Question & Answer
Will someone take a look at this HijackThis log?
3 answers
Logfile of HijackThis v1.99.1
Scan saved at 16:43:22, on 10-3-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Kris\Mijn documenten\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://64.124.210.131/index.php?qq=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://64.124.210.131/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.124.210.131
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://64.124.210.131/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://64.124.210.131/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://64.124.210.131/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://64.124.210.131/
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {22B720C7-5FA6-40A8-9F8F-8584BF669690} - C:\WINDOWS\System32\trgen.dll
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\System32\winb2s32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\t.dll
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\System32\winb2s32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\grlyoja.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/156cf5c88794159f5716/netzip/RdxIE601.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

I'll see whether I can write up a recipe for this PC.
Begin2Search and the FreshBar toolbar are on it, and those can't be removed with HijackThis alone.
Sjaak

See whether you can end the host.exe process (CTRL-ALT-DEL, then the Processes tab).
Copy the following line:
regsvr32 /u C:\Windows\System32\winb2s32.dll
Click Start -> Run and paste the line (CTRL-V).
Copy the following code into Notepad:
[code]
REGEDIT4
[-HKEY_CLASSES_ROOT\winb2s.dbi.1]
[-HKEY_CLASSES_ROOT\winb2s.dbi]
[-HKEY_CLASSES_ROOT\winb2s.iiittt.1]
[-HKEY_CLASSES_ROOT\winb2s.iiittt]
[-HKEY_CLASSES_ROOT\winb2s.momo.1]
[-HKEY_CLASSES_ROOT\winb2s.momo]
[-HKEY_CLASSES_ROOT\winb2s.ohb.1]
[-HKEY_CLASSES_ROOT\winb2s.ohb]
[-HKEY_CLASSES_ROOT\winb2s.amo.1]
[-HKEY_CLASSES_ROOT\winb2s.amo]
[-HKEY_CLASSES_ROOT\CLSID\{52FE5233-367C-4EFB-BDD7-0BE4D212C107}]
[-HKEY_CLASSES_ROOT\CLSID\{07E9CDF4-20D2-46B1-B681-663968F527CE}]
[-HKEY_CLASSES_ROOT\CLSID\{7C5E5671-7A1D-4AE8-91F0-496ADF2825F7}]
[-HKEY_CLASSES_ROOT\CLSID\{4D568F0F-8AC9-40AB-88B7-415134C78777}]
[-HKEY_CLASSES_ROOT\CLSID\{09C14745-90FD-42D1-9276-4924D7DBC274}]
[-HKEY_CLASSES_ROOT\TypeLib\{081DE2F6-927B-4AA9-88C1-F531C9387383}]
[-HKEY_CLASSES_ROOT\Interface\{A797A41D-F9F0-4A32-B9B5-AF927CB5AE54}]
[-HKEY_CLASSES_ROOT\Interface\{B12508AD-CA55-4238-8DB3-55808BA6915A}]
[-HKEY_CLASSES_ROOT\Interface\{F912C325-5B26-4AD6-BF39-84370833E972}]
[-HKEY_CLASSES_ROOT\Interface\{BF7CB2C3-55B6-44C1-9615-920D004C27F7}]
[-HKEY_CLASSES_ROOT\Interface\{6FE4AADF-EDAC-4037-9164-0B60179A4F12}]
[-HKEY_CLASSES_ROOT\Interface\{17973BD7-959C-4D8A-8B2F-AB200E20A75E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.amo]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.amo.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.iiittt]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.iiittt.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.momo]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.momo.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.ohb]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dsktrf.ohb.1]
; HKEY_ALL_USERS is not a standard root key name, so regedit will not process this entry on import
[-HKEY_ALL_USERS\Software\_dsktptr]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6024FCD5-91FC-4DC7-8481-63EABD5051D8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E4776F3A-6936-4A9C-B2DA-E57C239FD2F8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FF81672F-13FF-401F-8662-6E895C564CC4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D568F0F-8AC9-40AB-88B7-415134C78777}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\code store database\distribution units\{07e9cdf4-20d2-46b1-b681-663968f527ce}\winb2s.dbi.1]
[-HKEY_CURRENT_USER\SOFTWARE\aaa_soft]
[/code]
Save this on the desktop under the name fixme.reg
Save as type: All files
Don't run this file yet!
Print out the text below, because the PC has to be restarted in SAFE MODE, and then you won't have internet to look this up.
Restart the PC in SAFE MODE. That's F8 as the computer starts up again.
Now start HijackThis and tick the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://64.124.210.131/index.php?qq=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://64.124.210.131/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.124.210.131
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://64.124.210.131/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://64.124.210.131/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://64.124.210.131/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://64.124.210.131/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://64.124.210.131/
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: ohb - {22B720C7-5FA6-40A8-9F8F-8584BF669690} - C:\WINDOWS\System32\trgen.dll
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\System32\winb2s32.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\t.dll
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\System32\winb2s32.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\grlyoja.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/156cf5c88794159f5716/netzip/RdxIE601.cab
Now close all windows except HijackThis and click "Fix checked".
Now delete the following files:
Make sure you can also see operating-system and hidden files.
C:\Windows\System32\t.dll
C:\Windows\System32\winb2s32.dll
C:\Windows\System32\dsktrf.dll
C:\Windows\System32\reg6523.exe
C:\Windows\System32\trgen.dll
C:\Windows\System32\b2s_cache\ (entire directory)
C:\Windows\downloaded program files\winb2s32.inf
C:\Program Files\Internet Explorer\grlyoja.exe
Also search for and delete the following files:
host.exe, menu.txt and date.dat (possibly also in C:\Windows\System32)
Now run the fixme.reg file.
Allow it to be added to the registry.
Restart the computer, make a new log with HijackThis and post it.
Also say which files you couldn't delete.
Sjaak
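As an added example (my code, not part of Sjaak's reply and not a feature of HijackThis), the Python below parses lines in the HijackThis log format shown above and flags the same kinds of entries the recipe targets: IE start/search settings that point at a bare IP address, an orphaned URLSearchHook, one DLL registered as both a BHO (O2) and a toolbar (O3), and a Downloaded Program Files (O16) entry that is a local file:// path to an .exe rather than a vendor .cab. The sample lines are constructed (modelled on the posted log, with one benign HKLM start page added for contrast), and the checks are heuristics: a hit is a prompt to look closer, not proof of infection.

```python
"""Triage of HijackThis log lines: flag the entry types the cleanup above targets.

Added example; not part of the forum post or of HijackThis itself.
"""
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlparse

GUID = r"\{[0-9A-Fa-f-]{36}\}"

# One pattern per HijackThis section handled here (R0/R1, R3, O2, O3, O16).
PATTERNS = [
    re.compile(r"^R[01] - (?P<key>.+?) = (?P<url>.+)$"),
    re.compile(rf"^R3 - URLSearchHook: (?P<name>.+?) - (?P<clsid>{GUID}) - (?P<path>.+)$"),
    re.compile(rf"^O2 - BHO: (?P<name>.+?) - (?P<clsid>{GUID}) - (?P<path>.+)$"),
    re.compile(rf"^O3 - Toolbar: (?P<name>.+?) - (?P<clsid>{GUID}) - (?P<path>.+)$"),
    re.compile(rf"^O16 - DPF: (?P<clsid>{GUID})(?: \((?P<name>.+?)\))? - (?P<url>.+)$"),
]

# Constructed sample: lines in HijackThis v1.99 format modelled on the log above,
# plus one benign HKLM start page (not from the log) so a clean entry is present.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://64.124.210.131/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://64.124.210.131
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\System32\winb2s32.dll
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\System32\winb2s32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\grlyoja.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
"""


def parse_log(text):
    """Return one dict per recognised line; sections without a pattern are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        for pat in PATTERNS:
            m = pat.match(line)
            if m:
                entries.append({"section": line.split(" ", 1)[0], "line": line, **m.groupdict()})
                break
    return entries


def host_is_ip_literal(url):
    """True when the URL's host is a bare IPv4/IPv6 address rather than a hostname."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(entries):
    """Return (line, reason) pairs for entries matching the heuristics below."""
    findings = []
    # Which hook sections (O2, O3) load each DLL; one DLL in both is a classic hijacker pattern.
    dll_sections = defaultdict(set)
    for e in entries:
        if e["section"] in ("O2", "O3"):
            dll_sections[e["path"].lower()].add(e["section"])

    for e in entries:
        sec = e["section"]
        if sec in ("R0", "R1") and host_is_ip_literal(e["url"]):
            findings.append((e["line"], "IE start/search setting points at a raw IP address"))
        elif sec == "R3" and e["path"] == "(no file)":
            findings.append((e["line"], "URLSearchHook CLSID whose DLL is gone (orphaned hook)"))
        elif sec in ("O2", "O3") and len(dll_sections[e["path"].lower()]) > 1:
            findings.append((e["line"], "same DLL registered as both a BHO (O2) and a toolbar (O3)"))
        elif sec == "O16":
            url = e["url"]
            if urlparse(url).scheme.lower() == "file" or url.lower().endswith(".exe"):
                findings.append((e["line"], "Downloaded Program Files entry is a local file:// URL or an .exe, not a vendor .cab"))
    return findings


def triage_log(text):
    return triage(parse_log(text))


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

The DLL cross-reference is the part worth keeping: in the posted log winb2s32.dll shows up under both O2 and O3, and the recipe above removes that same DLL's CLSIDs from both the BHO list and the toolbar list, which is why it lists the O2 and O3 lines together.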
This is an archived page. Replying is no longer possible.