    #1 kasparh (Advanced member)

    HijackThis (Win2000 severely slowed down)

    Hi,

    Despite full scans with Hitman Pro, AVG and Kaspersky I am still stuck here with a slowed-down (and clearly infected) system.
    Could someone analyse this log?
    Thanks for a quick reply (as I have come to expect from you; thanks, thanks, thanks)!

    Here is the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:31:50, on 27/09/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Documents and Settings\Administrator\Xinstall.exe
    C:\kybrdff_e14.exe
    C:\PROGRA~1\PRINTV~1\pvmodule.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Trust\Trust 730S LCD PowerC@M ZOOM\ICON.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\SoftwareDistribution\Download\S-1-5-18\7c24e70ad58bb7b519dfdd1abcd4a1e1\update\update.exe
    C:\WINNT\system32\wuauclt.exe
    C:\wim analyse\Hijack This\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telenet Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be:8080
    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
    O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Administrator\Xinstall.exe
    O4 - HKLM\..\Run: [newname] C:\\nwnmff_e14.exe
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_e14.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e14.exe
    O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
    O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Trust 730S LCD PowerC@M ZOOM Monitor.lnk = C:\Program Files\Trust\Trust 730S LCD PowerC@M ZOOM\ICON.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://korneelbeirnaert.spaces.live....d/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136842866926
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents...r/imloader.cab
    O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
    O20 - Winlogon Notify: Syncmgr - C:\WINNT\system32\jtps0777e.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

    See you!

    Kaspar H
    Gutta cavat lapidem, non vi sed saepe cadendo.
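A quick way to pre-screen a log like the one above before posting it, as an added example that is not part of the original thread or of HijackThis itself: a small Python triage script run over a constructed sample of lines in HijackThis v1.99.1 format (the paths are the ones the posted log shows; the lookalike-name list and the random-name pattern are heuristics chosen for illustration, not an authoritative rule set). It flags what a helper looks at first: executables launched from the drive root or straight from a profile folder, Run values named after Windows components that point outside the system folder, Winlogon Notify DLLs (which load into winlogon.exe), and entries whose target file is already gone.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v1.99.1 format; the paths are the ones the
# posted log shows, trimmed to the entries that matter for this demonstration.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Administrator\Xinstall.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e14.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e14.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e14.exe
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
O20 - Winlogon Notify: Syncmgr - C:\WINNT\system32\jtps0777e.dll (file missing)
"""


@dataclass
class Finding:
    severity: str  # "high" = act on it, "review" = verify before acting
    section: str   # HijackThis section code such as "O4" or "O20"
    reason: str
    line: str


ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# First drive-letter path ending in a loadable module; stop at the extension so
# arguments and the "(file missing)" marker are not swallowed.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))\b', re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")
# Run-value names that imitate Windows components (assumption: a short list
# chosen for illustration, not an authoritative one).
LOOKALIKE_NAMES = {"explorer", "svchost", "lsass", "winlogon", "services", "csrss"}
# letters + digits (+ letter) .dll: the shape of the missing Notify DLL above.
RANDOM_DLL_RE = re.compile(r"^[a-z]{2,6}\d{3,6}[a-z]?\.dll$", re.IGNORECASE)
SYSTEM_DIRS = ("\\winnt\\", "\\windows\\")


def normalise(path: str) -> str:
    """Collapse doubled backslashes (HijackThis writes root-level files with two)."""
    return re.sub(r"\\{2,}", r"\\", path)


def triage_line(line: str) -> List[Finding]:
    """Apply the heuristics to one HijackThis entry; non-entries yield nothing."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    found: List[Finding] = []

    def add(severity: str, reason: str) -> None:
        found.append(Finding(severity, section, reason, line))

    if "(file missing)" in body or "(no file)" in body:
        add("review", "orphaned entry: the registry still points at a file that is gone")

    pm = PATH_RE.search(body)
    path: Optional[str] = normalise(pm.group(1)) if pm else None
    if path:
        parts = path.split("\\")
        folders = [p.lower() for p in parts[:-1]]
        filename = parts[-1]
        if len(folders) == 1:
            add("high", "module launched straight from the drive root: " + path)
        if folders[:2] == ["c:", "documents and settings"] and len(folders) == 3:
            add("high", "module sits directly in a user profile folder: " + path)
        if section == "O20":
            if RANDOM_DLL_RE.match(filename):
                add("high", "Winlogon Notify DLL with a random-looking name: " + filename)
            else:
                add("review", "Winlogon Notify DLL loads into winlogon.exe as SYSTEM; check the publisher")

    if section == "O4" and path:
        nm = RUN_NAME_RE.search(body)
        name = nm.group("name").lower() if nm else ""
        if name in LOOKALIKE_NAMES and not any(d in path.lower() for d in SYSTEM_DIRS):
            add("high", "Run value named like a Windows component ('%s') but outside the system folder" % name)
    return found


def triage_log(text: str) -> List[Finding]:
    out: List[Finding] = []
    for raw in text.splitlines():
        out.extend(triage_line(raw))
    return out


def summarise(findings: List[Finding]) -> dict:
    """Count findings per severity, for a quick read before posting the log."""
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print("%-6s %-4s %s" % (f.severity, f.section, f.reason))
    print(summarise(triage_log(SAMPLE_LOG)))
```

"review" findings are not verdicts: klogon.dll and WRLogonNTF.dll in the log belong to two products that are themselves listed under O23 in the same log. Orphaned entries matter for a different reason: they show that a scanner deleted a file but left its autostart key, so the registry side still has to be cleaned. Note also that a HijackThis log is not a complete list of autostart locations: the ComboFix output later in this thread lists a `policies\explorer\run` value ("wininet.dll"="dfrgsrv.exe") that appears in none of the three HijackThis logs posted here.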

    #2 jurgenv (Honorary member)
    1. Download this file: combofix.exe
    2. Double-click combofix.exe and follow the instructions you get.
    3. When the tool has finished it will produce a report for you; post that log here together with a new HijackThis log.

    Note:
    Do not click while ComboFix is running; that would make the tool hang!

    Member of ASAP


    #3 kasparh (Advanced member)
    Hi Jurgen,

    Thanks for the quick answer.
    I ran ComboFix; you will find the log below. I should mention that during the run I was interrupted several times by both AVG and Kaspersky reporting adware or viruses.

    Korneel - Fri 29/09/2006 9:07:48.25 Service Pack 4
    ComboFix 06.09.28 - Running from: "C:\wim analyse"
    ((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

    REGISTRY ENTRIES REMOVED:
    [HKEY_CLASSES_ROOT\CLSID\{997E2580-BBA3-49AF-85FF-543AEE42E180}]
    @=""
    [HKEY_CLASSES_ROOT\CLSID\{997E2580-BBA3-49AF-85FF-543AEE42E180}\Implemented Categories]
    @=""
    [HKEY_CLASSES_ROOT\CLSID\{997E2580-BBA3-49AF-85FF-543AEE42E180}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""
    [HKEY_CLASSES_ROOT\CLSID\{997E2580-BBA3-49AF-85FF-543AEE42E180}\InprocServer32]
    @="C:\\WINNT\\system32\\svmapi.dll"
    "ThreadingModel"="Apartment"
    [HKEY_CLASSES_ROOT\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}]
    @=""
    [HKEY_CLASSES_ROOT\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\Implemented Categories]
    [HKEY_CLASSES_ROOT\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\Implemented Categories\{00021493-0000-0000-C000-000000000046}]
    [HKEY_CLASSES_ROOT\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\InprocServer32]
    @="C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\scieplugin.dll"
    "ThreadingModel"="Apartment"

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

    Granting sedebugprivilege to Administrators ... successful


    ((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\Documents and Settings\Administrator\Application Data\Dxccwrd.dll
    C:\Documents and Settings\Administrator\Application Data\Dxcknwrd.dll
    C:\Documents and Settings\Administrator\Application Data\Dxcuknwrd.dll

    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\Program Files\Inetget2
    C:\Program Files\ToolBar888
    C:\Program Files\Common Files\{6000AB84-015C-1033-1002-980830980020}
    C:\Documents and Settings\Administrator\Xinstall.exe
    C:\Program Files\PrintView

    ((((((((((((((((((((((((((((((( Files Created from 2006-08-29 to 2006-09-29 ))))))))))))))))))))))))))))))))))

    2006-09-27 18:11 82,432 -ra------ C:\WINNT\system32\msxml4r.dll
    2006-09-27 18:11 44,544 -ra------ C:\WINNT\system32\msxml4a.dll
    2006-09-27 18:11 1,233,920 -ra------ C:\WINNT\system32\msxml4.dll
    2006-09-27 11:55 86,016 --a------ C:\WINNT\unvise32.exe
    2006-09-25 19:34 176,640 --a------ C:\WINNT\system32\Xinstall.exe
    2006-09-25 16:52 51,072 --a------ C:\WINNT\system32\drivers\ikhlayer.sys
    2006-09-25 16:52 30,592 --a------ C:\WINNT\system32\drivers\ikhfile.sys
    2006-09-25 15:45 20,480 --a------ C:\WINNT\system32\sprJ.exe
    2006-09-24 11:53 20,480 --a------ C:\WINNT\system32\sprC.exe
    2006-09-23 05:45 234,272 -r--s---- C:\WINNT\system32\PABASE.DLL
    2006-09-22 16:10 20,480 --a------ C:\WINNT\system32\sprK.exe
    2006-09-22 16:10 138,862 --a------ C:\WINNT\system32\mny.exe
    2006-09-22 16:10 138,862 --a------ C:\WINNT\system32\alfa.exe
    2006-09-22 14:24 46,352 --a------ C:\WINNT\setdebug.exe
    2006-09-22 14:24 313,856 --a------ C:\WINNT\system32\dx3j.dll
    2006-09-22 14:24 171,792 --a------ C:\WINNT\system32\wjview.exe
    2006-09-22 14:24 171,280 --a------ C:\WINNT\system32\jit.dll
    2006-09-22 14:24 139,536 --a------ C:\WINNT\system32\javaee.dll
    2006-09-22 14:24 113 --a------ C:\WINNT\system32\zonedon.reg
    2006-09-22 14:24 113 --a------ C:\WINNT\system32\zonedoff.reg
    2006-09-22 14:23 947,472 --a------ C:\WINNT\system32\msjava.dll
    2006-09-22 14:23 63,248 --a------ C:\WINNT\system32\javaprxy.dll
    2006-09-22 14:23 49,424 --a------ C:\WINNT\system32\clspack.exe
    2006-09-22 14:23 404,752 --a------ C:\WINNT\system32\javart.dll
    2006-09-22 14:23 286,992 --a------ C:\WINNT\system32\vmhelper.dll
    2006-09-22 14:23 21,264 --a------ C:\WINNT\system32\msjdbc10.dll
    2006-09-22 14:23 187,152 --a------ C:\WINNT\system32\javacypt.dll
    2006-09-22 14:23 172,304 --a------ C:\WINNT\system32\jview.exe
    2006-09-22 14:23 154,384 --a------ C:\WINNT\system32\msawt.dll
    2006-09-22 14:23 15,120 --a------ C:\WINNT\system32\jdbgmgr.exe
    2006-09-21 19:41 234,272 -r--s---- C:\WINNT\system32\tLembed.dll
    2006-09-21 19:41 234,272 -r--s---- C:\WINNT\system32\tkpmib.dll

    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2006-09-29 09:10 -------- d-a------ C:\Program Files\Common Files
    2006-09-27 11:56 16524 --a------ C:\Program Files\Furnish Lite uninstal.log
    2006-09-27 11:55 -------- d-a------ C:\Program Files\Furnish Lite
    2006-09-27 08:48 778656 --a------ C:\WINNT\system32\drivers\avg7core.sys
    2006-09-26 18:42 -------- d-------- C:\Program Files\MSN Messenger
    2006-09-26 18:42 -------- d-------- C:\Program Files\Messenger
    2006-09-26 10:49 -------- d-------- C:\Program Files\WinZip
    2006-09-26 10:20 -------- d-------- C:\Program Files\Kaspersky Lab
    2006-09-26 10:10 -------- d-------- C:\Program Files\IncrediMail
    2006-09-25 16:57 -------- d-------- C:\Program Files\SpywareBlaster
    2006-09-25 16:52 -------- d-a------ C:\Program Files\Spyware Doctor
    2006-09-25 16:47 -------- d-------- C:\Program Files\Hitman Pro
    2006-09-25 16:35 -------- d-------- C:\Program Files\Anti-Virus-Pro
    2006-09-12 13:48 1713536 --a------ C:\WINNT\system32\NTKRNLPA.EXE
    2006-09-12 13:48 1690880 --a------ C:\WINNT\system32\NTOSKRNL.EXE
    2006-08-22 12:48 136912 --------- C:\WINNT\system32\drivers\fltmgr.sys
    2006-08-08 17:50 27904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
    2006-08-08 17:50 26912 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
    2006-07-25 07:08 840976 --a------ C:\WINNT\system32\mmcndmgr.dll
    2006-07-21 17:08 72704 --a------ C:\WINNT\system32\hlink.dll
    2006-07-06 13:45 96528 --a------ C:\WINNT\system32\dnsrslvr.dll
    2006-07-06 11:52 613648 --a------ C:\WINNT\system32\mmc.exe

    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "internat.exe"="internat.exe"
    "IncrediMail"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe /c"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe /logon"
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
    "Easy-PrintToolBox"="C:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
    "kav"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000003
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="C:\\WINNT\\warnhp.html"
    "SubscribedURL"=""
    "FriendlyName"="Desktop Uninstall"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,20,03,00,00,3c,02,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:02,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,02,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,01,00,00,00
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,00,00,ea,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,00
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
    00,00,01,00,00,00
    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "internat.exe"="internat.exe"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
    "Spyware Doctor"=""
    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
    "^SetupICWDesktop"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000095
    "CDRAutoRun"=dword:00000000
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
    "wininet.dll"="dfrgsrv.exe"
    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000095
    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

    Completion time: Fri 2006-09-29 9:17:32.03
    ComboFix.txt

    ************************************

    HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:26:40, on 29/09/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Trust\Trust 730S LCD PowerC@M ZOOM\ICON.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\wim analyse\Hijack This\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telenet Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be:8080
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Trust 730S LCD PowerC@M ZOOM Monitor.lnk = C:\Program Files\Trust\Trust 730S LCD PowerC@M ZOOM\ICON.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\WINNT\System32\shdocvw.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://korneelbeirnaert.spaces.live....d/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136842866926
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents...r/imloader.cab
    O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

    Hopefully you can take this further.

    Thanks in advance for the time and effort!

    Kaspar H

    #4 jurgenv (Honorary member)
    * Download and unzip Killbox to your desktop.
    Click killbox.exe.
    Select the option "Delete on reboot".
    In the field "Full Path of File to Delete", copy and paste the following:

    C:\WINNT\system32\Xinstall.exe

    Click the button: single file (!Important!)

    Then click the red circle with the white cross in it.
    Killbox will say that this file will be deleted on reboot and ask whether to reboot now. Click YES.

    Your PC should now reboot.

    * I see that you are running Kaspersky and AVG together in real-time mode. This is not recommended, as it causes slowdowns and also reduces reliability. So uninstall one of your antivirus products, or disable the real-time protection of one of the two.

    * Then post a new HijackThis log here.

    Member of ASAP
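What Killbox's "Delete on reboot" does under the hood, as an added example that is not part of the original thread or of Killbox: Windows exposes MoveFileEx with the MOVEFILE_DELAY_UNTIL_REBOOT flag, which appends the path to the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations; the session manager processes that list early in the next boot, before services and Run entries start, so a file that is locked or re-created while Windows is up can still be removed. The Python below builds and decodes that value format (a source path in `\??\` form paired with an empty destination means delete) and, on Windows only, performs the real call through ctypes; the helper names are mine and the target path is the one given in the post above. It needs administrator rights and removes exactly the one path given, which is why the thread targets C:\WINNT\system32\Xinstall.exe separately after ComboFix had already deleted the copy in the Administrator profile.

```python
import sys
import ctypes
from typing import List

# Flag value from winbase.h for MoveFileEx(W).
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4


def pending_delete_entry(path: str) -> List[str]:
    """Return the source/destination pair MoveFileEx stores for a delayed delete.

    The source is written in NT object-namespace form (a \\??\\ prefix before the
    drive letter); an empty destination tells the session manager to delete
    rather than rename.
    """
    return ["\\??\\" + path, ""]


def encode_multi_sz(entries: List[str]) -> bytes:
    """Encode a REG_MULTI_SZ: each string UTF-16LE with its own NUL, plus a final NUL."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in entries) + b"\x00\x00"


def decode_multi_sz(data: bytes) -> List[str]:
    """Inverse of encode_multi_sz; keeps empty strings, which are meaningful here."""
    text = data.decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("REG_MULTI_SZ must end with a NUL")
    # Drop the list terminator, split on the per-string NULs, drop the empty tail.
    return text[:-1].split("\x00")[:-1]


def pending_ops_value(paths: List[str]) -> bytes:
    """The PendingFileRenameOperations value that deletes every path in `paths`."""
    entries: List[str] = []
    for p in paths:
        entries.extend(pending_delete_entry(p))
    return encode_multi_sz(entries)


def schedule_delete_on_reboot(path: str) -> bool:
    """Ask Windows to delete `path` during the next boot (needs administrator rights).

    Returns False on non-Windows hosts and when the API call fails; use
    ctypes.get_last_error() on Windows to see why.
    """
    if sys.platform != "win32":
        return False
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    kernel32.MoveFileExW.restype = ctypes.c_int
    # NULL destination + MOVEFILE_DELAY_UNTIL_REBOOT = "delete at next boot".
    return bool(kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT))


if __name__ == "__main__":
    target = r"C:\WINNT\system32\Xinstall.exe"  # the path from the post above
    value = pending_ops_value([target])
    print("PendingFileRenameOperations would contain:", decode_multi_sz(value))
    print("scheduled:", schedule_delete_on_reboot(target))
```

The registry value can be read back with regedit to confirm the entry was queued; a second copy of the same malware in another folder, or an autostart key that re-downloads it, is not touched by this mechanism, which is why the helper asks for a fresh HijackThis log after the reboot.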


    #5 kasparh (Advanced member)
    Hi,

    I normally work with AVG here; I had downloaded Kaspersky to run a full scan with that AV, and I have turned its real-time protection off for now. I will remove Kaspersky later. Thanks for the tip.

    HijackThis log after Killbox:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:23:54, on 3/10/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Trust\Trust 730S LCD PowerC@M ZOOM\ICON.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\wim analyse\Hijack This\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telenet Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be:8080
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Trust 730S LCD PowerC@M ZOOM Monitor.lnk = C:\Program Files\Trust\Trust 730S LCD PowerC@M ZOOM\ICON.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\WINNT\System32\shdocvw.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://korneelbeirnaert.spaces.live....d/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136842866926
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents...r/imloader.cab
    O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

    One extra question:

    I would like to remove that f***ing IncrediMail, but I just cannot manage it. Can you help?

    Thanks in advance!

    Regards,

    Kaspar H

    #6 jurgenv (Honorary member)
    Could you also post a new ComboFix log? Have you already tried uninstalling IncrediMail via Software (Add/Remove Programs)?

    Member of ASAP

    #7 kasparh (Advanced member)
    I will do the ComboFix log tomorrow.
    I have tried IncrediMail via Software (Add/Remove Programs), but each time I get a message that I do not have administrator rights (???). There is only one admin on that PC, and that is the account I work with...

    Other options? Directly in the registry? I know just a bit too little about that.

    Regards,

    #8 kasparh (Advanced member)
    Hi,

    Here is my ComboFix log:

    Korneel - Thu 2006-10-05 12:51:30.54 Service Pack 4
    ComboFix 06.09.28 - Running from: "C:\wim analyse"
    ((((((((((((((((((((((((((((((( Files Created from 2006-09-05 to 2006-10-05 ))))))))))))))))))))))))))))))))))

    2006-09-27 18:11 82,432 -ra------ C:\WINNT\system32\msxml4r.dll
    2006-09-27 18:11 44,544 -ra------ C:\WINNT\system32\msxml4a.dll
    2006-09-27 18:11 1,233,920 -ra------ C:\WINNT\system32\msxml4.dll
    2006-09-27 11:55 86,016 --a------ C:\WINNT\unvise32.exe
    2006-09-25 16:52 51,072 --a------ C:\WINNT\system32\drivers\ikhlayer.sys
    2006-09-25 16:52 30,592 --a------ C:\WINNT\system32\drivers\ikhfile.sys
    2006-09-22 16:10 20,480 --a------ C:\WINNT\system32\sprK.exe
    2006-09-22 16:10 138,862 --a------ C:\WINNT\system32\mny.exe
    2006-09-22 16:10 138,862 --a------ C:\WINNT\system32\alfa.exe
    2006-09-22 14:24 46,352 --a------ C:\WINNT\setdebug.exe
    2006-09-22 14:24 313,856 --a------ C:\WINNT\system32\dx3j.dll
    2006-09-22 14:24 171,792 --a------ C:\WINNT\system32\wjview.exe
    2006-09-22 14:24 171,280 --a------ C:\WINNT\system32\jit.dll
    2006-09-22 14:24 139,536 --a------ C:\WINNT\system32\javaee.dll
    2006-09-22 14:24 113 --a------ C:\WINNT\system32\zonedon.reg
    2006-09-22 14:24 113 --a------ C:\WINNT\system32\zonedoff.reg
    2006-09-22 14:23 947,472 --a------ C:\WINNT\system32\msjava.dll
    2006-09-22 14:23 63,248 --a------ C:\WINNT\system32\javaprxy.dll
    2006-09-22 14:23 49,424 --a------ C:\WINNT\system32\clspack.exe
    2006-09-22 14:23 404,752 --a------ C:\WINNT\system32\javart.dll
    2006-09-22 14:23 286,992 --a------ C:\WINNT\system32\vmhelper.dll
    2006-09-22 14:23 21,264 --a------ C:\WINNT\system32\msjdbc10.dll
    2006-09-22 14:23 187,152 --a------ C:\WINNT\system32\javacypt.dll
    2006-09-22 14:23 172,304 --a------ C:\WINNT\system32\jview.exe
    2006-09-22 14:23 154,384 --a------ C:\WINNT\system32\msawt.dll
    2006-09-22 14:23 15,120 --a------ C:\WINNT\system32\jdbgmgr.exe

    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2006-10-03 21:30 -------- d-a------ C:\Program Files\Furnish Lite
    2006-10-03 10:38 -------- d-------- C:\Program Files\CCleaner
    2006-09-29 09:10 -------- d-a------ C:\Program Files\Common Files
    2006-09-27 11:56 16524 --a------ C:\Program Files\Furnish Lite uninstal.log
    2006-09-27 08:48 778656 --a------ C:\WINNT\system32\drivers\avg7core.sys
    2006-09-26 18:42 -------- d-------- C:\Program Files\MSN Messenger
    2006-09-26 18:42 -------- d-------- C:\Program Files\Messenger
    2006-09-26 10:49 -------- d-------- C:\Program Files\WinZip
    2006-09-26 10:20 -------- d-------- C:\Program Files\Kaspersky Lab
    2006-09-26 10:10 -------- d-------- C:\Program Files\IncrediMail
    2006-09-25 16:57 -------- d-------- C:\Program Files\SpywareBlaster
    2006-09-25 16:52 -------- d-a------ C:\Program Files\Spyware Doctor
    2006-09-25 16:47 -------- d-------- C:\Program Files\Hitman Pro
    2006-09-25 16:35 -------- d-------- C:\Program Files\Anti-Virus-Pro
    2006-09-12 13:48 1713536 --a------ C:\WINNT\system32\NTKRNLPA.EXE
    2006-09-12 13:48 1690880 --a------ C:\WINNT\system32\NTOSKRNL.EXE
    2006-08-22 12:48 136912 --------- C:\WINNT\system32\drivers\fltmgr.sys
    2006-08-08 17:50 27904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
    2006-08-08 17:50 26912 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
    2006-07-25 07:08 840976 --a------ C:\WINNT\system32\mmcndmgr.dll
    2006-07-21 17:08 72704 --a------ C:\WINNT\system32\hlink.dll
    2006-07-06 13:45 96528 --a------ C:\WINNT\system32\dnsrslvr.dll
    2006-07-06 11:52 613648 --a------ C:\WINNT\system32\mmc.exe

    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "internat.exe"="internat.exe"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe /logon"
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
    "Easy-PrintToolBox"="C:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
    "kav"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000003
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="C:\\WINNT\\warnhp.html"
    "SubscribedURL"=""
    "FriendlyName"="Desktop Uninstall"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,20,03,00,00,3c,02,00,00,00,\
    00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:02,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,02,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
    00,00,01,00,00,00
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,00,00,ea,\
    03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:01,00,00,00
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
    00,00,01,00,00,00
    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "internat.exe"="internat.exe"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
    "Spyware Doctor"=""
    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
    "^SetupICWDesktop"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000095
    "CDRAutoRun"=dword:00000000
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
    "wininet.dll"="dfrgsrv.exe"
    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000095
    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

    Completion time: Thu 2006-10-05 12:53:18.18
    ComboFix.txt
    ComboFix2.txt

    Note
    You will notice that AVG and Kaspersky are both running again. I am removing Kaspersky now.

    Greetings and thanks,

    Kaspar H
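
The "Reg Loading Points" section above is where a helper looks first: a Run value that points at a bare file name, an executable in the drive root or a user profile, a `policies\explorer\run` entry (which most startup viewers of that era did not display), or an Active Desktop component whose Source is a local HTML file rather than a URL. The script below is an added example, not part of the thread and not ComboFix's own logic: it parses a dump in the same .reg-like format, applies those heuristics and ranks the hits. The sample dump is a constructed subset of the log above plus one invented `updater` entry to exercise the profile-folder rule; the trusted-folder list and severities are the author's assumptions, and every hit still needs a human look (on Windows 2000, `internat.exe` and `mobsync.exe` are legitimate bare-name entries).

```python
"""Rank autostart entries from a ComboFix-style "Reg Loading Points" dump.

Added example (not from the forum post, not ComboFix code). The rules below
are the author's own heuristics; SAMPLE_DUMP is constructed from the log
above plus one invented "updater" entry.
"""
import re
from dataclasses import dataclass, field

SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"kav"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""
"updater"="C:\\Documents and Settings\\Administrator\\updater_example.exe"
@=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINNT\\warnhp.html"
"FriendlyName"="Desktop Uninstall"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"wininet.dll"="dfrgsrv.exe"
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"=""
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')      # string values only; dword/hex are not launch points
DRIVE_RE = re.compile(r"^[a-z]:\\")
# Assumption: folders where an autostart image is unremarkable on this Windows 2000 box.
TRUSTED_DIRS = ("c:\\winnt\\system32\\", "c:\\winnt\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Finding:
    key: str
    name: str
    image: str
    reasons: list = field(default_factory=list)
    severity: str = "medium"


def unescape(s: str) -> str:
    """Undo .reg escaping (\\\\ -> \\, \\" -> ") in one left-to-right pass."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def image_of(command: str) -> str:
    """The launched file: a quoted path, or the text before the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def path_reasons(image: str) -> list:
    low = image.lower()
    if not DRIVE_RE.match(low):
        return ["bare file name: resolved through the search path, easy to hijack"]
    folder = low.rsplit("\\", 1)[0] + "\\"
    if folder == "c:\\":
        return ["executable sits in the drive root"]
    if "\\documents and settings\\" in low or "\\temp\\" in low:
        return ["executable sits in a user profile or temp folder"]
    if not low.startswith(TRUSTED_DIRS):
        return ["executable outside the usual system and program folders"]
    return []


def triage(dump: str) -> list:
    findings, key = [], ""
    for raw in dump.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), unescape(m.group(2))
        klow = key.lower()
        if "\\desktop\\components\\" in klow:
            if name.lower() == "source" and DRIVE_RE.match(data.lower()):
                findings.append(Finding(key, name, data,
                                        ["Active Desktop component loads a local file instead of a URL"], "high"))
            continue
        if not (klow.endswith("\\run") or klow.endswith("\\runonce")):
            continue
        image = image_of(data)
        if not image:
            continue                                  # empty value, nothing is launched
        reasons = path_reasons(image)
        severity = "high" if reasons and "bare" not in reasons[0] else "medium"
        if "\\policies\\explorer\\run" in klow:
            reasons.append("policy Run key: rarely used by legitimate software, skipped by many startup viewers")
            severity = "high"
        if name.lower().endswith(".dll") and image.lower().endswith(".exe"):
            reasons.append("value named like a system DLL but it launches an executable")
            severity = "high"
        if reasons:
            findings.append(Finding(key, name, image, reasons, severity))
    findings.sort(key=lambda f: (f.severity != "high", f.name.lower()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DUMP):
        print(f"[{f.severity}] {f.key}\n  {f.name} -> {f.image}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample it reports the `warnhp.html` desktop component, the invented profile-folder entry and the `wininet.dll` policy value as high, and the bare `mobsync.exe` as medium for a human to confirm; the AVG and Kaspersky entries produce nothing.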

  #9
    jurgenv (Honorary member, West-Vlaanderen, registered 10 May 2005)
    MSN itself is infected with a worm, so we will have to uninstall MSN while cleaning, otherwise it will simply put the infection back. So, first step:
    Uninstall MSN! If you don't do this we can't go any further...

    Then restart your PC and do the following:

    * Download Killbox.
    Click killbox.exe.
    Choose the option: "Delete on reboot".

    Copy the following bold part:

    C:\WINNT\unvise32.exe
    C:\WINNT\system32\sprK.exe
    C:\WINNT\system32\mny.exe
    C:\WINNT\system32\alfa.exe


    Open 'File' in the Killbox menu at the top and choose: Paste from clipboard

    You will see that the bold text above now appears in the "Full Path of File to Delete" field.
    There is a small arrow next to that field. If you click it you will see all the lines above that you copied (if the files are present), which is the intention.

    Click the button: All files (!Important!)

    Then click the red circle with the white cross in it.
    Killbox will say that this file will be deleted on reboot and will ask whether to reboot now. Click YES.

    Your PC should now reboot.

    * Download and install AVG Anti-Spyware.
    After the installation, open AVG Anti-Spyware:
      * under "Status", click Change state next to "Resident shield" (change from active to inactive!)
      * under "Update", click the Start update button
      * under "Scanner", tab "Settings":
        * under "How to act?", click "Recommended actions" and select Quarantine (VERY IMPORTANT!)
        * under "Reports", select Automatically generate report after every scan and remove the check mark at Only if threats were found

      Close AVG Anti-Spyware. Do not let it scan yet.


    * If you have not installed Adaware SE yet, download, install and update it following the guidelines
    you can find at: http://users.pandora.be/marcvn/spyware/1414188.htm

    * Start your computer in SAFE MODE

    * Run a full scan with Adaware and remove everything it finds.

    * Start AVG Anti-Spyware.
      * Click Scan and choose Complete System Scan.
      After the scan, follow the instructions below:
      IMPORTANT: Do not click the "Save Scan Report" button before you have clicked the "Apply all Actions" button!
      * Make sure that Set all elements to: is set to Quarantine (1);
      if not, click the link and choose Quarantine in the popup menu. (2)
      (This does not apply to cookies, which are always deleted!)
      * At the bottom of the window click the Apply all Actions button. (3)

      * When you get the message 'All actions have been applied', click the Save Report button at the bottom.


    * Restart your computer in normal mode.

    * Download ATF Cleaner (by Atribune)

    Double-click ATF Cleaner to start the program.
    On the "Main" tab, put a check mark at Select All.
    Click the Empty Selected button.

    If you also use Firefox as a browser:
    Click the "Firefox" tab and put a check mark at Select All.
    If you want to keep the passwords saved by Firefox, click "No" in the window that appears.
    (this removes the check mark at "Firefox saved passwords")
    Click the Empty Selected button.

    If you also use Opera as a browser:
    Click the "Opera" tab and put a check mark at Select All.
    If you want to keep the passwords saved by Opera, click "No" in the window that appears.
    Click the Empty Selected button.
    Go to the "Main" tab and click the Exit button to close the program.


    * Then post a new HijackThis log here together with the ewido report.

    Member of ASAP
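
The reason the post reaches for "Delete on reboot" rather than plain deletion is that the listed files are held open by the running infection. The usual implementation of that option (and, as far as the author knows, Killbox's) is MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT), which does not touch the file at all: it appends a pair of strings to the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and Session Manager applies the queue early in the next boot, before the malware is running. The script below is an added example, not part of the post and not Killbox code: it builds and parses that value offline so a responder can audit or reproduce the queue. It assumes the documented layout (NT paths with a `\??\` prefix in source/target pairs, an empty target meaning delete, a leading `!` on the target for MOVEFILE_REPLACE_EXISTING) and never touches a live registry.

```python
"""Encode and decode PendingFileRenameOperations, the value behind "delete on reboot".

Added example (not from the forum post, not Killbox code). Assumptions: the
REG_MULTI_SZ holds (source, target) pairs of NT paths, "" as target means
delete, and a leading "!" on the target means MOVEFILE_REPLACE_EXISTING.
"""
from dataclasses import dataclass

NT_PREFIX = "\\??\\"


@dataclass(frozen=True)
class PendingOp:
    source: str
    target: str = ""              # "" means: delete the source at boot
    replace_existing: bool = False


def to_nt(path: str) -> str:
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def from_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode_pending_ops(ops) -> bytes:
    """REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, then one extra NUL."""
    strings = []
    for op in ops:
        strings.append(to_nt(op.source))
        if op.target:
            strings.append(("!" if op.replace_existing else "") + to_nt(op.target))
        else:
            strings.append("")      # empty target: appears as two consecutive NULs
    return "".join(s + "\0" for s in strings).encode("utf-16-le") + "\0".encode("utf-16-le")


def decode_pending_ops(data: bytes) -> list:
    """Parse the raw value back into PendingOp pairs; rejects a truncated value."""
    text = data.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]            # list terminator
    parts = text.split("\0")
    if parts and parts[-1] == "":
        parts.pop()                 # terminator of the last string
    if len(parts) % 2:
        raise ValueError("odd number of strings: value is corrupt or truncated")
    ops = []
    for src, dst in zip(parts[::2], parts[1::2]):
        replace = dst.startswith("!")
        ops.append(PendingOp(from_nt(src), from_nt(dst[1:] if replace else dst), replace))
    return ops


def describe(ops) -> list:
    """One line per queued operation, the way a responder would list them."""
    lines = []
    for op in ops:
        if op.target:
            suffix = " (replace existing)" if op.replace_existing else ""
            lines.append(f"RENAME {op.source} -> {op.target}{suffix}")
        else:
            lines.append(f"DELETE {op.source}")
    return lines


# The four files from the post above, queued as "Delete on reboot" would queue them.
KILLBOX_QUEUE = [
    PendingOp(r"C:\WINNT\unvise32.exe"),
    PendingOp(r"C:\WINNT\system32\sprK.exe"),
    PendingOp(r"C:\WINNT\system32\mny.exe"),
    PendingOp(r"C:\WINNT\system32\alfa.exe"),
]

if __name__ == "__main__":
    blob = encode_pending_ops(KILLBOX_QUEUE)
    print(f"{len(blob)} bytes of REG_MULTI_SZ")
    for line in describe(decode_pending_ops(blob)):
        print(line)
```

On a live machine the value can be read with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations`; feed the exported bytes to `decode_pending_ops` to see what is queued. Worth checking during any cleanup, because the same queue works for malware as well as for Killbox: an entry that replaces a system DLL or removes the cleaning tool at the next boot looks exactly like the ones above.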

    The following user thanked jurgenv for this useful post: kasparh (10 October 2006)

  #10
    kasparh (Advanced, aalter, oost-vlaanderen, registered 11 May 2005)

    Hi Jürgen,

    After a month away I followed all of your instructions.
    Here is the HT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 11:29, on 06-11-13
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Trust\Trust 730S LCD PowerC@M ZOOM\ICON.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\wim analyse\Hijack This\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Telenet Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be:8080
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Trust 730S LCD PowerC@M ZOOM Monitor.lnk = C:\Program Files\Trust\Trust 730S LCD PowerC@M ZOOM\ICON.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://korneelbeirnaert.spaces.live....d/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136842866926
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents...r/imloader.cab
    O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

    You also asked for the ewido report.
    I assume you meant the AVG-AS log.
    Here it is:

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------
    + Created at: 11:19 06-11-13
    + Scan result:

    HKLM\SOFTWARE\WinAntiVirus Pro 2006 -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
    C:\WINNT\system32\hp3560.tmp -> Downloader.Zlob.ly : Cleaned with backup (quarantined).
    C:\WINNT\Downloaded Program Files\UWA6P_0001_N73M0604NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.f : Cleaned with backup (quarantined).
    C:\WINNT\system32\srona.exe/crazlow.exe -> Proxy.Ranky.ei : Cleaned with backup (quarantined).
    C:\Documents and Settings\Administrator\Cookies\korneel@incredimailltd.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\korneel@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\korneel@com[1].txt -> TrackingCookie.Com : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\korneel@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\korneel@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\korneel@yadro[2].txt -> TrackingCookie.Yadro : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\korneel@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\WINNT\system32\1024 -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld285D.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld4284.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld5C42.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldE0E.tmp -> Trojan.Small : Cleaned with backup (quarantined).

    ::Report end


    Thanks in advance for taking another look at this!

    Regards,

    Kaspar H
    Gutta cavat lapidem, non vi sed saepe cadendo.
