ongewenste pop ups

Hallo allemaal,

Ik post dit bericht namens een Franse vriend van mij. Hij heeft last van pop ups die spontaan tevoorschijn komen. Gescand met virusscanner, adaware, spybot en nog steeds komen ze terug.

Hierbij zijn log:

Logfile of HijackThis v1.99.1

Scan saved at 20:12:31, on 02/11/05

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\ATI2EVXX.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\RUNDLL32.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE

C:\WINDOWS\LOADQM.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE

C:\SBPCI\CTMIX32.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\PROGRAM FILES\WINAMP\WINAMPA.EXE

C:\WINDOWS\SYSTEM\GSICON.EXE

C:\WINDOWS\SYSTEM\DSLAGENT.EXE

C:\PROGRAM FILES\WANADOO\TASKBARICON.EXE

C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE

C:\PROGRAM FILES\SCANNERU\AM32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\WANADOO\ESPACEWANADOO.EXE

C:\PROGRAM FILES\WANADOO\COMCOMP.EXE

C:\PROGRAM FILES\WANADOO\WATCH.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\WINAMP\WINAMP.EXE

C:\PROGRAM FILES\SERV-U\SERV-U32.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\HIJACK\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.fr/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo, Internet avec france telecom

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: SysTray.Exe

O4 - HKLM\..\Run: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: loadqm.exe

O4 - HKLM\..\Run: C:\Program Files\Norton AntiVirus\vptray.exe

O4 - HKLM\..\Run: C:\SBPCI\ctmix32.exe /T

O4 - HKLM\..\Run: C:\WINDOWS\SYSTEM\LOYTFGTO.EXE

O4 - HKLM\..\Run: “C:\WINDOWS\SYSTEM\QTTASK.EXE” -atboottime

O4 - HKLM\..\Run: “C:\PROGRAM FILES\WINAMP\WINAMPa.exe”

O4 - HKLM\..\Run: GSICON.EXE

O4 - HKLM\..\Run: DSLAGENT.EXE

O4 - HKLM\..\Run: C:\PROGRA~1\WANADOO\watch.exe

O4 - HKLM\..\Run: C:\PROGRA~1\WANADOO\taskbaricon.exe

O4 - HKLM\..\RunServices: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: mstask.exe

O4 - HKLM\..\RunServices: ati2evxx.exe

O4 - HKLM\..\RunServices: C:\WINDOWS\SYSTEM\ati2s9ag.exe

O4 - HKLM\..\RunServices: C:\Program Files\Norton AntiVirus\rtvscn95.exe

O4 - HKLM\..\RunServices: C:\Program Files\Norton AntiVirus\defwatch.exe

O4 - HKCU\..\Run: C:\PROGRA~1\INSTAN~1\BIN\ITLAUN~1.EXE -Embedding /AutoStart

O4 - HKCU\..\Run: “C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE” /background

O4 - Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.EXE

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL (file missing)

O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL (file missing)

O9 - Extra button: (no name) - {FFFFFFFF-ABBB-FFFF-FFFF-FFFFFFFFFFFF} - http://top.holm.ru/cgi-bin/link.cgi?l=book (file missing)

O9 - Extra ‘Tools’ menuitem: FUNNY SEXY PICTURES - {FFFFFFFF-ABBB-FFFF-FFFF-FFFFFFFFFFFF} - http://top.holm.ru/cgi-bin/link.cgi?l=book (file missing)

O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - www.wanadoo.fr (file missing) (HKCU)

O16 - DPF: {084DAC27-6FA3-4F55-9005-033F2F102F5C} (ITPPDiagIE Class) - http://data.jeuxclassiques.com/npwwg.cab

O16 - DPF: {ABB08127-7417-11D4-8566-00500448008D} (Chat Class) - http://downloads.winwise.fr/Common/npchatlax.cab

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

O16 - DPF: {45E83043-1F6F-4D22-A5E7-0138EA171B49} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/fr/filesharingctrl.cab

O16 - DPF: {AC120B1D-9411-4111-AF52-118052D85D45} (GameDesire Darts Games) - http://67.15.101.3/g_bin/eng/darts_2_0_0_29.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab

O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webmasterexe/drsmartload111a.exe

Je vriend heeft deze trojan aan boord: http://www.sophos.com/virusinfo/analyses/trojteadoorb.html

Vink deze regels aan in HJT en sluit alle andere vensters:

O4 - HKLM\..\Run: C:\WINDOWS\SYSTEM\LOYTFGTO.EXE

O9 - Extra button: (no name) - {FFFFFFFF-ABBB-FFFF-FFFF-FFFFFFFFFFFF} - top.holm.ru/cgi-bin/link.cgi?l=book (file missing)

O9 - Extra ‘Tools’ menuitem: FUNNY SEXY PICTURES - {FFFFFFFF-ABBB-FFFF-FFFF-FFFFFFFFFFFF} - top.holm.ru/cgi-bin/link.cgi?l=book (file missing)

O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - promo.dollarrevenue.com/webmasterexe/drsmartload111a.exe

Klik op fix checked.

Verwijder het volgende bestand:

C:\WINDOWS\SYSTEM\LOYTFGTO.EXE <== Bestand

Doe een online scan bij Panda en bewaar het logje: http://www.pandasoftware.com/products/activescan.htm

Post een vers HJT logje en het logje van Panda :-)

karin

Oetie

lucas

Erik

karin

Erik