hijack log

  • Raoul

Well, I have carried out all the steps, but there is still an awful lot of junk on the computer.

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\csrss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\System32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

    C:\Program Files\Analog Devices\SoundMAX\smax4.exe

    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

    C:\Program Files\Real\RealPlayer\RealPlay.exe

    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

    C:\PROGRA~1\Support.com\bin\tgcmd.exe

    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

    D:\NORMAN\bin\ZLH.EXE

    C:\Program Files\QuickTime\qttask.exe

    C:\Program Files\Logitech\ImageStudio\LogiTray.exe

    C:\Program Files\Logitech\iTouch\iTouch.exe

    C:\WINDOWS\system32\LVCOMSX.EXE

    C:\Program Files\Logitech\Video\LogiTray.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\WINDOWS\system32\drivers\CDAC11BA.EXE

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

    D:\NORMAN\bin\ZANDA.EXE

    C:\Program Files\WinZip\WZQKPICK.EXE

    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Logitech\Video\FxSvr2.exe

    C:\WINDOWS\system32\wdfmgr.exe

    C:\WINDOWS\system32\MsPMSPSv.exe

    D:\NORMAN\Nvc\BIN\NIP.EXE

    D:\NORMAN\Nvc\BIN\NVCSCHED.EXE

    D:\NORMAN\bin\NJEEVES.EXE

    D:\NORMAN\Nvc\BIN\nipsvc.exe

    D:\NORMAN\Nvc\BIN\nvcoas.exe

    C:\WINDOWS\System32\alg.exe

    D:\NORMAN\Nvc\bin\cclaw.exe

    C:\Program Files\Ahead\Nero\nero.exe

    D:\hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.startpagina.nl/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.paradigit.nl

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

    O2 - BHO: (no name) - {043EB01E-BA91-300D-B96D-A1BE1DC84C2A} - C:\DOCUME~1\gerda\APPLIC~1\CREATI~1\ThatHeck.exe (file missing)

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    O3 - Toolbar: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL

    O4 - HKLM\..\Run: C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray

    O4 - HKLM\..\Run: C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

    O4 - HKLM\..\Run: C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    O4 - HKLM\..\Run: C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: "C:\PROGRA~1\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

    O4 - HKLM\..\Run: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    O4 - HKLM\..\Run: C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

    O4 - HKLM\..\Run: D:\NORMAN\bin\ZLH.EXE /LOAD /SPLASH

    O4 - HKLM\..\Run: C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

    O4 - HKLM\..\Run: C:\PROGRA~1\DESKMA~1\DeskMateAutoUpdate.exe

O4 - HKLM\..\Run: "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: C:\Program Files\Logitech\ImageStudio\ISStart.exe

    O4 - HKLM\..\Run: C:\Program Files\Logitech\ImageStudio\LogiTray.exe

    O4 - HKLM\..\Run: C:\Program Files\Logitech\iTouch\iTouch.exe

    O4 - HKLM\..\Run: C:\WINDOWS\system32\LVCOMSX.EXE

    O4 - HKLM\..\Run: C:\Program Files\Logitech\Video\ISStart.exe

    O4 - HKLM\..\Run: C:\Program Files\Logitech\Video\LogiTray.exe

    O4 - HKLM\..\Run: C:\Documents and Settings\All Users\Application Data\Popmorekeepdash\chic rdr.exe

    O4 - HKLM\..\Run: C:\WINDOWS\system32\NeroCheck.exe

    O4 - HKCU\..\Run: C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\microsoft\Office10\OSA.EXE

    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

    O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.paradigit.nl

    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {1D185838-009D-47C8-824B-B65B4854430E} (Installer Class) - quickfix2.chello.nl/quickfix2/asp/chelloInstall.CAB

    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - www.windowsecurity.com/trojanscan/TDECntrl.CAB

    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - www.reflexive.net/rlwweb/ReflexiveWebGameLoader.cab

    O16 - DPF: {4C762EEE-6D90-4F9B-94F6-B6E99B008ABD} (SeeStorm AvatarPlayer) - www.facefactory.tv/cab/AvatarPlayer.cab

    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - spaces.msn.com//PhotoUpload/MsnPUpld.cab

    O16 - DPF: {56830284-4E2F-4418-8D26-3DEF348C16F1} (OSAKit.OSA_Kit) - www.ancientsoft.com/OSAKit.CAB

    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - www.bigfishgames.com/online/luxor/mjolauncher.cab

    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - www.bitdefender.com/scan/Msie/bitdefender.cab

    O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - www.bigfishgames.com/online/tumblebugs/axhost.cab

    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - www.extrafilm.nl/import/ImageUploader3.cab

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - messenger.msn.com/download/MsnMessengerSetupDownloader.cab

    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - www.windowsecurity.com/trojanscan/axscan.cab

    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - game12.zylomgames.com/activex/zylomgamesplayer.cab

    O16 - DPF: {C58EFA10-2CC0-4C50-8C77-B326555EC1B7} (clsDefault Class) - quickfix2.chello.nl/quickfix2/asp/LaunchApp.CAB

    O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - game13.zylomgames.com/activex/zylomloader.cab

    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - www.bigfishgames.com/online/feedingfrenzy/Game/SproutLauncher.cab

    O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - as.photoprintit.de/ips-opdata/74914090/activex/IPSUploader.cab

    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - www.popcap.com/games/popcaploader_v6.cab

    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - asp01.photoprintit.de/microsite/defaults/activex/XUpload.ocx

    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

    O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe

    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

    O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - D:\NORMAN\Nvc\BIN\nipsvc.exe

    O23 - Service: Norman NJeeves - Unknown owner - D:\NORMAN\bin\NJEEVES.EXE

    O23 - Service: Norman ZANDA - Unknown owner - D:\NORMAN\bin\ZANDA.EXE

    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - D:\NORMAN\Nvc\BIN\nvcoas.exe

    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - D:\NORMAN\Nvc\BIN\NVCSCHED.EXE

    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Just for the record, this is my girlfriend's PC; she didn't know at first how to keep it maintained.

Thanks in advance!

  • Raoul

Don't know why, but apparently this wasn't included; in case you need it:

    Logfile of HijackThis v1.99.1

    Scan saved at 12:28:03, on 24-10-2005

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

  • pablo

hi raoul

first uninstall via Control Panel > Add/Remove Programs:

    big fish games toolbar

    messenger plus

    deskmate

Boonty Games: this one also seems to bring advertising with it :? at any rate the privacy policy says they keep personal information for advertising purposes ;)

    http://www.boonty.com/privacy.php

in Control Panel > Folder Options, first tick "Show hidden files and folders" and untick "Hide extensions for known file types" and "Hide protected operating system files (Recommended)", then click Apply and OK

print out the instructions below or copy them to a text file; the rest of the fix is done in Safe Mode, so you won't be able to use this page to peek at :)

boot into Safe Mode ( explanation ) ( explanation )

start only HijackThis, tick only the lines below and click "Fix checked"

    O2 - BHO: (no name) - {043EB01E-BA91-300D-B96D-A1BE1DC84C2A} - C:\DOCUME~1\gerda\APPLIC~1\CREATI~1\ThatHeck.exe (file missing)

    O2 - BHO: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL

    O3 - Toolbar: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL

O4 - HKLM\..\Run: "C:\PROGRA~1\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf

    O4 - HKLM\..\Run: C:\PROGRA~1\DESKMA~1\DeskMateAutoUpdate.exe

    O4 - HKLM\..\Run: C:\Documents and Settings\All Users\Application Data\Popmorekeepdash\chic rdr.exe

    O4 - HKCU\..\Run: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\microsoft\Office10\OSA.EXE

    O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)

    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - www.reflexive.net/rlwweb/ReflexiveWebGameLoader.cab

    O16 - DPF: {4C762EEE-6D90-4F9B-94F6-B6E99B008ABD} (SeeStorm AvatarPlayer) - www.facefactory.tv/cab/AvatarPlayer.cab

    O16 - DPF: {56830284-4E2F-4418-8D26-3DEF348C16F1} (OSAKit.OSA_Kit) - www.ancientsoft.com/OSAKit.CAB

    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - www.popcap.com/games/popcaploader_v6.cab

    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - www.bigfishgames.com/online/luxor/mjolauncher.cab

    O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - www.bigfishgames.com/online/tumblebugs/axhost.cab

this one only if she wants to get rid of Boonty :)

    O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe

delete the following folders ( ~1 means the folder name is abbreviated )

    C:\PROGRAm files\DESKMAte

    C:\DOCUME~1\gerda\APPLIC~1\CREATI~1

    C:\PROGRA~1\BFGTOO~1

    C:\Documents and Settings\All Users\Application Data\Popmorekeepdash

empty your temp files; empty the folders, don't delete them:

    C:\Documents and Settings\\Local Settings\Temp\

C:\Documents and Settings\username\Local Settings\Temporary Internet Files

C:\Documents and Settings\username\Local Settings\Temporary Internet Files\content.ie5 <= if this folder isn't shown, go to the Temporary Internet Files folder, type \content.ie5 after it in the address bar and press Enter

    C:\Windows\Temp\

reboot into normal mode.

open Notepad.

copy the bold text below and paste it into a new Notepad window.

save it on your desktop as "export.bat" ( including the quotation marks ).

    dir %Windir%\tasks /a:h > jobs.txt

    notepad jobs.txt

    del /q jobs.txt

find export.bat on your desktop and double-click it.

a Notepad window will open; select all the text and copy it into your reply, together with a new HijackThis log :)

    paul
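The triage done by hand in the post above (pick out the O2/O3/O4/O9/O16/O23 lines whose target is missing, lives under a user profile folder, or has no proper path, then compare the new log with the old one) can be scripted. The Python below is an added example written for this page; it is not part of HijackThis and not code from the thread. The line formats are those of HijackThis v1.99.1 as printed in the logs above, the sample lines are copied from those logs, and the three heuristics (missing target, autostart under Documents and Settings, O4 entry without an absolute path) are assumptions drawn from the entries flagged in this thread, not rules from the tool. They catch the orphaned BHO, the Popmorekeepdash autostart and the broken BackWeb entry; a toolbar like Big Fish Games, which merely has a known name, still needs a lookup.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Every report line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: C:\foo.exe".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
MISSING_MARKERS = ("(file missing)", "(no file)")
# Assumption from this thread's triage: autostarts under a profile folder deserve a look.
PROFILE_DIR_RE = re.compile(r"\\(?:DOCUME~1|Documents and Settings)\\", re.IGNORECASE)
ABS_WIN_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


@dataclass(frozen=True)
class Entry:
    section: str  # "O2", "O4", "O16", ...
    kind: str     # "BHO", "HKLM\..\Run", "DPF", "Service", ...
    target: str   # the file path or URL the entry points at, as printed
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None  # header, "Running processes:" or a bare process path
    section, body = m.group("sec"), m.group("body")
    if section.startswith("R"):  # R0/R1: "<key>,<value> = <data>"
        kind, _, target = body.partition(" = ")
        return Entry(section, kind, target, line)
    kind, _, rest = body.partition(": ")
    if section == "O4" and kind == "Global Startup":  # "name.lnk = path"
        target = rest.partition(" = ")[2]
    elif section == "O4":  # Run key: the command line itself
        target = rest
    else:  # "name - {CLSID} - path-or-url", "name - owner - path", ...
        target = rest.rsplit(" - ", 1)[-1]
    return Entry(section, kind, target, line)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def flags(e: Entry) -> List[str]:
    out = []
    if any(mk in e.target for mk in MISSING_MARKERS):
        out.append("missing-target")      # orphaned registration; ask why the file vanished
    if e.section in ("O2", "O3", "O4", "O9", "O18", "O23") and PROFILE_DIR_RE.search(e.target):
        out.append("runs-from-profile")   # code loaded from a user-writable profile folder
    if e.section == "O4" and e.kind != "Global Startup" and not ABS_WIN_PATH_RE.match(e.target):
        out.append("relative-path")       # Run value with no drive: a leftover or a search-path hijack
    return out


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged raw line to its flags."""
    return {e.raw: f for e in parse_log(text) if (f := flags(e))}


def _key(e: Entry) -> Tuple[str, str, str]:
    t = e.target.lower()
    for scheme in ("http://", "https://"):  # the forum stripped schemes from the first log
        if t.startswith(scheme):
            t = t[len(scheme):]
    return (e.section, e.kind, t)


def diff_logs(before: List[Entry], after: List[Entry]) -> Tuple[List[str], List[str]]:
    """Return (lines gone after the fix, lines new after the fix), as raw text."""
    b = {_key(e): e for e in before}
    a = {_key(e): e for e in after}
    return ([b[k].raw for k in sorted(b.keys() - a.keys())],
            [a[k].raw for k in sorted(a.keys() - b.keys())])


# Constructed sample: lines copied from the two logs in this thread (before and after the fix).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {043EB01E-BA91-300D-B96D-A1BE1DC84C2A} - C:\DOCUME~1\gerda\APPLIC~1\CREATI~1\ThatHeck.exe (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O4 - HKLM\..\Run: C:\Documents and Settings\All Users\Application Data\Popmorekeepdash\chic rdr.exe
O4 - HKCU\..\Run: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
"""
AFTER_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: \Program\BackWeb-8876480.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
"""

if __name__ == "__main__":
    for raw, fl in triage(BEFORE_LOG).items():
        print(", ".join(fl).ljust(34), raw)
    gone, new = diff_logs(parse_log(BEFORE_LOG), parse_log(AFTER_LOG))
    print(f"\n{len(gone)} lines gone after the fix, {len(new)} new:")
    for raw in new:
        print("  NEW", raw, flags(parse_line(raw)))
```

On the thread's own data the diff shows the six removed entries and one new one, the HKCU Run value that now reads `\Program\BackWeb-8876480.exe`: the uninstaller left the value behind with a broken relative path, which is exactly the line the next post tells Raoul to fix.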

  • pablo

    http://www.hijackthis.nl/forum/viewtopic.php?p=10963#10963

why on two forums? we are all volunteers; putting even more of them to work is, to put it mildly, not very nice :?

    paul

  • Raoul

sorry, I won't do it again in future.

I had no bad intentions; I just thought I might get helped faster there, as I had already been waiting for a while. But it won't happen again! My log is on its way, I'm going to do everything now.

  • Erik

>I thought I might get helped faster there

And that was indeed the case ;-)

Now just a little message for Miepje :?

  • Raoul

I did do that, even first of all…

    Logfile of HijackThis v1.99.1

    Scan saved at 10:40:26, on 25-10-2005

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\csrss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\System32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\drivers\CDAC11BA.EXE

    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    D:\NORMAN\bin\ZANDA.EXE

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\wdfmgr.exe

    C:\WINDOWS\system32\MsPMSPSv.exe

    C:\WINDOWS\Explorer.EXE

    D:\NORMAN\Nvc\BIN\nvcoas.exe

    D:\NORMAN\bin\NJEEVES.EXE

    D:\NORMAN\Nvc\BIN\NVCSCHED.EXE

    D:\NORMAN\Nvc\BIN\nipsvc.exe

    C:\WINDOWS\System32\alg.exe

    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

    C:\Program Files\Analog Devices\SoundMAX\smax4.exe

    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

    C:\Program Files\Real\RealPlayer\RealPlay.exe

    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

    D:\NORMAN\bin\ZLH.EXE

    C:\Program Files\QuickTime\qttask.exe

    C:\Program Files\Logitech\ImageStudio\LogiTray.exe

    C:\Program Files\Logitech\iTouch\iTouch.exe

    C:\WINDOWS\system32\LVCOMSX.EXE

    C:\Program Files\Logitech\Video\LogiTray.exe

    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Messenger\msmsgs.exe

    C:\Program Files\MSN Messenger\msnmsgr.exe

    C:\Program Files\Logitech\Video\FxSvr2.exe

    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    D:\NORMAN\Nvc\BIN\NIP.EXE

    C:\Program Files\WinZip\WZQKPICK.EXE

    D:\NORMAN\Nvc\bin\cclaw.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\WINDOWS\System32\wbem\wmiprvse.exe

    D:\hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startpagina.nl/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.paradigit.nl

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    O4 - HKLM\..\Run: C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray

    O4 - HKLM\..\Run: C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

    O4 - HKLM\..\Run: C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    O4 - HKLM\..\Run: C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

    O4 - HKLM\..\Run: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    O4 - HKLM\..\Run: C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

    O4 - HKLM\..\Run: D:\NORMAN\bin\ZLH.EXE /LOAD /SPLASH

    O4 - HKLM\..\Run: C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: C:\Program Files\Logitech\ImageStudio\ISStart.exe

    O4 - HKLM\..\Run: C:\Program Files\Logitech\ImageStudio\LogiTray.exe

    O4 - HKLM\..\Run: C:\Program Files\Logitech\iTouch\iTouch.exe

    O4 - HKLM\..\Run: C:\WINDOWS\system32\LVCOMSX.EXE

    O4 - HKLM\..\Run: C:\Program Files\Logitech\Video\ISStart.exe

    O4 - HKLM\..\Run: C:\Program Files\Logitech\Video\LogiTray.exe

    O4 - HKLM\..\Run: C:\WINDOWS\system32\NeroCheck.exe

    O4 - HKCU\..\Run: C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU\..\Run: \Program\BackWeb-8876480.exe

O4 - HKCU\..\Run: "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.paradigit.nl

    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {1D185838-009D-47C8-824B-B65B4854430E} (Installer Class) - http://quickfix2.chello.nl/quickfix2/asp/chelloInstall.CAB

    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB

    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.extrafilm.nl/import/ImageUploader3.cab

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab

    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game12.zylomgames.com/activex/zylomgamesplayer.cab

    O16 - DPF: {C58EFA10-2CC0-4C50-8C77-B326555EC1B7} (clsDefault Class) - http://quickfix2.chello.nl/quickfix2/asp/LaunchApp.CAB

    O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://game13.zylomgames.com/activex/zylomloader.cab

    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.bigfishgames.com/online/feedingfrenzy/Game/SproutLauncher.cab

    O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://as.photoprintit.de/ips-opdata/74914090/activex/IPSUploader.cab

    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://asp01.photoprintit.de/microsite/defaults/activex/XUpload.ocx

    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)

    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

    O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - D:\NORMAN\Nvc\BIN\nipsvc.exe

    O23 - Service: Norman NJeeves - Unknown owner - D:\NORMAN\bin\NJEEVES.EXE

    O23 - Service: Norman ZANDA - Unknown owner - D:\NORMAN\bin\ZANDA.EXE

    O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - D:\NORMAN\Nvc\BIN\nvcoas.exe

    O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - D:\NORMAN\Nvc\BIN\NVCSCHED.EXE

    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

This is what my log looks like now. I couldn't find this:

    O4 - HKCU\..\Run: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

  • Raoul

Oh, I see I forgot that last step; I'm on another computer now, but I'll add it as soon as I get the chance.

Don't know whether you can do anything with this yet, but so far I haven't had any more problems at any rate.

  • Raoul

here's the rest:

Volume in drive C has no label.

Volume Serial Number is 10F5-288E

Directory of C:\WINDOWS\tasks

    26-10-2005 14:00 268 A1C6CBE291854B16.job

    26-10-2005 14:00 264 A344EBB591076635.job

    26-10-2005 14:00 264 B1AF69F791611C6B.job

    26-10-2005 14:00 264 B1BFB86D914829C9.job

    11-09-2002 21:00 65 desktop.ini

    26-10-2005 09:01 6 SA.DAT

6 File(s) 1,131 bytes

0 Dir(s) 3,444,686,848 bytes free
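The `export.bat` listing above is easier to triage once parsed. The Python below is an added example written for this page, not code from the thread or from Windows: it parses the `dir /a:h` output, picks out `.job` files whose name is a bare 16-character hex string rather than a task name, groups `.job` files by last-write timestamp so a batch dropped in the same minute stands out, and prints the full paths in the form the next post pastes into KillBox. The hex-name heuristic is an assumption taken from the four files flagged in this thread, not a Task Scheduler rule; the embedded listing is the one from this post, with the `dir` header lines in English.

```python
"""Triage a `dir %Windir%\\tasks /a:h` listing (added example, not from the thread)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One listing row: "26-10-2005 14:00 268 A1C6CBE291854B16.job"
# (dd-mm-yyyy hh:mm as printed by a Dutch-locale cmd.exe; column widths vary, so split on whitespace).
DIR_ROW_RE = re.compile(r"^(\d{2}-\d{2}-\d{4})\s+(\d{2}:\d{2})\s+([\d.,]+)\s+(\S.*?)\s*$")
# Assumption from this thread's triage: a .job named by a bare 16-digit hex id, not by a task name.
HEX_JOB_RE = re.compile(r"^[0-9A-F]{16}\.job$", re.IGNORECASE)
# Housekeeping files the XP Task Scheduler itself keeps in the folder.
SCHEDULER_OWN_FILES = {"desktop.ini", "sa.dat"}


@dataclass(frozen=True)
class TaskFile:
    date: str
    time: str
    size: int
    name: str


def parse_dir_listing(text: str) -> List[TaskFile]:
    rows = []
    for line in text.splitlines():
        m = DIR_ROW_RE.match(line.strip())
        if not m:  # volume header, summary and blank lines
            continue
        date, time, size, name = m.groups()
        rows.append(TaskFile(date, time, int(re.sub(r"[.,]", "", size)), name))
    return rows


def suspicious_jobs(files: List[TaskFile]) -> List[TaskFile]:
    """Jobs whose file name is a hex identifier instead of the task's name."""
    return [f for f in files if HEX_JOB_RE.match(f.name)]


def unexpected_files(files: List[TaskFile]) -> List[TaskFile]:
    """Anything that is neither a .job nor a file the Scheduler keeps there itself."""
    return [f for f in files
            if not f.name.lower().endswith(".job") and f.name.lower() not in SCHEDULER_OWN_FILES]


def written_together(files: List[TaskFile]) -> Dict[Tuple[str, str], List[str]]:
    """Group .job files by last-write timestamp; several in one minute usually came from one installer."""
    groups = defaultdict(list)
    for f in files:
        if f.name.lower().endswith(".job"):
            groups[(f.date, f.time)].append(f.name)
    return {ts: names for ts, names in groups.items() if len(names) > 1}


def killbox_paths(files: List[TaskFile], tasks_dir: str = r"C:\windows\tasks") -> List[str]:
    """Full paths in the form pasted into KillBox with 'Delete on reboot' ticked."""
    return [f"{tasks_dir}\\{f.name}" for f in files]


# Constructed sample: the listing from this post, header lines translated.
TASKS_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is 10F5-288E

 Directory of C:\WINDOWS\tasks

26-10-2005  14:00               268 A1C6CBE291854B16.job
26-10-2005  14:00               264 A344EBB591076635.job
26-10-2005  14:00               264 B1AF69F791611C6B.job
26-10-2005  14:00               264 B1BFB86D914829C9.job
11-09-2002  21:00                65 desktop.ini
26-10-2005  09:01                 6 SA.DAT
               6 File(s)          1,131 bytes
               0 Dir(s)   3,444,686,848 bytes free
"""

if __name__ == "__main__":
    files = parse_dir_listing(TASKS_LISTING)
    jobs = suspicious_jobs(files)
    print(f"{len(files)} entries, {len(jobs)} hex-named .job files, "
          f"{len(unexpected_files(files))} unexpected other files")
    for ts, names in written_together(files).items():
        print("written together at", *ts, "->", ", ".join(names))
    print("\n".join(killbox_paths(jobs)))
```

Jobs removed this way should also disappear from `dir %Windir%\tasks /a:h` on the next run of `export.bat`; if the same hex-named files come back, whatever wrote them is still running and the listing alone will not show it.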

  • pablo

hi raoul,

start HijackThis, click Scan and tick only the line below:

    O4 - HKCU\..\Run: \Program\BackWeb-8876480.exe

close all windows except HijackThis and click "Fix checked"

download KillBox and extract it to your desktop

    http://www.downloads.subratam.org/KillBox.zip

start KillBox and tick "Delete on reboot"

copy the bold text:

    C:\windows\tasks\A1C6CBE291854B16.job

    C:\windows\tasks\A344EBB591076635.job

    C:\windows\tasks\B1AF69F791611C6B.job

    C:\windows\tasks\B1BFB86D914829C9.job

open "File" in the KillBox menu at the top and choose: Paste from clipboard

you'll see the bold text above appear in the "Full Path of File to Delete" field.

There is a small arrow next to that field. If you click it you'll see all the lines above that you copied ( if the files are present ) ( at least, that's the idea )

Then click the red button with the white cross in it, and click YES in both pop-ups.

your PC will restart; if you get a message about pendingfilerename, restart manually :)

after that, post a new HijackThis log and an export.bat log so we can check :)

paul :)