

msn-worm hjt-log

M@rc
15 answers
  • Inattentive, and by reflex, I clicked a link during an MSN conversation that was 'supposedly' sent by the person I was chatting with. PC very slow, or freezes completely. Finally managed to make a log.

    Logfile of HijackThis v1.99.1
    Scan saved at 22:04:12, on 24/09/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\WINNT\system32\drivers\CDAC11BA.EXE
    C:\WINNT\QmV1dGVscw\command.exe
    C:\WINNT\System32\CTsvcCDA.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\WINNT\system32\HPZipm12.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\dfndrff_e13.exe
    C:\nwnmff_e13.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINNT\system32\crunner\cproc.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\explorer.exe
    C:\Documents and Settings\Administrator\Bureaublad\spyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ksjantwerpen.org/forum
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.be/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O3 - Toolbar: @msdxmLC.dll,-1@1043,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\nl-be\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [hjdb9e29] RUNDLL32.EXE waa537ef.dll,n 004b9e250000000aaa537ef
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_e13.exe
    O4 - HKLM\..\Run: [newname] C:\\nwnmff_e13.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e13.exe
    O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
    O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
    O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [cprocsvc] C:\WINNT\system32\crunner\cproc.exe
    O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
    O4 - HKCU\..\Run: [Ypyachqe] C:\Documents and Settings\Administrator\Mijn documenten\?ssembly\l?ass.exe
    O4 - HKCU\..\Run: [Ccat] "C:\PROGRA~1\COMMON~1\RACLE~1\wuaclt.exe" -vt ndrv
    O4 - Startup: ADSL Diagnostic Tools.LNK = C:\WINNT\system32\mapiicon.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\INTERVIDEO\COMMON\BIN\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O4 - Global Startup: Poort voor Symantec Fax Starter Edition.lnk = C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
    O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: &Google Zoeken - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Woord vertalen in het Nederlands - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/ClientInstall/9.20.0002/OCI/setup.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ksjherentals.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/nl/win/QuickTimeFullInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/nl/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp01.photoprintit.de/microsite/defaults/activex/IPSUploader.cab
    O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9AD68B69-CDA4-438F-8A3C-27A0701A1293}: NameServer = 195.238.2.22 195.238.2.21
    O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - E:\Player\__CDS2.dll (file missing)
    O20 - AppInit_DLLs: dxclib303562752.dll
    O20 - Winlogon Notify: Controls Folder - C:\WINNT\system32\fp0003dme.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QmV1dGVscw\command.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
    O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: AOpen NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

    Thanks in advance for the help,

    Guft. ;)

  • Go to Control Panel - Add/Remove Programs. Uninstall MSN Messenger.
    (It is infected with a worm. Later, once the computer is clean, you can install it again.)
    Also uninstall Command Service and Network Monitor.

    Download Brute Force Uninstaller: http://www.merijn.org/files/bfu.zip
    Unzip it into its own folder on your C:\ (c:\BFU).
    Read here how to unzip correctly:
    http://home.planet.nl/~kleyn080/unzippenXPuitleg.html

    Double-click BFU.exe to start the Brute Force Uninstaller.

    Next to the 'scriptfile to execute' window you will see a small icon: http://users.telenet.be/bluepatchy/miekiemoes/images/bfuicon.JPG
    Click that icon and a new window will open.
    At the top you will see: 'Please enter the full URL to the script you want to execute'
    In that window, copy and paste the following URL:
    http://home.planet.nl/~kleyn080/alcanshorty.bfu

    Click OK.
    Then click 'execute' in Brute Force Uninstaller.

    Wait until you see the message 'complete script execution' and then click 'OK'.
    Click 'exit' to close the program.

    Download combofix.exe: http://download.bleepingcomputer.com/sUBs/combofix.exe
    Save it to your desktop.
    Double-click it to start the program.
    In the screen that appears, type Y to start the cleaning process.
    Follow the on-screen instructions.
    When the tool has finished, a log file (combofix.txt) opens. Post the contents of this file together with a new HijackThis log.
  • Administrator - ma 25/09/2006 19:37:12,09 Service Pack 4
    ComboFix 06.09.25 - Running from: "C:\Documents and Settings\Administrator\Bureaublad"

    ((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

    REGISTRY ENTRIES REMOVED:

    [HKEY_CLASSES_ROOT\CLSID\{CE1C5B69-BB0E-4A84-8DFA-4D6BD1441121}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{CE1C5B69-BB0E-4A84-8DFA-4D6BD1441121}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{CE1C5B69-BB0E-4A84-8DFA-4D6BD1441121}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{CE1C5B69-BB0E-4A84-8DFA-4D6BD1441121}\InprocServer32]
    @="C:\\WINNT\\system32\\aqpmgr.dll"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\CLSID\{B196C206-EDA9-49BE-BC2F-B6261777CAF7}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{B196C206-EDA9-49BE-BC2F-B6261777CAF7}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{B196C206-EDA9-49BE-BC2F-B6261777CAF7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{B196C206-EDA9-49BE-BC2F-B6261777CAF7}\InprocServer32]
    @="C:\\WINNT\\system32\\wnpasf.dll"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\CLSID\{2A977B8C-42F7-44B8-B067-08F1D03C9796}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{2A977B8C-42F7-44B8-B067-08F1D03C9796}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{2A977B8C-42F7-44B8-B067-08F1D03C9796}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{2A977B8C-42F7-44B8-B067-08F1D03C9796}\InprocServer32]
    @="C:\\WINNT\\system32\\mrasn1.dll"
    "ThreadingModel"="Apartment"

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    FILES REMOVED:

    C:\WINNT\system32\cmcui.dll
    C:\WINNT\system32\crodm.dll
    C:\WINNT\system32\d60mlgd1160.dll
    C:\WINNT\system32\daactfrm.dll
    C:\WINNT\system32\dzrgui.dll
    C:\WINNT\system32\fzeploy.dll
    C:\WINNT\system32\IQROP.DLL
    C:\WINNT\system32\ir2ql5f51.dll
    C:\WINNT\system32\irlql5351.dll
    C:\WINNT\system32\j24o0ch3ef4.dll
    C:\WINNT\system32\mmxml.dll
    C:\WINNT\system32\mrasn1.dll
    C:\WINNT\system32\MRSDM.DLL
    C:\WINNT\system32\mvimsg.dll
    C:\WINNT\system32\n42u0ef9eh2.dll
    C:\WINNT\system32\n4n60e5seh.dll
    C:\WINNT\system32\NAWKS.DLL
    C:\WINNT\system32\q4ps0e77eh.dll
    C:\WINNT\system32\qPsf.dll


    Granting sedebugprivilege to Administrators … successful


    ((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINNT\system32\dxclib303562752.dll
    C:\Documents and Settings\Administrator\Application Data\Dxcknwrd.dll
    C:\WINNT\system32\bkd.exe
    C:\Program Files\DeluxeCommunications\Dxc.exe
    C:\Program Files\DeluxeCommunications\DxcBho.dll
    C:\Program Files\DeluxeCommunications\DxcCore.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Documents and Settings\Administrator\Xinstall.exe
    C:\Documents and Settings\Default User\Application Data\NetMon
    C:\Program Files\Common Files\misc002
    C:\Program Files\Deskbar
    C:\WINNT\system32\crunner
    C:\Program Files\Common Files\{C45DC839-07CF-1043-0926-020922970020}

    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Administrator\Mijn documenten\SSEMBL~1
    C:\QooBox\Purity\Documents and Settings\Administrator\Mijn documenten\SSEMBL~1\l?ass.exe
    C:\QooBox\Purity\Program Files\SCURIT~1
    C:\QooBox\Purity\Program Files\Common Files\ICROSO~1
    C:\QooBox\Purity\Program Files\Common Files\RACLE~1
    C:\QooBox\Purity\Program Files\Common Files\RACLE~1\wuaclt.exe
    C:\QooBox\Purity\Program Files\Common Files\RACLE~1\?racle


    ((((((((((((((((((((((((((((((( Files Created from 2006-08-25 to 2006-09-25 ))))))))))))))))))))))))))))))))))


    2006-09-25 18:24 138,862 –a—— C:\WINNT\system32\mny.exe
    2006-09-25 14:00 20,480 –a—— C:\WINNT\system32\sprJ.exe
    2006-09-24 22:09 20,480 –a—— C:\WINNT\system32\sprC.exe
    2006-09-24 02:39 2 –a—— C:\WINNT\system32\wcptr.exe
    2006-09-24 02:39 131,072 –a—— C:\WINNT\system32\jtuk.dll
    2006-09-23 02:31 131,072 –a—— C:\WINNT\system32\uzj.dll
    2006-09-22 19:30 234,905 -r–s—- C:\WINNT\system32\arctres.dll
    2006-09-21 19:55 57,384 –a—— C:\WINNT\system32\avsda.dll
    2006-09-21 19:48 1,233 –a—— C:\WINNT\system32\hjdb9e29.sys
    2006-09-21 19:42 2,657 –a—— C:\DXC1205b.exe
    2006-09-21 19:31 52,305 –a—— C:\WINNT\system32\Xinstall.exe
    2006-09-21 19:31 20,480 –a—— C:\WINNT\system32\sprT.exe
    2006-09-21 19:31 138,862 –a—— C:\WINNT\system32\alfa.exe
    2006-09-10 15:23 278,528 –a—— C:\WINNT\system32\livesnth.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-09-25 19:40 ——– d-a—— C:\Program Files\Common Files
    2006-09-25 19:26 ——– d——– C:\Program Files\Yahoo!
    2006-09-25 18:25 ——– d——– C:\Program Files\Hitman Pro
    2006-09-24 22:36 ——– d——– C:\Program Files\SpywareBlaster
    2006-09-24 22:34 ——– d——– C:\Program Files\MSN Messenger
    2006-09-23 02:31 32177 —hs—- C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
    2006-09-23 00:43 ——– d——– C:\Program Files\PrintView
    2006-09-22 19:40 ——– d——– C:\Program Files\HP
    2006-09-22 19:40 ——– d——– C:\Program Files\Hewlett-Packard
    2006-09-22 19:40 ——– d——– C:\Documents and Settings\Administrator\Application Data\Image Zone Express
    2006-09-22 19:38 44774 –a—— C:\Documents and Settings\Administrator\Application Data\PatchUpdate_HP_CounterReport_Update_HPSU.log
    2006-09-22 19:37 369 –a—— C:\Documents and Settings\Administrator\Application Data\HelpFilesUpdatePatch_PRINTHELPWRAPPER.log
    2006-09-22 19:37 0 –a—— C:\Documents and Settings\Administrator\Application Data\HelpFilesUpdatePatch_HELPFILEREPLACE.log
    2006-09-22 19:36 2974 –a—— C:\Documents and Settings\Administrator\Application Data\PatchUpdate_InstantShareJPG.log
    2006-09-22 19:36 2532 –a—— C:\Documents and Settings\Administrator\Application Data\PatchUpdate_HP_ISRegionListUpdatelog_HPSU.log
    2006-09-22 19:35 5433 –a—— C:\Documents and Settings\Administrator\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
    2006-09-22 19:34 44631 –a—— C:\Documents and Settings\Administrator\Application Data\Update_HP_RedboxHprblog_HPSU.log
    2006-09-22 18:31 ——– d——– C:\Program Files\AVPersonal
    2006-09-21 19:55 ——– d——– C:\Program Files\AntiVir PersonalEdition Classic
    2006-08-16 22:08 153600 —hs—- C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
    2006-08-02 22:21 ——– d——– C:\Program Files\imageinfo
    2006-08-02 22:21 ——– d——– C:\Program Files\image
    2006-08-02 21:54 ——– d——– C:\Program Files\thumbs


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Creative Detector"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
    "Ypyachqe"="C:\\Documents and Settings\\Administrator\\Mijn documenten\\?ssembly\\l?ass.exe"
    "Ccat"="\"C:\\PROGRA~1\\COMMON~1\\RACLE~1\\wuaclt.exe\" -vt ndrv"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "Synchronization Manager"="mobsync.exe /logon"
    "HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "hjdb9e29"="RUNDLL32.EXE waa537ef.dll,n 004b9e250000000aaa537ef"
    "avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
    "PVModule"="C:\\PROGRA~1\\PRINTV~1\\pvmodule.exe"
    "ntdll.dll"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000003
    "Settings"=dword:00000000
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msoclip1/01/clip_image002.gif"
    "SubscribedURL"="file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msoclip1/01/clip_image002.gif"
    "FriendlyName"=""
    "Flags"=dword:00002001
    "Position"=hex:2c,00,00,00,47,02,00,00,5c,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,e8,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,47,02,00,00,5c,00,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,01,00,00,00
    "RestoredStateInfo"=hex:54,1f,65,79,00,24,60,79,ff,ff,ff,ff,0c,5d,76,02,7b,50,\
    ab,70,dc,ff,76,02

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="Mijn huidige introductiepagina"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,c0
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000095
    "CDRAutoRun"=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    @=""
    "NoDriveTypeAutoRun"=hex:5f,00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000095

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


    Contents of the 'Scheduled Tasks' folder
    C:\WINNT\tasks\HPpromotions journeysoftware.job

    Completion time: Mon 2006-09-25 19:40:42.48
    ComboFix.txt


    Logfile of HijackThis v1.99.1
    Scan saved at 19:43:57, on 25/09/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\WINNT\system32\drivers\CDAC11BA.EXE
    C:\WINNT\System32\CTsvcCDA.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\HPZipm12.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\PROGRA~1\PRINTV~1\pvmodule.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\INTERVIDEO\COMMON\BIN\WinCinemaMgr.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
    C:\WINNT\system32\mapiicon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
    C:\Documents and Settings\Administrator\Bureaublad\spyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.be/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [hjdb9e29] RUNDLL32.EXE waa537ef.dll,n 004b9e250000000aaa537ef
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
    O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [Ypyachqe] C:\Documents and Settings\Administrator\Mijn documenten\?ssembly\l?ass.exe
    O4 - HKCU\..\Run: [Ccat] "C:\PROGRA~1\COMMON~1\RACLE~1\wuaclt.exe" -vt ndrv
    O4 - Startup: ADSL Diagnostic Tools.LNK = C:\WINNT\system32\mapiicon.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\INTERVIDEO\COMMON\BIN\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O4 - Global Startup: Poort voor Symantec Fax Starter Edition.lnk = C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
    O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: &Google Zoeken - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Woord vertalen in het Nederlands - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/ClientInstall/9.20.0002/OCI/setup.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ksjherentals.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/nl/win/QuickTimeFullInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/nl/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp01.photoprintit.de/microsite/defaults/activex/IPSUploader.cab
    O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
    O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - E:\Player\__CDS2.dll (file missing)
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
    O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: AOpen NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe


    Command service and network monitor were not among them.

    Guft. ;)


  • Close all open windows, run HijackThis once more and place a check mark next to the following items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O4 - HKLM\..\Run: [hjdb9e29] RUNDLL32.EXE waa537ef.dll,n 004b9e250000000aaa537ef
    O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
    O4 - HKCU\..\Run: [Ypyachqe] C:\Documents and Settings\Administrator\Mijn documenten\?ssembly\l?ass.exe
    O4 - HKCU\..\Run: [Ccat] "C:\PROGRA~1\COMMON~1\RACLE~1\wuaclt.exe" -vt ndrv

    Then click "Fix checked" and close HijackThis.

    Restart the computer.

    Start HijackThis again, create a new log and post it.
  • Logfile of HijackThis v1.99.1
    Scan saved at 21:48:09, on 25/09/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\WINNT\system32\drivers\CDAC11BA.EXE
    C:\WINNT\System32\CTsvcCDA.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\HPZipm12.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\INTERVIDEO\COMMON\BIN\WinCinemaMgr.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
    C:\WINNT\system32\mapiicon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
    C:\Documents and Settings\Administrator\Bureaublad\spyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ksjantwerpen.org/forum
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.be/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - Startup: ADSL Diagnostic Tools.LNK = C:\WINNT\system32\mapiicon.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\INTERVIDEO\COMMON\BIN\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O4 - Global Startup: Poort voor Symantec Fax Starter Edition.lnk = C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
    O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: &Google Zoeken - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Woord vertalen in het Nederlands - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/ClientInstall/9.20.0002/OCI/setup.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ksjherentals.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/nl/win/QuickTimeFullInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/nl/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp01.photoprintit.de/microsite/defaults/activex/IPSUploader.cab
    O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
    O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - E:\Player\__CDS2.dll (file missing)
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
    O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: AOpen NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
  • Close all open windows, run HijackThis once more and place a check mark next to the following item:

    O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll

    Then click "Fix checked" and close HijackThis.

    Install a virus scanner and a firewall:
    AVG, AntiVir or Avast are free antivirus programs.
    ZoneAlarm, Sygate or Kerio are free firewalls.

    Have your entire system scanned with the AV program you installed. Let it remove whatever it finds.

    Download and install Ewido Anti-Spyware 4.0.
    After installation, open Ewido Anti-Spyware 4.0:
    - under 'Status', click Change state next to 'Resident shield'. (this must end up set to 'Inactive')
    - under 'Update', click the Start update button under 'Manual update'.
    - under 'Scanner', go to the 'Settings' tab and change the following:
      * under 'How to act?', click 'Recommended actions' and select Quarantine.
      * under 'Reports', select Automatically generate report after every scan and remove the check mark next to Only if threats were found.
    - Close Ewido. Do not let it scan yet.

    Start the computer in Safe Mode. You can read how to do this here.
    Open Ewido Security Suite.
    - Click 'Scanner'.
    - Click 'Complete system scan'.
    Ewido will now scan your entire computer system.
    - When the scan has finished, click the Apply all Actions button at the bottom.
    - When you get the message 'All actions have been applied', click the 'Save Report' button at the bottom. The scan report is now saved in the folder Program Files\ewido anti-spyware 4.0\Reports
    If you click the 'Save report as' button, you get the option to save the report somewhere else. (e.g. your desktop)
    - Close Ewido.

    Restart the computer in normal mode and post the Ewido report.

    Start HijackThis again, create a new log and post it.
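The entries the helper asks to have fixed in the two posts above (the findthewebsiteyouneed.com browser settings, the dangling URLSearchHook, the Run entries with random names or look-alike executables, and the matcash.com DPF control) share a few tells that can be checked mechanically. The Python script below is an added example, not code from this thread or from HijackThis: it runs those heuristics over lines copied from the posted logs. The HIJACK_DOMAINS and SYSTEM_BINARIES lists, the function names and the Cyrillic-letter variant line are assumptions made for this example.

```python
"""Heuristic triage of HijackThis log lines (added example, not code from the
thread or from HijackThis). Tells checked: browser settings or O16 DPF
downloads pointing at a flagged domain, a URLSearchHook with no file behind it,
Run values with random or system-component names, and executables whose names
are one edit away from a Windows system binary."""
import re

HIJACK_DOMAINS = ("findthewebsiteyouneed.com", "matcash.com")  # from the posted log
SYSTEM_BINARIES = ("lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                   "explorer.exe", "wuauclt.exe", "ntdll.dll")  # assumed short list

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
RUN_ENTRY = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
FILE_TOKEN = re.compile(r'[^\\\s"]+\.(?:exe|dll)', re.IGNORECASE)

# Lines copied from the HijackThis logs posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ksjantwerpen.org/forum
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [hjdb9e29] RUNDLL32.EXE waa537ef.dll,n 004b9e250000000aaa537ef
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Ypyachqe] C:\Documents and Settings\Administrator\Mijn documenten\?ssembly\l?ass.exe
O4 - HKCU\..\Run: [Ccat] "C:\PROGRA~1\COMMON~1\RACLE~1\wuaclt.exe" -vt ndrv
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/nl/big/1.1.62-big/GoogleNav.cab
"""
# Constructed variant: the ewido report showed the real name uses a Cyrillic
# 's' (U+0455), which HijackThis had printed as '?'.
CONFUSABLE_LINE = (r"O4 - HKCU\..\Run: [Ypyachqe] C:\Documents and Settings"
                   r"\Administrator\Mijn documenten\SSEMBL~1\l" + "\u0455ass.exe")


def levenshtein(a, b):
    """Edit distance, used to spot names one typo away from a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_random(name):
    """Letters and digits mixed with no separators, e.g. hjdb9e29 or waa537ef."""
    s = name.lower()
    return (len(s) >= 6 and re.fullmatch(r"[a-z0-9]+", s) is not None
            and any(c.isdigit() for c in s) and any(c.isalpha() for c in s))

def check_run_entry(rest):
    """Reasons to look twice at an O4 Run entry (empty list if none)."""
    m = RUN_ENTRY.match(rest)
    if not m:
        return []
    name, cmd = m.group("name"), m.group("cmd")
    reasons = []
    if name.lower() in SYSTEM_BINARIES:
        reasons.append(f"Run value named after system component {name}")
    if looks_random(name):
        reasons.append(f"random-looking Run value name {name}")
    if any(ch == "?" or ord(ch) > 126 for ch in cmd):
        reasons.append("non-ASCII or unprintable characters in path")
    for fname in FILE_TOKEN.findall(cmd):
        low = fname.lower()
        for sysname in SYSTEM_BINARIES:
            if levenshtein(low, sysname) == 1:
                reasons.append(f"{fname} is one edit away from {sysname}")
        stem, _, ext = low.rpartition(".")
        if ext == "dll" and "rundll32" in cmd.lower() and looks_random(stem):
            reasons.append(f"rundll32 loading bare DLL {fname}")
    return reasons

def triage(log_text):
    """Return (line, reason) pairs for every HijackThis line worth a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        reasons = []
        if sec in ("R0", "R1", "R3", "O16"):
            for host in re.findall(r"https?://([^/\s]+)", rest):
                h = host.lower()
                if any(h == d or h.endswith("." + d) for d in HIJACK_DOMAINS):
                    reasons.append(f"points at hijack domain {host}")
        if sec == "R3" and "(no file)" in rest:
            reasons.append("URLSearchHook with no backing file")
        if sec == "O4":
            reasons += check_run_entry(rest)
        findings += [(line, r) for r in reasons]
    return findings

def reasons_for(log_text, needle):
    """Reasons attached to the lines of log_text that contain needle."""
    return [reason for line, reason in triage(log_text) if needle in line]

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Running it prints each flagged line with its reason. Note what the heuristics do and do not catch: the `[ntdll.dll]` entry is surfaced only because a Run value is named after a system DLL, although it launches the genuine QuickTime path and was left alone in the thread, while `pvmodule.exe` is not flagged at all because nothing about its name or path is odd; knowing it as adware is what the helper brings that a script cannot.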
  • I have installed AVG, but I still see many traces of the previous one (AntiVir).
    In Ewido it said you could make 'no reports', and under Status I could not change anything for Resident shield.

    ———————————————————
    ewido anti-spyware - Scan Report
    ———————————————————

    + Created at: 1:12:07 27/09/2006

    + Scan result:



    C:\WINNT\system32\mqexdlm.srg -> Adware.BargainBuddy : Cleaned with backup (quarantined).
    C:\QooBox\Purity\Documents and Settings\Administrator\Mijn documenten\SSEMBL~1\lѕass.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\WINNT\system32\jtuk.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\WINNT\system32\uzj.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\WINNT\system32\70tovmto.ini -> Adware.Sahat : Cleaned with backup (quarantined).
    C:\DXC1205b.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
    C:\Program Files\Common Files\Yazzle1122OinAdmin.exe -> Dropper.Small : Cleaned with backup (quarantined).
    C:\Documents and Settings\Administrator\Bureaublad\spyware\backups\backup-20060926-214032-718.dll -> Not-A-Virus.Downloader.Win32.InsTool.a : Cleaned with backup (quarantined).
    :mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e4u154ok.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
    :mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e4u154ok.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
    :mozilla.18:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e4u154ok.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
    :mozilla.25:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e4u154ok.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
    :mozilla.24:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e4u154ok.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


    ::Report end


    Logfile of HijackThis v1.99.1
    Scan saved at 1:18:30, on 27/09/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\system32\drivers\CDAC11BA.EXE
    C:\WINNT\System32\CTsvcCDA.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\system32\HPZipm12.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\INTERVIDEO\COMMON\BIN\WinCinemaMgr.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
    C:\WINNT\system32\mapiicon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
    C:\Documents and Settings\Administrator\Bureaublad\spyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ksjantwerpen.org/forum
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.be/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - Startup: ADSL Diagnostic Tools.LNK = C:\WINNT\system32\mapiicon.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\INTERVIDEO\COMMON\BIN\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O4 - Global Startup: Poort voor Symantec Fax Starter Edition.lnk = C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
    O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/ClientInstall/9.20.0002/OCI/setup.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ksjherentals.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/nl/win/QuickTimeFullInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/nl/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp01.photoprintit.de/microsite/defaults/activex/IPSUploader.cab
    O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - E:\Player\__CDS2.dll (file missing)
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
    O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: AOpen NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

    Guft. ;)
  • Go to Start - Run and type: services.msc
    Look for this service:
    AntiVir PersonalEdition Classic Guard

    Double-click it, stop the service and set the startup type to Disabled.

    Do the same for AntiVir PersonalEdition Classic Scheduler.

    Run this online scan: http://www.pandasoftware.com/activescan/com/activescan_principal.htm
    After scanning you get the option to save the log. Do so.
    Post the contents of that log.
  • Incident | Status | Location
    Adware:adware/exact.bargainbuddy | Not disinfected | c:\winnt\system32\vx0.nls
    Adware:adware/ncase | Not disinfected | c:\winnt\180axau.dat
    Adware:adware/clickalchemy | Not disinfected | c:\winnt\alchem.ini
    Dialer:dialer.xd | Not disinfected | c:\winnt\switchagreement.txt
    Hacktool:rootkit/fu.a | Not disinfected | hkey_local_machine\system\currentcontrolset\services\msdirectx
    Adware:adware/ucmore | Not disinfected | Windows Registry
    Adware:adware/cws | Not disinfected | Windows Registry
    Adware:Adware/Maxifiles | Not disinfected | C:\Documents and Settings\Administrator\alfa.exe
    Dialer:Dialer.ZE | Not disinfected | C:\Documents and Settings\Administrator\Bureaublad\spyware\backups\backup-20050117-160925-657.inf
    Spyware:Cookie/Hbmediapro | Not disinfected | C:\Documents and Settings\Administrator\Cookies\administrator@adopt.hbmediapro[2].txt
    Spyware:Cookie/MetriWeb | Not disinfected | C:\Documents and Settings\Administrator\Cookies\administrator@metriweb[1].txt
    Adware:Adware/YazzleSudoku | Not disinfected | C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
    Adware:Adware/Maxifiles | Not disinfected | C:\Program Files\Hitman Pro\mny.exe
    Adware:Adware/CommAd | Not disinfected | C:\WINNT\QmV1dGVscw\kApYx3pPwT.vbs
    Adware:Adware/Maxifiles | Not disinfected | C:\WINNT\system32\alfa.exe
    Adware:Adware/Maxifiles | Not disinfected | C:\WINNT\system32\mny.exe
    Dialer:Dialer.Gen | Not disinfected | C:\WINNT\system32\XXXNow_be-uninstall.exe
  • You can delete these files:
    c:\winnt\system32\vx0.nls
    c:\winnt\180axau.dat
    c:\winnt\alchem.ini
    c:\winnt\switchagreement.txt
    C:\Documents and Settings\Administrator\alfa.exe
    C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
    C:\Program Files\Hitman Pro\mny.exe
    C:\WINNT\QmV1dGVscw\kApYx3pPwT.vbs
    C:\WINNT\system32\alfa.exe
    C:\WINNT\system32\mny.exe
    C:\WINNT\system32\XXXNow_be-uninstall.exe


    Download F-Secure Blacklight: https://europe.f-secure.com/blacklight/
    Put it on your desktop.
    Double-click blbeta.exe.
    Click "I accept the agreement".
    Click "Next".
    Click "Scan" and, when the program is finished, click "Next".
    If Blacklight finds something, it will show a list of files.
    Do not let it rename anything yet.
    On your desktop there is a file named fsbl.xxxxxxx.log (the x's stand for digits)
    This is the log that Blacklight created. Post it.
  • 10/02/06 00:22:48 [Info]: BlackLight Engine 1.0.47 initialized
    10/02/06 00:22:48 [Info]: OS: 5.0 build 2195 (Service Pack 4)
    10/02/06 00:22:49 [Note]: 7019 4
    10/02/06 00:22:49 [Note]: 7005 0
    10/02/06 00:22:52 [Note]: 7006 0
    10/02/06 00:22:52 [Note]: 7011 1580
    10/02/06 00:22:53 [Note]: 7026 0
    10/02/06 00:22:53 [Note]: 7026 0
    10/02/06 00:23:04 [Note]: FSRAW library version 1.7.1020
    10/02/06 00:30:09 [Note]: 2000 1012
    10/02/06 00:30:09 [Note]: 2000 1012
    10/02/06 00:30:09 [Note]: 2000 1012
    10/02/06 00:50:24 [Note]: 7007 0
  • Download swsc.exe and put the file in the system32 folder: http://www.xs4all.nl/~fstaal01/downloads/swsc.exe

    Go to Start - Run and type: swsc delete msdirectx
    Restart the computer.

    Check whether you can find this file: c:\winnt\system32\msdirectx.sys
    If it is present, delete it. (I suspect it is gone)


    Are there any problems left?
  • I will do that; may MSN be reinstalled already as well?
  • You can put it back on.
  • Logfile of HijackThis v1.99.1
    Scan saved at 22:05:50, on 2/10/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\system32\drivers\CDAC11BA.EXE
    C:\WINNT\System32\CTsvcCDA.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\system32\HPZipm12.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\INTERVIDEO\COMMON\BIN\WinCinemaMgr.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
    C:\WINNT\system32\mapiicon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
    C:\Documents and Settings\Administrator\Bureaublad\spyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ksjantwerpen.org/forum
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.be/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - Startup: ADSL Diagnostic Tools.LNK = C:\WINNT\system32\mapiicon.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\INTERVIDEO\COMMON\BIN\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O4 - Global Startup: Poort voor Symantec Fax Starter Edition.lnk = C:\Program Files\Microsoft Office\Office\1043\OLFSNT40.EXE
    O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/ClientInstall/9.20.0002/OCI/setup.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ksjherentals.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/nl/win/QuickTimeFullInstaller.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/nl/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp01.photoprintit.de/microsite/defaults/activex/IPSUploader.cab
    O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - E:\Player\__CDS2.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
    O23 - Service: Logical Disk Manager Administrative-service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: AOpen NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe


    Thank you very much! Everything runs fine now. Is that also what the log says?

    Kudos for your help.

    Guft. ;)

This is an archived page. Replying is no longer possible.