Questions & Answers

Security & privacy

win32:trojano-1941 TROJAN HORSE!!

Anonymous
60 replies
  • Do the removal in safe mode, or after restarting your computer.

    This is a trojan downloader; the file itself apparently isn't recognised by AVG, but the junk the trojan downloads is recognised and intercepted by AVG. That's why those alerts keep coming :wink:
  • New Trojan Horse alerts
    C:\windows\g25270343.dll
  • Were you able to remove Daily Weather Forecast in safe mode?
  • Yes, it's gone! Along with a number of registry entries that I removed by hand.
  • Do the following as well:
    Download rkfiles.
    Unpack the files to the folder c:\rkfiles.
    Don't run the program yet.

    Start the computer in safe mode.

    Use Explorer to go to the folder c:\rkfiles and double-click rkfiles.bat.
    The computer will now be scanned.
    When the scan is finished, the window closes.

    Start the PC in normal mode. Look at the contents of the log file rkfiles made during the scan: find the file C:\log.txt (this is the rkfiles log). Paste the contents of this log in a new post.

    Regards smeenk :wink:
  • C:\rkfiles

    Houd er rekening mee dat alles dat via deze methode gevonden wordt niet perse malware hoeft te zijn, u dient dit eerst te checken, bijvoorbeeld door de bestanden te uploaden naar http://virusscan.jotti.org Bij twijfel niets doen!!.
    Bestanden gevonden in uw System map…………
    ————————
    C:\WINDOWS\system32\aswBoot.exe: UPX!t$
    C:\WINDOWS\system32\avisynth.dll: UPX!
    C:\WINDOWS\system32\MACDec.dll: UPX!
    C:\WINDOWS\system32\MonkeySource.ax: UPX!
    C:\WINDOWS\system32\swreg.exe: UPX!
    C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
    C:\WINDOWS\system32\DivX.dll: PEC2

    Bestanden gevonden in uw WINDOWS map…………
    ————————
    Programma beeindigd
    Tot ziens
  • You could scan these files with http://virusscan.jotti.org
    I have my doubts about the first one; the others are probably harmless.

    C:\WINDOWS\system32\aswBoot.exe
    C:\WINDOWS\system32\avisynth.dll
    C:\WINDOWS\system32\MACDec.dll
    C:\WINDOWS\system32\MonkeySource.ax
    C:\WINDOWS\system32\swreg.exe
    C:\WINDOWS\system32\DivX.dll

    Regards smeenk
  • Jotti scan results. Every one of the 14 scanners (AntiVir, ArcaVir, Avast, AVG Antivirus, BitDefender, ClamAV, Dr.Web, F-Prot Antivirus, Fortinet, Kaspersky Anti-Virus, NOD32, Norman Virus Control, UNA, VBA32) reported "Found nothing" for every file.

    Note Jotti attaches to the status "MIGHT BE INFECTED/MALWARE": Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.

    File: aswBoot.exe
    Status: OK
    MD5: a3e7643f796328b0fcf96a8852ce2482
    Packers detected: -

    File: avisynth.dll
    Status: MIGHT BE INFECTED/MALWARE
    MD5: 77bbe48f9db24942d2e0527f1adce635
    Packers detected: UPX

    File: MACDec.dll
    Status: MIGHT BE INFECTED/MALWARE
    MD5: 451cd43bd3b5d00cadd6720569602764
    Packers detected: UPX

    File: MonkeySource.ax
    Status: MIGHT BE INFECTED/MALWARE
    MD5: e14a141f614303c331cbdf38fc15b6cf
    Packers detected: UPX

    File: swreg.exe
    Status: MIGHT BE INFECTED/MALWARE
    MD5: 68f9aeb2df69a6117e65d2c6fc804775
    Packers detected: UPX

    File: DivX.dll
    Status: MIGHT BE INFECTED/MALWARE
    MD5: 6e5fc7ff90b8ae953a9531bdcb893cf6
    Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
  • Hmmm, I was already afraid of that; just leave the files alone, they're probably legitimate :-?

    Download Silent Runners
    Unzip it to its own folder.
    Start SilentRunners.vbs
    If your antivirus program raises an alert, allow this script to run.
    A log is placed in the folder you started Silent Runners from. Post that log too :wink:
  • "Silent Runners.vbs", revision 41, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ———————————

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "NBJ" = ""C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "HTpatch" = "C:\WINDOWS\htpatch.exe" [null data]
    "VOBRegCheck" = "C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg" [null data]
    "PinnacleDriverCheck" = "C:\WINDOWS\System32\PSDrvCheck.exe" [empty string]
    "Microsoft Works Update Detection" = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
    "ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
    "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
    "avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
    "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
    "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
    "PCMService" = "C:\Program Files\Medion Home CinemaXL\PowerCinema\PCMService.exe" [empty string]
    "DownloadAccelerator" = "C:\PROGRA~1\DAP\DAP.EXE /STARTUP" ["SpeedBit Ltd."]
    "Dit" = "Dit.exe" [null data]
    "atwtusb" = "atwtusb.exe beta" ["Aiptek"]
    "MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {0000CC75-ACF3-4cac-A0A9-DD3868E06852}\(Default) = "DAPHelper Class" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\DAP\DAPBHO.dll" ["Speedbit Ltd."]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Configuratiescherm-uitbreiding Beeldscherm-panning"
    -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-pictogramuitbreiding"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
    "{F5D92341-0A64-11D0-9956-0000E8096023}" = "CD Copy Shell Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]
    "{F5D92342-0A64-11D0-9956-0000E8096023}" = "CD Wizard Shell Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\olkfstub.dll" [MS]
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
    "{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SmartFTP\smarthook.dll" ["SmartFTP"]
    "{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
    "{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}" = "CopyToCD shell extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\VSO\COPYTO~1\CTCDSH~1.DLL" ["VSO Software"]
    "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universele Plug en Play-apparaten"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
    "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
    CopyToCD\(Default) = "{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\VSO\COPYTO~1\CTCDSH~1.DLL" ["VSO Software"]
    EncodeDivXExt\(Default) = "{E9F5B111-CACC-4FD4-81FD-4EB4FD6765A3}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\DivX\Dr.DivX\EncodeDivXExt.dll" [empty string]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    CopyToCD\(Default) = "{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\VSO\COPYTO~1\CTCDSH~1.DLL" ["VSO Software"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
    CopyToCD\(Default) = "{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\VSO\COPYTO~1\CTCDSH~1.DLL" ["VSO Software"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


    Active Desktop and Wallpaper:
    —————————–

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


    Enabled Screen Saver:
    ———————

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\scrnsave.scr" [MS]


    Startup items in "Ray" & "All Users" startup folders:
    —————————————————–

    C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten
    INFECTION WARNING! "numlock.vbs" [null data]
    "Office Opstarten" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA.EXE -b" [MS]


    Enabled Scheduled Tasks:
    ————————

    "Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


    Winsock2 Service Provider DLLs:
    ——————————-

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000004\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]
    000000000005\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 32
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ————————————

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{62999427-33FC-4BAF-9C9C-BCE6BD127F08}" = "DAP Bar"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\DAP\DAPIEBar.dll" [empty string]

    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

    {CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Miscellaneous IE Hijack Points
    ——————————

    C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

    Added lines (compared with English-language version):
    [Strings]: START_PAGE_URL=http://www.aldi.com

    Missing lines (compared with English-language version):
    [Strings]: 1 line


    HOSTS file
    ———-

    C:\WINDOWS\System32\drivers\etc\HOSTS

    maps: 752 domain names to IP addresses,
    25 of the IP addresses are *not* localhost!


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ——————————————————————

    avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
    avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
    avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
    avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
    Eenvoudige TCP/IP-services, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
    ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
    InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
    IPv6-hulpservice, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
    Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
    RIP-listener, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
    Virtual NIC Service, PackethSvc, "C:\WINDOWS\System32\PackethSvc.exe" ["America Online, Inc."]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
    WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]
    X10 Device Network Service, x10nets, "C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe" ["X10"]


    Print Monitors:
    —————

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    LPR Port\Driver = "lprmon.dll" [MS]
    Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


    ———-
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
    use the -supp parameter or answer "No" at the first message box.
    ———- (total run time: 40 seconds, including 19 seconds for message boxes)
  • That doesn't turn up much either; try this:

    Download the Hoster: http://www.funkytoad.com/download/hoster.zip
    Unzip the program, run it, click Restore Original Hosts, click OK and close the program.

    Let me know if your problem persists; post another HijackThis log as well so I can check it :wink:
  • Logfile of HijackThis v1.99.1
    Scan saved at 13:48:37, on 18-12-2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\htpatch.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Medion Home CinemaXL\PowerCinema\PCMService.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\WINDOWS\Dit.exe
    C:\WINDOWS\system32\atwtusb.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\system32\TBLMOUSE.EXE
    C:\WINDOWS\DitExp.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Ray\LOCALS~1\Temp\Rar$EX00.000\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aldi.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.nl/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aldi.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [PCMService] C:\Program Files\Medion Home CinemaXL\PowerCinema\PCMService.exe
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - Global Startup: numlock.vbs
    O4 - Global Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O18 - Protocol: icoo - {86FE362E-74FA-4F71-8B69-B94D28880628} - (no file)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
    O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
  • This one can still go:
    O18 - Protocol: icoo - {86FE362E-74FA-4F71-8B69-B94D28880628} - (no file)

    Other than that I don't see anything wrong in it :wink:
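Added example (not from this thread, and not part of HijackThis itself): a small Python triage script for HijackThis log lines of the kind posted above. It parses each entry, pulls out the CLSID and the file the entry points at, and flags the two things worth checking first in a log like this one: orphaned entries such as the icoo O18 line, whose target is "(no file)", and startup items given only as a bare filename (Dit.exe, numlock.vbs). The sample lines are copied from the log posted in this thread; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample: seven lines copied from the HijackThis v1.99.1 log posted
# in this thread. The O18 "icoo" entry is the one the helper said could go.
SAMPLE_LINES = [
    r"O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll",
    r"O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe",
    r"O4 - HKLM\..\Run: [Dit] Dit.exe",
    r"O4 - Global Startup: numlock.vbs",
    r"O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)",
    r"O18 - Protocol: icoo - {86FE362E-74FA-4F71-8B69-B94D28880628} - (no file)",
    r"O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe",
]

# "O18 - <body>", "R1 - <body>" and so on; the section code is the part before " - ".
ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
# A registry CLSID: 32 hex digits in 8-4-4-4-12 groups, 36 characters inside the braces.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Entry:
    section: str          # HijackThis section code, e.g. "O18"
    body: str             # the line with the section prefix stripped
    clsid: Optional[str]  # first CLSID in the line, if any
    target: str           # file, command or URL the entry points at


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HijackThis log line into an Entry, or None if it is not one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0) if clsid_m else None

    if section == "O4":
        # Run keys: "HKLM\..\Run: [name] command"; startup folders: "Global Startup: file"
        # or "Global Startup: file.lnk = resolved path".
        if "] " in body:
            target = body.split("] ", 1)[1]
        else:
            target = body.split(": ", 1)[1]
            if " = " in target:
                target = target.split(" = ", 1)[1]
    elif section.startswith("R"):
        # IE settings: "HKCU\...\Main,Start Page = http://..."
        target = body.split(" = ", 1)[-1]
    else:
        # Everything else ends in " - <path, URL or (no file)>".
        target = body.rsplit(" - ", 1)[-1]
    return Entry(section, body, clsid, target.strip())


def triage(entry: Entry) -> str:
    """Classify one entry for follow-up; this is a triage aid, not a verdict."""
    t = entry.target
    if t == "(no file)" or t.endswith("(file missing)"):
        # The registry still references a file that is not on disk: an orphaned hook.
        return "orphan"
    if entry.section == "O4" and not re.search(r"[\\/:]", t):
        # Bare filename: Windows resolves it through the search path, so the log does
        # not tell you which file actually runs. Locate it before judging the entry.
        return "unqualified"
    return "ok"


def triage_log(lines: Iterable[str]) -> Dict[str, List[Entry]]:
    """Group all parseable entries by triage class."""
    findings: Dict[str, List[Entry]] = {"orphan": [], "unqualified": [], "ok": []}
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            findings[triage(entry)].append(entry)
    return findings


if __name__ == "__main__":
    for label, entries in triage_log(SAMPLE_LINES).items():
        for e in entries:
            print(f"{label:12} {e.section:4} {e.clsid or '-':40} {e.target}")
```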
  • That registry entry has now been removed too. But I've again come across several ICOO Loaders, so I deleted them again. One of them, however, cannot be removed.
    Also, it's a mystery to me how those ICOO loaders keep ending up in the registry again. We already took them out earlier, didn't we?
  • > Also, it's a mystery to me how those ICOO loaders keep ending up in the registry again. We already took them out earlier, didn't we?

    Any ideas?

    Another question: it now looks like I'm rid of the Trojan Horse. (Don't say it too loudly!)
    Does it make sense to create a new restore point now? Can you use it to undo a new virus attack?
  • As for icoo, I wouldn't know; you could still give this a try:

    Download the trial version of Spysweeper
    During installation choose "standard installation", and enter your e-mail address when asked for it.
    You will be asked whether you want to download the latest definitions. Do so (this can take a while).
    When the update has finished, close Spysweeper.

    Start the computer in safe mode. You can read how to do this here.

    Start Spysweeper
    Then click Options - Sweep Options and tick the following:
    Sweep all Folders on Selected drives and Local Disc C.
    Under "What to Sweep", tick everything.
    Then click "Sweep" and let it scan your system completely.

    When the scan is done, click "Remove", then click "Select All" and then "Next".

    Click "Results" and then the "Session Log" tab.
    Then click "Save to File" and save the log on your desktop.
    Close Spysweeper.

    Restart the computer in normal mode.

    Then clear all your old System Restore points:
    Turn off System Restore.
    Restart the computer. Turn System Restore back on.
    Disabling System Restore.

    Then paste the contents of the Spysweeper log file in your next post.
    Regards smeenk ;)
  • Hello Smeenk,
    Really great, all your advice and solution methods! THANKS! :wink: :wink: :wink:

    First of all: I downloaded the Dutch version of SpySweeper (version 4.5.8, build 683) and of course updated it.
    A lot of adware was found (despite AdAware 6.0 and SpyBlaster version 3.4), and another Trojan Horse (in UKvideo).

    I got the message that SS successfully removed a program known to be able to redirect IE settings!

    Also the message that Cydoor (adware) is a component needed to make Kazaa work. I had it quarantined. So don't remove it??

    Here is the log:

    15:35: | Start of Session, Monday, December 19, 2005 |
    15:35: Spy Sweeper started
    15:35: Sweep initiated using definitions version 586
    15:35: Starting Memory Sweep
    15:36: Memory Sweep Complete, Elapsed Time: 00:00:56
    15:36: Starting Registry Sweep
    15:36: Found Adware: hotsearchbar toolbar
    15:36: HKCR\clsid\{76c13acd-b6fd-4cbe-ac7b-46551f360048}\ (6 subtraces) (ID = 127751)
    15:36: HKCR\clsid\{285b5ccd-c3f0-4eb6-9632-7d0a3c3af824}\ (6 subtraces) (ID = 127752)
    15:36: HKCR\clsid\{2490a770-d039-4b60-a94d-ad22f9ac605b}\ (6 subtraces) (ID = 127753)
    15:36: HKCR\clsid\{de910060-8efb-44b9-b492-75180696643f}\ (17 subtraces) (ID = 127756)
    15:36: HKLM\software\classes\clsid\{76c13acd-b6fd-4cbe-ac7b-46551f360048}\ (6 subtraces) (ID = 127760)
    15:36: HKLM\software\classes\clsid\{285b5ccd-c3f0-4eb6-9632-7d0a3c3af824}\ (6 subtraces) (ID = 127761)
    15:36: HKLM\software\classes\clsid\{2490a770-d039-4b60-a94d-ad22f9ac605b}\ (6 subtraces) (ID = 127762)
    15:36: HKLM\software\classes\clsid\{de910060-8efb-44b9-b492-75180696643f}\ (17 subtraces) (ID = 127765)
    15:36: Found Adware: win comm
    15:36: HKLM\software\win comm\ (1 subtraces) (ID = 146971)
    15:36: Found Adware: wurldmedia
    15:36: HKCR\appid\sostatatl.exe\ (1 subtraces) (ID = 147535)
    15:36: HKCR\appid\{dee5d795-a276-43b5-a04a-511149a354f0}\ (1 subtraces) (ID = 147536)
    15:37: Found Adware: cws-aboutblank
    15:37: HKU\S-1-5-21-3274082783-3749152046-3359350331-1007\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
    15:37: Found Adware: exact searchbar
    15:37: HKU\S-1-5-21-3274082783-3749152046-3359350331-1007\software\microsoft\internet explorer\toolbar\webbrowser\ || {224530a0-c9cb-4aee-9c0f-54ac1b533211} (ID = 125865)
    15:37: Found Adware: navexcel navhelper
    15:37: HKU\S-1-5-21-3274082783-3749152046-3359350331-1007\software\microsoft\internet explorer\toolbar\webbrowser\ || {5aa06644-bc46-4220-a460-47a6eb47c96d} (ID = 135541)
    15:37: Found Adware: switchdialer
    15:37: HKU\S-1-5-21-3274082783-3749152046-3359350331-1007\software\microsoft\internet explorer\main\ || startpagina (ID = 143489)
    15:37: HKU\S-1-5-21-3274082783-3749152046-3359350331-1007\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
    15:37: Registry Sweep Complete, Elapsed Time:00:00:13
    15:37: Starting Cookie Sweep
    15:37: Found Spy Cookie: onestat.com cookie
    15:37: ray@stat.onestat[2].txt (ID = 3098)
    15:37: Cookie Sweep Complete, Elapsed Time: 00:00:05
    15:37: Starting File Sweep
    15:38: Found Adware: websearch toolbar
    15:38: c:\program files\common files\wintools (1 subtraces) (ID = -2147480046)
    15:38: c:\program files\toolbar (5 subtraces) (ID = -2147480045)
    15:38: c:\documents and settings\all users\menu start\programma's\web search tools (4 subtraces) (ID = -2147480048)
    15:38: c:\program files\win comm (1 subtraces) (ID = -2147480033)
    15:38: Found Adware: blazefind
    15:38: c:\program files\windows servead (ID = -2147481363)
    15:38: c:\program files\navexcel (4 subtraces) (ID = -2147480574)
    15:38: c:\program files\navexcel search toolbar (2 subtraces) (ID = -2147475427)
    15:38: Found Trojan Horse: ukvideo
    15:38: c:\windows\system32\dialersetup (1 subtraces) (ID = -2147480128)
    15:38: Found Adware: limeshop
    15:38: c:\program files\limeshop (135 subtraces) (ID = -2147480733)
    15:38: Found Adware: whenu savenow
    15:38: c:\program files\vvsn (3 subtraces) (ID = -2147480376)
    15:38: Found Adware: gain - common components
    15:38: c:\program files\common files\gmt (623 subtraces) (ID = -2147480945)
    15:38: c:\program files\common files\cmeii (20 subtraces) (ID = -2147480946)
    15:38: Found Adware: whenu
    15:38: c:\program files\common files\whenu (1 subtraces) (ID = -2147480379)
    15:38: c:\documents and settings\all users\menu start\programma's\gain (1 subtraces) (ID = -2147480951)
    15:39: Found Adware: ebates money maker
    15:39: br.class (ID = 59482)
    15:39: ea.class (ID = 59611)
    15:39: bh.class (ID = 59461)
    15:39: l.class (ID = 59673)
    15:39: bg.class (ID = 59460)
    15:39: cf.class (ID = 59511)
    15:39: cu.class (ID = 59543)
    15:39: dx.class (ID = 59604)
    15:39: cb.class (ID = 59504)
    15:39: cl.class (ID = 59524)
    15:39: dj.class (ID = 59576)
    15:39: cv.class (ID = 59545)
    15:39: cx.class (ID = 59548)
    15:39: dg.class (ID = 59568)
    15:39: bl.class (ID = 59469)
    15:39: bi.class (ID = 59463)
    15:39: da.class (ID = 59557)
    15:39: bu.class (ID = 59487)
    15:39: ch.class (ID = 59516)
    15:39: bz.class (ID = 59498)
    15:39: dl.class (ID = 59582)
    15:39: bt.class (ID = 59485)
    15:39: cn.class (ID = 59528)
    15:40: cj.class (ID = 59519)
    15:40: dq.class (ID = 59588)
    15:40: bo.class (ID = 59475)
    15:40: dz.class (ID = 59608)
    15:40: bc.class (ID = 59453)
    15:40: dy.class (ID = 59605)
    15:40: ed.class (ID = 59657)
    15:40: dm.class (ID = 59583)
    15:40: bm.class (ID = 59471)
    15:40: ck.class (ID = 59521)
    15:40: cc.class (ID = 59506)
    15:40: dr.class (ID = 59591)
    15:40: bw.class (ID = 59492)
    15:40: ca.class (ID = 59501)
    15:40: bf.class (ID = 59458)
    15:40: f.class (ID = 59660)
    15:40: d.class (ID = 59555)
    15:40: dn.class (ID = 59584)
    15:40: b.class (ID = 59446)
    15:40: bb.class (ID = 59451)
    15:40: cs.class (ID = 59539)
    15:40: ce.class (ID = 59510)
    15:40: cp.class (ID = 59533)
    15:40: be.class (ID = 59457)
    15:40: n.class (ID = 59687)
    15:40: di.class (ID = 59573)
    15:40: dv.class (ID = 59600)
    15:40: db.class (ID = 59559)
    15:40: bp.class (ID = 59478)
    15:40: cd.class (ID = 59507)
    15:40: main.class (ID = 59681)
    15:40: Found Adware: bonzi buddy
    15:40: newshortcut2.url (ID = 51620)
    15:41: limeshop_readme.txt (ID = 65532)
    15:41: topmoxie_proxy.htm (ID = 59713)
    15:41: topmoxie_conflicts2.htm (ID = 59712)
    15:41: limeshop_preferences0.htm (ID = 65531)
    15:41: limeshop_offer0.htm (ID = 65530)
    15:41: limeshop_confirm0.htm (ID = 65529)
    15:41: dw.class (ID = 59603)
    15:41: cq.class (ID = 59534)
    15:41: bx.class (ID = 59494)
    15:41: r.class (ID = 59694)
    15:41: nhelper.htm (ID = 70375)
    15:42: Found Adware: shopathomeselect
    15:42: vg.dat (ID = 57301)
    15:43: debut.htm (ID = 61337)
    15:43: limeshop.html (ID = 65526)
    15:43: lsp_.dll (ID = 75816)
    15:46: info.txt (ID = 89082)
    15:46: welcome.htm (ID = 61651)
    15:50: fillin.wav (ID = 61352)
    16:04: sahagent_.exe (ID = 75904)
    16:07: Found Adware: igetnet
    16:07: update_hosts.dll (ID = 63461)
    16:08: Found Adware: ignkeys
    16:08: update_rsp.dll (ID = 63481)
    16:17: update_bho.dll (ID = 63479)
    16:24: appmgrgui.zip (ID = 61281)
    16:25: navexcelbar.dll (ID = 93779)
    16:25: Found Adware: cydoor peer-to-peer dependency
    16:25: cd_clint.dll (ID = 57300)
    16:27: gain website.url (ID = 61373)
    16:27: gator.log (ID = 61386)
    16:27: gatorsupportinfo.txt (ID = 61414)
    16:27: cmediagnostics.log (ID = 61291)
    16:27: mepcme.dat (ID = 61517)
    16:28: notrgs.gdte (ID = 61552)
    16:28: rmhgxlmu.wzg (ID = 85808)
    16:28: cursors.xml (ID = 84688)
    16:28: home.url (ID = 84894)
    16:28: frequently asked questions.url (ID = 84889)
    16:28: bonzi.url (ID = 51610)
    16:28: terms of use.url (ID = 86338)
    16:28: privacy policy.url (ID = 84923)
    16:28: eb.class (ID = 59614)
    16:28: limeshop.url (ID = 65528)
    16:28: q.class (ID = 59693)
    16:28: e.class (ID = 59610)
    16:28: g.class (ID = 59663)
    16:28: ec.class (ID = 59654)
    16:28: i.class (ID = 59665)
    16:28: k.class (ID = 59671)
    16:28: s.class (ID = 59698)
    16:28: a.class (ID = 59443)
    16:28: m.class (ID = 59678)
    16:28: j.class (ID = 59670)
    16:28: p.class (ID = 59689)
    16:28: v.class (ID = 59718)
    16:28: x.class (ID = 59729)
    16:28: ba.class (ID = 59449)
    16:28: bd.class (ID = 59455)
    16:28: bj.class (ID = 59466)
    16:28: bq.class (ID = 59480)
    16:28: bs.class (ID = 59484)
    16:28: bv.class (ID = 59490)
    16:28: t.class (ID = 59708)
    16:28: cg.class (ID = 59513)
    16:28: ci.class (ID = 59517)
    16:28: cm.class (ID = 59526)
    16:28: co.class (ID = 59530)
    16:28: cw.class (ID = 59547)
    16:28: cy.class (ID = 59551)
    16:28: dc.class (ID = 59561)
    16:28: u.class (ID = 59715)
    16:28: dh.class (ID = 59570)
    16:28: dk.class (ID = 59579)
    16:28: du.class (ID = 59596)
    16:28: limeshop_script0.htm (ID = 65533)
    16:31: File Sweep Complete, Elapsed Time: 00:54:24
    16:31: Full Sweep has completed. Elapsed time 00:55:41
    16:31: Traces Found: 1032
    17:03: Removal process initiated
    17:03: Quarantining All Traces: hotsearchbar toolbar
    17:04: Quarantining All Traces: win comm
    17:04: Quarantining All Traces: wurldmedia
    17:04: Quarantining All Traces: cws-aboutblank
    17:04: Quarantining All Traces: exact searchbar
    17:04: Quarantining All Traces: navexcel navhelper
    17:04: Quarantining All Traces: switchdialer
    17:04: Quarantining All Traces: onestat.com cookie
    17:04: Quarantining All Traces: websearch toolbar
    17:04: Quarantining All Traces: blazefind
    17:04: Quarantining All Traces: ukvideo
    17:04: Quarantining All Traces: limeshop
    17:04: Quarantining All Traces: whenu savenow
    17:04: Quarantining All Traces: gain - common components
    17:04: Quarantining All Traces: whenu
    17:04: Quarantining All Traces: ebates money maker
    17:05: Quarantining All Traces: bonzi buddy
    17:05: Quarantining All Traces: shopathomeselect
    17:05: Quarantining All Traces: igetnet
    17:05: Quarantining All Traces: ignkeys
    17:07: Quarantining All Traces: cydoor peer-to-peer dependency
    17:09: Removal process completed. Elapsed time 00:05:03
    ********
    15:17: | Start of Session, Monday, December 19, 2005 |
    15:17: Spy Sweeper started
    15:17: Sweep initiated using definitions version 586
    15:17: Starting Memory Sweep
    15:17: Memory Sweep Complete, Elapsed Time: 00:00:21
    15:35: Program Version: 4.5.8 (Build 683) Using Spyware Definitions 586
    15:35: | End of Session, Monday, December 19, 2005 |
    ********
    14:15: | Start of Session, Monday, December 19, 2005 |
    14:15: Spy Sweeper started
    14:15: Sweep initiated using definitions version 586
    14:15: Starting Memory Sweep
    14:16: Memory Sweep Complete, Elapsed Time: 00:00:56
    14:16: Starting Registry Sweep
    14:16: Found Adware: hotsearchbar toolbar
    14:16: HKCR\clsid\{76c13acd-b6fd-4cbe-ac7b-46551f360048}\ (6 subtraces) (ID = 127751)
    14:16: HKCR\clsid\{285b5ccd-c3f0-4eb6-9632-7d0a3c3af824}\ (6 subtraces) (ID = 127752)
    14:16: HKCR\clsid\{2490a770-d039-4b60-a94d-ad22f9ac605b}\ (6 subtraces) (ID = 127753)
    14:16: HKCR\clsid\{de910060-8efb-44b9-b492-75180696643f}\ (17 subtraces) (ID = 127756)
    14:16: HKLM\software\classes\clsid\{76c13acd-b6fd-4cbe-ac7b-46551f360048}\ (6 subtraces) (ID = 127760)
    14:16: HKLM\software\classes\clsid\{285b5ccd-c3f0-4eb6-9632-7d0a3c3af824}\ (6 subtraces) (ID = 127761)
    14:16: HKLM\software\classes\clsid\{2490a770-d039-4b60-a94d-ad22f9ac605b}\ (6 subtraces) (ID = 127762)
    14:16: HKLM\software\classes\clsid\{de910060-8efb-44b9-b492-75180696643f}\ (17 subtraces) (ID = 127765)
    14:16: Found Adware: win comm
    14:16: HKLM\software\win comm\ (1 subtraces) (ID = 146971)
    14:16: Found Adware: wurldmedia
    14:16: HKCR\appid\sostatatl.exe\ (1 subtraces) (ID = 147535)
    14:16: HKCR\appid\{dee5d795-a276-43b5-a04a-511149a354f0}\ (1 subtraces) (ID = 147536)
    14:16: Found Adware: cws-aboutblank
    14:16: HKU\S-1-5-21-3274082783-3749152046-3359350331-1007\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
    14:16: Found Adware: exact searchbar
    14:16: HKU\S-1-5-21-3274082783-3749152046-3359350331-1007\software\microsoft\internet explorer\toolbar\webbrowser\ || {224530a0-c9cb-4aee-9c0f-54ac1b533211} (ID = 125865)
    14:16: Found Adware: navexcel navhelper
    14:16: HKU\S-1-5-21-3274082783-3749152046-3359350331-1007\software\microsoft\internet explorer\toolbar\webbrowser\ || {5aa06644-bc46-4220-a460-47a6eb47c96d} (ID = 135541)
    14:16: Found Adware: switchdialer
    14:16: HKU\S-1-5-21-3274082783-3749152046-3359350331-1007\software\microsoft\internet explorer\main\ || startpagina (ID = 143489)
    14:16: HKU\S-1-5-21-3274082783-3749152046-3359350331-1007\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
    14:16: Registry Sweep Complete, Elapsed Time:00:00:14
    14:16: Starting Cookie Sweep
    14:17: Found Spy Cookie: onestat.com cookie
    14:17: ray@stat.onestat[2].txt (ID = 3098)
    14:17: Cookie Sweep Complete, Elapsed Time: 00:00:05
    14:17: Starting File Sweep
    14:18: Found Adware: websearch toolbar
    14:18: c:\program files\toolbar (5 subtraces) (ID = -2147480045)
    14:18: c:\documents and settings\all users\menu start\programma's\web search tools (4 subtraces) (ID = -2147480048)
    14:18: c:\program files\common files\wintools (1 subtraces) (ID = -2147480046)
    14:18: c:\program files\navexcel search toolbar (2 subtraces) (ID = -2147475427)
    14:18: Found Trojan Horse: ukvideo
    14:18: c:\windows\system32\dialersetup (1 subtraces) (ID = -2147480128)
    14:18: c:\program files\navexcel (4 subtraces) (ID = -2147480574)
    14:18: Found Adware: blazefind
    14:18: c:\program files\windows servead (ID = -2147481363)
    14:18: c:\program files\win comm (1 subtraces) (ID = -2147480033)
    14:18: Found Adware: limeshop
    14:18: c:\program files\limeshop (135 subtraces) (ID = -2147480733)
    14:18: Found Adware: whenu savenow
    14:18: c:\program files\vvsn (3 subtraces) (ID = -2147480376)
    14:18: Found Adware: gain - common components
    14:18: c:\documents and settings\all users\menu start\programma's\gain (1 subtraces) (ID = -2147480951)
    14:18: c:\program files\common files\cmeii (20 subtraces) (ID = -2147480946)
    14:18: c:\program files\common files\gmt (623 subtraces) (ID = -2147480945)
    14:18: Found Adware: whenu
    14:18: c:\program files\common files\whenu (1 subtraces) (ID = -2147480379)
    14:19: Found Adware: ebates money maker
    14:19: br.class (ID = 59482)
    14:19: ea.class (ID = 59611)
    14:19: bh.class (ID = 59461)
    14:19: l.class (ID = 59673)
    14:19: bg.class (ID = 59460)
    14:19: cf.class (ID = 59511)
    14:19: cu.class (ID = 59543)
    14:19: dx.class (ID = 59604)
    14:19: cb.class (ID = 59504)
    14:19: cl.class (ID = 59524)
    14:19: dj.class (ID = 59576)
    14:19: cv.class (ID = 59545)
    14:19: cx.class (ID = 59548)
    14:19: dg.class (ID = 59568)
    14:19: bl.class (ID = 59469)
    14:19: bi.class (ID = 59463)
    14:19: da.class (ID = 59557)
    14:19: bu.class (ID = 59487)
    14:19: ch.class (ID = 59516)
    14:19: bz.class (ID = 59498)
    14:19: dl.class (ID = 59582)
    14:19: bt.class (ID = 59485)
    14:19: cn.class (ID = 59528)
    14:19: cj.class (ID = 59519)
    14:20: dq.class (ID = 59588)
    14:20: bo.class (ID = 59475)
    14:20: dz.class (ID = 59608)
    14:20: bc.class (ID = 59453)
    14:20: dy.class (ID = 59605)
    14:20: ed.class (ID = 59657)
    14:20: dm.class (ID = 59583)
    14:20: bm.class (ID = 59471)
    14:20: ck.class (ID = 59521)
    14:20: cc.class (ID = 59506)
    14:20: dr.class (ID = 59591)
    14:20: bw.class (ID = 59492)
    14:20: ca.class (ID = 59501)
    14:20: bf.class (ID = 59458)
    14:20: f.class (ID = 59660)
    14:20: d.class (ID = 59555)
    14:20: dn.class (ID = 59584)
    14:20: b.class (ID = 59446)
    14:20: bb.class (ID = 59451)
    14:20: cs.class (ID = 59539)
    14:20: ce.class (ID = 59510)
    14:20: cp.class (ID = 59533)
    14:20: be.class (ID = 59457)
    14:20: n.class (ID = 59687)
    14:20: di.class (ID = 59573)
    14:20: dv.class (ID = 59600)
    14:20: db.class (ID = 59559)
    14:20: bp.class (ID = 59478)
    14:20: cd.class (ID = 59507)
    14:20: main.class (ID = 59681)
    14:20: Found Adware: bonzi buddy
    14:20: newshortcut2.url (ID = 51620)
    14:21: limeshop_readme.txt (ID = 65532)
    14:21: topmoxie_proxy.htm (ID = 59713)
    14:21: topmoxie_conflicts2.htm (ID = 59712)
    14:21: limeshop_preferences0.htm (ID = 65531)
    14:21: limeshop_offer0.htm (ID = 65530)
    14:21: limeshop_confirm0.htm (ID = 65529)
    14:21: dw.class (ID = 59603)
    14:21: cq.class (ID = 59534)
    14:21: bx.class (ID = 59494)
    14:21: r.class (ID = 59694)
    14:21: nhelper.htm (ID = 70375)
    14:22: Found Adware: shopathomeselect
    14:22: vg.dat (ID = 57301)
    14:22: debut.htm (ID = 61337)
    14:23: limeshop.html (ID = 65526)
    14:23: lsp_.dll (ID = 75816)
    14:25: info.txt (ID = 89082)
    14:26: welcome.htm (ID = 61651)
    14:30: fillin.wav (ID = 61352)
    14:44: sahagent_.exe (ID = 75904)
    14:47: Found Adware: igetnet
    14:47: update_hosts.dll (ID = 63461)
    14:48: Found Adware: ignkeys
    14:48: update_rsp.dll (ID = 63481)
    14:57: update_bho.dll (ID = 63479)
    15:04: appmgrgui.zip (ID = 61281)
    15:05: navexcelbar.dll (ID = 93779)
    15:05: Found Adware: cydoor peer-to-peer dependency
    15:05: cd_clint.dll (ID = 57300)
    15:07: gain website.url (ID = 61373)
    15:07: gator.log (ID = 61386)
    15:07: gatorsupportinfo.txt (ID = 61414)
    15:07: cmediagnostics.log (ID = 61291)
    15:07: mepcme.dat (ID = 61517)
    15:08: notrgs.gdte (ID = 61552)
    15:08: rmhgxlmu.wzg (ID = 85808)
    15:08: cursors.xml (ID = 84688)
    15:08: home.url (ID = 84894)
    15:08: frequently asked questions.url (ID = 84889)
    15:08: terms of use.url (ID = 86338)
    15:08: privacy policy.url (ID = 84923)
    15:08: eb.class (ID = 59614)
    15:08: bonzi.url (ID = 51610)
    15:08: limeshop.url (ID = 65528)
    15:08: q.class (ID = 59693)
    15:08: e.class (ID = 59610)
    15:08: g.class (ID = 59663)
    15:08: ec.class (ID = 59654)
    15:08: i.class (ID = 59665)
    15:08: k.class (ID = 59671)
    15:08: s.class (ID = 59698)
    15:08: a.class (ID = 59443)
    15:08: m.class (ID = 59678)
    15:08: j.class (ID = 59670)
    15:08: p.class (ID = 59689)
    15:08: v.class (ID = 59718)
    15:08: x.class (ID = 59729)
    15:08: ba.class (ID = 59449)
    15:08: bd.class (ID = 59455)
    15:08: bj.class (ID = 59466)
    15:08: bq.class (ID = 59480)
    15:08: bs.class (ID = 59484)
    15:08: bv.class (ID = 59490)
    15:08: t.class (ID = 59708)
    15:08: cg.class (ID = 59513)
    15:08: ci.class (ID = 59517)
    15:08: cm.class (ID = 59526)
    15:08: co.class (ID = 59530)
    15:08: cw.class (ID = 59547)
    15:08: cy.class (ID = 59551)
    15:08: dc.class (ID = 59561)
    15:08: u.class (ID = 59715)
    15:08: dh.class (ID = 59570)
    15:08: dk.class (ID = 59579)
    15:08: du.class (ID = 59596)
    15:08: limeshop_script0.htm (ID = 65533)
    15:11: File Sweep Complete, Elapsed Time: 00:54:14
    15:11: Full Sweep has completed. Elapsed time 00:55:32
    15:11: Traces Found: 1032
    15:16: Program Version: 4.5.8 (Build 683) Using Spyware Definitions 586
    15:17: Program Version: 4.5.8 (Build 683) Using Spyware Definitions 586
    15:17: | End of Session, Monday, December 19, 2005 |
    ********
    13:44: | Start of Session, Monday, December 19, 2005 |
    13:44: Spy Sweeper started
    13:59: Your spyware definitions have been updated.
    14:12: Program Version: 4.5.8 (Build 683) Using Spyware Definitions 586
    14:14: Program Version: 4.5.8 (Build 683) Using Spyware Definitions 586
    14:15: Program Version: 4.5.8 (Build 683) Using Spyware Definitions 586
    14:15: | End of Session, Monday, December 19, 2005 |
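An added example, not part of this thread and not code from Webroot or Spy Sweeper: a small Python parser for the session-log format posted above. It groups trace lines under the "Found ..." entry they belong to, classifies each trace as a registry, cookie or file hit, lists the CLSIDs the registry traces reference (the toolbar/BHO class IDs you would look for when cleaning by hand), and cross-checks the "Found" names against the "Quarantining All Traces" names so that anything the removal pass skipped stands out. It assumes the English-language Spy Sweeper 4.x log strings; the embedded sample log is constructed from a few lines of the posted log, with limeshop deliberately left out of the quarantine section to show the check firing.

```python
"""Triage a Spy Sweeper session log offline: group traces per threat, classify
where each trace lives (registry / cookie / file), pull out the CLSIDs that
registry traces reference, and check that every threat found was quarantined."""
import re
from collections import defaultdict

# Constructed sample in the (English) Spy Sweeper 4.x log format, modelled on
# the log posted in this thread and cut down to a few representative lines.
SAMPLE_LOG = r"""
15:35: | Start of Session, Monday, December 19, 2005 |
15:36: Found Adware: hotsearchbar toolbar
15:36: HKCR\clsid\{76c13acd-b6fd-4cbe-ac7b-46551f360048}\ (6 subtraces) (ID = 127751)
15:36: HKLM\software\classes\clsid\{76c13acd-b6fd-4cbe-ac7b-46551f360048}\ (6 subtraces) (ID = 127760)
15:37: Found Adware: cws-aboutblank
15:37: HKU\S-1-5-21-3274082783-3749152046-3359350331-1007\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
15:37: Registry Sweep Complete, Elapsed Time:00:00:13
15:37: Found Spy Cookie: onestat.com cookie
15:37: ray@stat.onestat[2].txt (ID = 3098)
15:38: Found Trojan Horse: ukvideo
15:38: c:\windows\system32\dialersetup (1 subtraces) (ID = -2147480128)
15:38: Found Adware: limeshop
15:38: c:\program files\limeshop (135 subtraces) (ID = -2147480733)
15:39: Found Adware: ebates money maker
15:39: main.class (ID = 59681)
16:31: Traces Found: 1032
17:03: Quarantining All Traces: hotsearchbar toolbar
17:04: Quarantining All Traces: cws-aboutblank
17:04: Quarantining All Traces: onestat.com cookie
17:04: Quarantining All Traces: ukvideo
17:04: Quarantining All Traces: ebates money maker
17:09: Removal process completed. Elapsed time 00:05:03
"""

FOUND_RE = re.compile(r"^\d\d:\d\d: Found ([A-Za-z ]+): (.+)$")
TRACE_RE = re.compile(r"^\d\d:\d\d: (.+?)(?: \((\d+) subtraces\))? \(ID = (-?\d+)\)$")
QUARANTINE_RE = re.compile(r"^\d\d:\d\d: Quarantining All Traces: (.+)$")
TOTAL_RE = re.compile(r"^\d\d:\d\d: Traces Found: (\d+)$")
COOKIE_RE = re.compile(r"^[^\\]+@[^\\]+\[\d+\]\.txt$")          # e.g. ray@stat.onestat[2].txt
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def trace_kind(location):
    """Classify a trace by where it lives: registry key/value, cookie file, or file path/name."""
    if location.upper().startswith(("HKCR\\", "HKLM\\", "HKCU\\", "HKU\\")):
        return "registry"
    if COOKIE_RE.match(location):
        return "cookie"
    return "file"   # a full path, or a bare file name found inside a flagged directory


def parse_spysweeper_log(text):
    """Return {'threats': {name: {'category', 'traces'}}, 'quarantined': [...], 'total': int|None}.
    Trace lines belong to the most recent 'Found ...' line, exactly as the log is laid out."""
    threats, quarantined, total, current = {}, [], None, None
    for line in text.splitlines():
        line = line.rstrip()
        if m := FOUND_RE.match(line):
            category, name = m.groups()
            current = threats.setdefault(name, {"category": category, "traces": []})
        elif m := QUARANTINE_RE.match(line):
            quarantined.append(m.group(1))
        elif m := TOTAL_RE.match(line):
            total = int(m.group(1))
        elif (m := TRACE_RE.match(line)) and current is not None:
            location, subtraces, trace_id = m.groups()
            key, _, value = location.partition(" || ")   # registry value traces read 'key || value'
            current["traces"].append({"location": key, "value": value or None,
                                      "kind": trace_kind(key),
                                      "subtraces": int(subtraces or 0), "id": int(trace_id)})
    return {"threats": threats, "quarantined": quarantined, "total": total}


def unquarantined(report):
    """Threats that were found but never quarantined: re-sweep or clean these by hand."""
    done = set(report["quarantined"])
    return [name for name in report["threats"] if name not in done]


def registry_clsids(report):
    """Distinct CLSIDs referenced by registry traces, lower-cased, in log order."""
    seen = []
    for threat in report["threats"].values():
        for trace in threat["traces"]:
            if trace["kind"] == "registry":
                for clsid in CLSID_RE.findall(trace["location"]):
                    if clsid.lower() not in seen:
                        seen.append(clsid.lower())
    return seen


def summarize(report):
    """Per category: (threat name, number of trace lines, kinds of location seen)."""
    by_category = defaultdict(list)
    for name, threat in report["threats"].items():
        kinds = sorted({t["kind"] for t in threat["traces"]})
        by_category[threat["category"]].append((name, len(threat["traces"]), kinds))
    return dict(by_category)


if __name__ == "__main__":
    report = parse_spysweeper_log(SAMPLE_LOG)
    for category, rows in summarize(report).items():
        print(category, rows)
    print("traces found:", report["total"])
    print("registry CLSIDs:", registry_clsids(report))
    print("found but NOT quarantined:", unquarantined(report))
```

To run it on a real saved session log, replace SAMPLE_LOG with the file's contents (parse_spysweeper_log(open(path, encoding="utf-8", errors="replace").read())). The only line-level assumption is the "(ID = ...)" suffix Spy Sweeper puts on every trace line; anything without it is treated as a status line and ignored.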
  • Yes, Spy Sweeper is a great program, in my eyes one of the few programs that is worth the money twice over.

    Kazaa does indeed contain the spyware Cydoor, and Kazaa will probably no longer work if you remove this spyware. It still seems better to me to swap Kazaa for a similar program without spyware.

    I think your problems are over now.

    [b:86071f6e44]A few tips to keep your system clean:[/b:86071f6e44]

    Visit the Windows Update site regularly. Only that way can you be sure you have the latest patches for your operating system installed. If new updates are available, download and install all critical updates and service packs. Reboot your computer and check again. Repeat this procedure until there are no more critical updates.

    Also always keep your antivirus program up to date.

    In addition you should also use a good firewall; the standard Windows firewall is not sufficient.
    Free: ZoneAlarm, Kerio and Sygate

    Also install SpywareBlaster and SpywareGuard.
    If you use the latest version of Spybot Search & Destroy and you use its real-time protection TeaTimer, then you should not install SpywareGuard. Keep these programs up to date too!

    Via a reg file you can arm yourself against malicious ActiveX code. Click here for more info

    kind regards smeenk :wink:
  • reg file installed and spyblaster updated.
    Avast, my virus scanner, is refreshed daily.
    The Windows update site I do indeed need to visit more often.

    Zone Alarm I used ages ago but it caused a lot of problems with other applications and slowed things down a lot. I still remember I had great trouble getting it off my system! Maybe Kerio is something..

    In any case I hope to keep everything clean now.
    Thanks again!!
    :wink: :wink:

    Kind regards,
    theplayer1
  • You're welcome :)

    I hope we've got that trojan off your system for good, it was quite a job in any case :roll:

    Regards smeenk


This is an archived page. Replying is no longer possible.