
[HijackLog] Spyware: loadingwebsite, betterinternet

  • 106 views since 30-01-2008

  • Risce
  • Registration: November 2004
  • Last online: 27-10 15:14
I've had a nasty spyware problem for a while now. I scan my PC with Ad-Aware almost every session, I've tried KillBox, and HijackThis finally works again (for unclear reasons it kept crashing at first). This is my log:

Logfile of HijackThis v1.99.0
Scan saved at 17:25:28, on 8-2-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.XXXXXX.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\XXXXX\Application Data\Mozilla\Profiles\default\vqxtlq0d.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\XXXXX\Application Data\Mozilla\Profiles\default\vqxtlq0d.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "D:\apps\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.m...eb_site.cab?1105646922078
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/...com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/...sengerSetupDownloader.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

Incidentally, since yesterday I've switched to Firefox, but apparently IE can't be got rid of either, and the popups cheerfully carry on in IE while I'm gaming or browsing in Firefox.

[ 4% changed by Risce on 08-02-2005 17:27 ]

Theory: Yes. Practice... uh. No.


  • pasta
  • Registration: September 2002
  • Last online: 12-01 14:16



I see a few suspicious entries in your log,
code:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
These can go in any case. :)
code:
O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe
I can't find anything clear about this on Google; would you run this file through Jotti's online malware scan? :)
code:
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
These can go as well. By the way, I'm missing the running processes in your log; could you post those too? Thanks in advance. :)

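As an added example (not code from this thread or from HijackThis), here is a small Python triage script for logs in the format pasted above: it flags the O1 hosts redirects and O15 Trusted Zone entries that pasta calls out, plus the missing URLSearchHook and duplicated lines, and goes one step beyond the post by diffing two scans so that entries which reappear after a fix stand out. The sample logs are constructed, abbreviated copies of the ones in this thread; the finding-category names are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed samples: abbreviated copies of the 17:25 log and the 18:37 re-scan
# posted in this thread. The O3 Google toolbar line is a benign control entry.
LOG_BEFORE = """\
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\\program files\\google\\googletoolbar2.dll
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
"""

LOG_AFTER = """\
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\\program files\\google\\googletoolbar2.dll
O15 - Trusted IP range: 67.19.185.246
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+)$")

# Names the browsers resolve for built-in address-bar search. Pointing them at
# one foreign IP in the hosts file sends every failed lookup to the hijacker's
# server; these three are the ones that appear in the thread.
SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}


def parse_log(text):
    """Return (section, body) tuples for every 'Rx - ...' / 'Oxx - ...' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Map finding category -> list of offending entry bodies (or IPs)."""
    findings = defaultdict(list)
    hosts_by_ip = defaultdict(set)
    entries = parse_log(text)
    for section, body in entries:
        if section == "O1":
            m = HOSTS_RE.match(body)
            if m:
                hosts_by_ip[m.group("ip")].add(m.group("host"))
                if m.group("host") in SEARCH_HOSTS:
                    findings["hosts_search_redirect"].append(body)
        elif section == "O15":
            # Trusted Zone sites and IP ranges get relaxed IE security settings;
            # a home PC normally has none, so every one deserves a look.
            findings["trusted_zone_addition"].append(body)
        elif section == "R3" and "URLSearchHook is missing" in body:
            findings["urlsearchhook_missing"].append(body)
    # One IP answering for several search hosts is the redirect signature.
    for ip, hosts in hosts_by_ip.items():
        if len(hosts) > 1:
            findings["hosts_ip_multi_redirect"].append(ip)
    # The same line twice (the doubled ieautosearch entry in the 18:37 scan)
    # means the mapping was written again after it had been fixed.
    for entry, count in Counter(entries).items():
        if count > 1:
            findings["duplicate_entry"].append(entry[1])
    return dict(findings)


def flagged_entries(text):
    """Set of (section, body) pairs that triage() considers suspicious."""
    bodies = set()
    for category, items in triage(text).items():
        if category != "hosts_ip_multi_redirect":
            bodies.update(items)
    return {e for e in parse_log(text) if e[1] in bodies}


def diff_scans(before, after):
    """Return sorted (removed, added, persisted) lists of flagged entries.
    'persisted' is what the helpers keep asking about: entries fixed with
    HijackThis that are back in the next scan, which points at a loader that
    re-creates them rather than at a missed checkbox."""
    b, a = flagged_entries(before), flagged_entries(after)
    return sorted(b - a), sorted(a - b), sorted(a & b)


if __name__ == "__main__":
    for name, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(name, triage(log))
    print("removed/added/persisted:", diff_scans(LOG_BEFORE, LOG_AFTER))
```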


  • Risce
  • Registration: November 2004
  • Last online: 27-10 15:14
Thanks for the quick reply.

RaConfig is my program for the WLAN card (which I don't always use, by the way). It's not malware. So I've taught you something too.. :o

I'll remove those things now and come back shortly with a new log.

StartupList report, 8-2-2005, 17:48:13
StartupList version: 1.52.2
Started from : D:\Apps\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\RaConfig.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\explorer.exe
D:\Apps\Winamp\winamp.exe
D:\Apps\Firefox\firefox.exe
C:\WINDOWS\System32\taskmgr.exe
D:\Apps\HijackThis.exe

Is that enough?

[ 72% changed by Risce on 08-02-2005 17:49 ]



Deleted (account removed)

I don't know the solution offhand.
But if you type that IP address into Google, you get 10,800 hits.
I think there'll be something in there for you.

  • pasta
  • Registration: September 2002
  • Last online: 12-01 14:16



Risce, could you post your complete log again once you've fixed the entries I just mentioned? You could also scan with another virus scanner, such as Kaspersky (with extended bases enabled). :)



  • Risce
  • Registration: November 2004
  • Last online: 27-10 15:14
I just got back to the computer and 3 icons (free online music, online dating, holiday travel) have been planted on my desktop. :|

Logfile of HijackThis v1.99.0
Scan saved at 18:37:39, on 8-2-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dnbforum.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\StijnStijn\Application Data\Mozilla\Profiles\default\vqxtlq0d.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\StijnStijn\Application Data\Mozilla\Profiles\default\vqxtlq0d.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "D:\apps\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.m...eb_site.cab?1105646922078
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/...com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/...sengerSetupDownloader.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

--------------

StartupList report, 8-2-2005, 18:38:37
StartupList version: 1.52.2
Started from : D:\Apps\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\RaConfig.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\explorer.exe
D:\Apps\Firefox\firefox.exe
D:\Apps\HijackThis.exe
C:\WINDOWS\notepad.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

GhostStartTrayApp = C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
QuickTime Task = "D:\apps\Quicktime\qttask.exe" -atboottime
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

AAW =

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmarque.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

Norton SystemWorks One Button Checkup.job
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[CryptoRSA Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CRYPTO~1.OCX
CODEBASE = https://www.p3.postbank.nl/sesam/CAX.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://v5.windowsupdate.m...eb_site.cab?1105646922078

[GSDACtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gsda.dll
CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab

[HouseCall Besturing]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/...com/housecall/xscan53.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/...sengerSetupDownloader.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macrome...ve/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: ||

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5.613 bytes
Report generated in 0,031 seconds



  • Pendaco
  • Registration: August 2003
  • Last online: 16:56


Vogon Poetry FTW!

Also try Spybot S&D or SpySweeper first. Or else the bundled software in HitmanPro.

Then boot into Safe Mode and remove the remaining leftovers with HijackThis!
(It's important that you keep Internet Explorer, or any other browser, closed in the meantime.)

code:
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)


also junk
code:
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

For that, also check this site and this one.
Otherwise search your PC for gsda.dll and scan it with the Jotti virus scan site that pasta mentioned.

and also run Windows Update

[ 28% changed by Pendaco on 08-02-2005 21:09 ]


  • Risce
  • Registration: November 2004
  • Last online: 27-10 15:14
When I search for gsda.dll it finds nothing. The rest I've deleted again via HijackThis.

A new log:

Logfile of HijackThis v1.99.0
Scan saved at 22:30:39, on 8-2-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.XXXX.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\XXXX\Application Data\Mozilla\Profiles\default\vqxtlq0d.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\XXXX\Application Data\Mozilla\Profiles\default\vqxtlq0d.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "D:\apps\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.m...eb_site.cab?1105646922078
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/...com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/...sengerSetupDownloader.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\RaConfig.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Apps\Firefox\firefox.exe
D:\Apps\HijackThis.exe

Loadingwebsite and mediabuy and that kind of shit still just keeps coming back. |:(

[ 99% changed by Risce on 08-02-2005 23:05 ]



  • Risce
  • Registration: November 2004
  • Last online: 27-10 15:14
I've now thrown a very heavy-handed program at it: l2mfix. I don't know yet whether it helps. It seems to have helped. An hour of gaming, no popups. Location:
http://www.atribune.org/downloads/l2mfix.exe
Be careful though, it's rather blunt-instrument work.
This is the fixlog:

L2Mfix 1.02a

Running From:
C:\DOCUME~1\XXXX~1\BUREAU~1\l2mfix


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read INGEBOUWD\Gebruikers
(ID-IO) ALLOW Read INGEBOUWD\Gebruikers
(ID-NI) ALLOW Read INGEBOUWD\Hoofdgebruikers
(ID-IO) ALLOW Read INGEBOUWD\Hoofdgebruikers
(ID-NI) ALLOW Full access INGEBOUWD\Administrators
(ID-IO) ALLOW Full access INGEBOUWD\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access MAKER EIGENAAR


Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Iedereen
(ID-NI) ALLOW Read INGEBOUWD\Gebruikers
(ID-IO) ALLOW Read INGEBOUWD\Gebruikers
(ID-NI) ALLOW Read INGEBOUWD\Hoofdgebruikers
(ID-IO) ALLOW Read INGEBOUWD\Hoofdgebruikers
(ID-NI) ALLOW Full access INGEBOUWD\Administrators
(ID-IO) ALLOW Full access INGEBOUWD\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access MAKER EIGENAAR


Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\XXX\Bureaublad\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\XXXX\Bureaublad\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1028 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1264 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\dzsenh.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\pdcn20.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\jtls0737e.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\uwiplat.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\itpeers.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\aersvc.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\kqdfr.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\wkpasf.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\snrio800.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\dzmasf.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\vsscript.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\ipign32.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\mhr.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\adwav.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\pzdgen.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\mal_mtf.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\iodkcs32.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\wfv8dmod.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\kuduk.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\dgvoice.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\fkusd.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\slxcoins.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\eb.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\hr2405fqe.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\o4nsle571h.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\hWl.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\tHpiperf.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\kt86l7ls1.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\fp4603hse.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\f82m0if1e82.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\n82ulif9182.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\e0202afmgd2a2.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\gp00l3dm1.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\mv26l9fs1.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\e6020gdoe60c0.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\hrjo0513e.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\h8l2li3o18.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\h0n00a5med.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\gp6ol3j31.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\lv0409dqe.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\gp68l3ju1.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\jrl0253mg.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\aza02afmgd2a2.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\gpj6l31s1.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\damsrpcn.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\nrevtmsg.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\hkicons.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\suredir.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\mdglibnt.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\mvsystem.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\dwrgres.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\ajtodisc.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\ugnpui.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\fEultrep.dll
1 bestand(en) gekopieerd.
Backing Up: C:\WINDOWS\system32\hr0205doe.dll
1 bestand(en) gekopieerd.
deleting: C:\WINDOWS\system32\dzsenh.dll
Successfully Deleted: C:\WINDOWS\system32\dzsenh.dll
deleting: C:\WINDOWS\system32\pdcn20.dll
Successfully Deleted: C:\WINDOWS\system32\pdcn20.dll
deleting: C:\WINDOWS\system32\jtls0737e.dll
Successfully Deleted: C:\WINDOWS\system32\jtls0737e.dll
deleting: C:\WINDOWS\system32\uwiplat.dll
Successfully Deleted: C:\WINDOWS\system32\uwiplat.dll
deleting: C:\WINDOWS\system32\itpeers.dll
Successfully Deleted: C:\WINDOWS\system32\itpeers.dll
deleting: C:\WINDOWS\system32\aersvc.dll
Successfully Deleted: C:\WINDOWS\system32\aersvc.dll
deleting: C:\WINDOWS\system32\kqdfr.dll
Successfully Deleted: C:\WINDOWS\system32\kqdfr.dll
deleting: C:\WINDOWS\system32\wkpasf.dll
Successfully Deleted: C:\WINDOWS\system32\wkpasf.dll
deleting: C:\WINDOWS\system32\snrio800.dll
Successfully Deleted: C:\WINDOWS\system32\snrio800.dll
deleting: C:\WINDOWS\system32\dzmasf.dll
Successfully Deleted: C:\WINDOWS\system32\dzmasf.dll
deleting: C:\WINDOWS\system32\vsscript.dll
Successfully Deleted: C:\WINDOWS\system32\vsscript.dll
deleting: C:\WINDOWS\system32\ipign32.dll
Successfully Deleted: C:\WINDOWS\system32\ipign32.dll
deleting: C:\WINDOWS\system32\mhr.dll
Successfully Deleted: C:\WINDOWS\system32\mhr.dll
deleting: C:\WINDOWS\system32\adwav.dll
Successfully Deleted: C:\WINDOWS\system32\adwav.dll
deleting: C:\WINDOWS\system32\pzdgen.dll
Successfully Deleted: C:\WINDOWS\system32\pzdgen.dll
deleting: C:\WINDOWS\system32\mal_mtf.dll
Successfully Deleted: C:\WINDOWS\system32\mal_mtf.dll
deleting: C:\WINDOWS\system32\iodkcs32.dll
Successfully Deleted: C:\WINDOWS\system32\iodkcs32.dll
deleting: C:\WINDOWS\system32\wfv8dmod.dll
Successfully Deleted: C:\WINDOWS\system32\wfv8dmod.dll
deleting: C:\WINDOWS\system32\kuduk.dll
Successfully Deleted: C:\WINDOWS\system32\kuduk.dll
deleting: C:\WINDOWS\system32\dgvoice.dll
Successfully Deleted: C:\WINDOWS\system32\dgvoice.dll
deleting: C:\WINDOWS\system32\fkusd.dll
Successfully Deleted: C:\WINDOWS\system32\fkusd.dll
deleting: C:\WINDOWS\system32\slxcoins.dll
Successfully Deleted: C:\WINDOWS\system32\slxcoins.dll
deleting: C:\WINDOWS\system32\eb.dll
Successfully Deleted: C:\WINDOWS\system32\eb.dll
deleting: C:\WINDOWS\system32\hr2405fqe.dll
Successfully Deleted: C:\WINDOWS\system32\hr2405fqe.dll
deleting: C:\WINDOWS\system32\o4nsle571h.dll
Successfully Deleted: C:\WINDOWS\system32\o4nsle571h.dll
deleting: C:\WINDOWS\system32\hWl.dll
Successfully Deleted: C:\WINDOWS\system32\hWl.dll
deleting: C:\WINDOWS\system32\tHpiperf.dll
Successfully Deleted: C:\WINDOWS\system32\tHpiperf.dll
deleting: C:\WINDOWS\system32\kt86l7ls1.dll
Successfully Deleted: C:\WINDOWS\system32\kt86l7ls1.dll
deleting: C:\WINDOWS\system32\fp4603hse.dll
Successfully Deleted: C:\WINDOWS\system32\fp4603hse.dll
deleting: C:\WINDOWS\system32\f82m0if1e82.dll
Successfully Deleted: C:\WINDOWS\system32\f82m0if1e82.dll
deleting: C:\WINDOWS\system32\n82ulif9182.dll
Successfully Deleted: C:\WINDOWS\system32\n82ulif9182.dll
deleting: C:\WINDOWS\system32\e0202afmgd2a2.dll
Successfully Deleted: C:\WINDOWS\system32\e0202afmgd2a2.dll
deleting: C:\WINDOWS\system32\gp00l3dm1.dll
Successfully Deleted: C:\WINDOWS\system32\gp00l3dm1.dll
deleting: C:\WINDOWS\system32\mv26l9fs1.dll
Successfully Deleted: C:\WINDOWS\system32\mv26l9fs1.dll
deleting: C:\WINDOWS\system32\e6020gdoe60c0.dll
Successfully Deleted: C:\WINDOWS\system32\e6020gdoe60c0.dll
deleting: C:\WINDOWS\system32\hrjo0513e.dll
Successfully Deleted: C:\WINDOWS\system32\hrjo0513e.dll
deleting: C:\WINDOWS\system32\h8l2li3o18.dll
Successfully Deleted: C:\WINDOWS\system32\h8l2li3o18.dll
deleting: C:\WINDOWS\system32\h0n00a5med.dll
Successfully Deleted: C:\WINDOWS\system32\h0n00a5med.dll
deleting: C:\WINDOWS\system32\gp6ol3j31.dll
Successfully Deleted: C:\WINDOWS\system32\gp6ol3j31.dll
deleting: C:\WINDOWS\system32\lv0409dqe.dll
Successfully Deleted: C:\WINDOWS\system32\lv0409dqe.dll
deleting: C:\WINDOWS\system32\gp68l3ju1.dll
Successfully Deleted: C:\WINDOWS\system32\gp68l3ju1.dll
deleting: C:\WINDOWS\system32\jrl0253mg.dll
Successfully Deleted: C:\WINDOWS\system32\jrl0253mg.dll
deleting: C:\WINDOWS\system32\aza02afmgd2a2.dll
Successfully Deleted: C:\WINDOWS\system32\aza02afmgd2a2.dll
deleting: C:\WINDOWS\system32\gpj6l31s1.dll
Successfully Deleted: C:\WINDOWS\system32\gpj6l31s1.dll
deleting: C:\WINDOWS\system32\damsrpcn.dll
Successfully Deleted: C:\WINDOWS\system32\damsrpcn.dll
deleting: C:\WINDOWS\system32\nrevtmsg.dll
Successfully Deleted: C:\WINDOWS\system32\nrevtmsg.dll
deleting: C:\WINDOWS\system32\hkicons.dll
Successfully Deleted: C:\WINDOWS\system32\hkicons.dll
deleting: C:\WINDOWS\system32\suredir.dll
Successfully Deleted: C:\WINDOWS\system32\suredir.dll
deleting: C:\WINDOWS\system32\mdglibnt.dll
Successfully Deleted: C:\WINDOWS\system32\mdglibnt.dll
deleting: C:\WINDOWS\system32\mvsystem.dll
Successfully Deleted: C:\WINDOWS\system32\mvsystem.dll
deleting: C:\WINDOWS\system32\dwrgres.dll
Successfully Deleted: C:\WINDOWS\system32\dwrgres.dll
deleting: C:\WINDOWS\system32\ajtodisc.dll
Successfully Deleted: C:\WINDOWS\system32\ajtodisc.dll
deleting: C:\WINDOWS\system32\ugnpui.dll
Successfully Deleted: C:\WINDOWS\system32\ugnpui.dll
deleting: C:\WINDOWS\system32\fEultrep.dll
Successfully Deleted: C:\WINDOWS\system32\fEultrep.dll
deleting: C:\WINDOWS\system32\hr0205doe.dll
Successfully Deleted: C:\WINDOWS\system32\hr0205doe.dll

Desktop.ini successfully removed


Zipping up files for submission:
adding: dzsenh.dll (deflated 5%)
adding: pdcn20.dll (deflated 5%)
adding: jtls0737e.dll (deflated 5%)
adding: uwiplat.dll (deflated 4%)
adding: itpeers.dll (deflated 4%)
adding: aersvc.dll (deflated 4%)
adding: kqdfr.dll (deflated 4%)
adding: wkpasf.dll (deflated 4%)
adding: snrio800.dll (deflated 4%)
adding: dzmasf.dll (deflated 4%)
adding: vsscript.dll (deflated 4%)
adding: ipign32.dll (deflated 4%)
adding: mhr.dll (deflated 4%)
adding: adwav.dll (deflated 4%)
adding: pzdgen.dll (deflated 4%)
adding: mal_mtf.dll (deflated 4%)
adding: iodkcs32.dll (deflated 4%)
adding: wfv8dmod.dll (deflated 4%)
adding: kuduk.dll (deflated 3%)
adding: dgvoice.dll (deflated 3%)
adding: fkusd.dll (deflated 4%)
adding: slxcoins.dll (deflated 4%)
adding: eb.dll (deflated 4%)
adding: hr2405fqe.dll (deflated 4%)
adding: o4nsle571h.dll (deflated 3%)
adding: hWl.dll (deflated 5%)
adding: tHpiperf.dll (deflated 4%)
adding: kt86l7ls1.dll (deflated 5%)
adding: fp4603hse.dll (deflated 4%)
adding: f82m0if1e82.dll (deflated 4%)
adding: n82ulif9182.dll (deflated 4%)
adding: e0202afmgd2a2.dll (deflated 4%)
adding: gp00l3dm1.dll (deflated 5%)
adding: mv26l9fs1.dll (deflated 3%)
adding: e6020gdoe60c0.dll (deflated 3%)
adding: hrjo0513e.dll (deflated 5%)
adding: h8l2li3o18.dll (deflated 4%)
adding: h0n00a5med.dll (deflated 3%)
adding: gp6ol3j31.dll (deflated 4%)
adding: lv0409dqe.dll (deflated 5%)
adding: gp68l3ju1.dll (deflated 4%)
adding: jrl0253mg.dll (deflated 5%)
adding: aza02afmgd2a2.dll (deflated 4%)
adding: gpj6l31s1.dll (deflated 4%)
adding: damsrpcn.dll (deflated 5%)
adding: nrevtmsg.dll (deflated 4%)
adding: hkicons.dll (deflated 5%)
adding: suredir.dll (deflated 3%)
adding: mdglibnt.dll (deflated 4%)
adding: mvsystem.dll (deflated 3%)
adding: dwrgres.dll (deflated 3%)
adding: ajtodisc.dll (deflated 4%)
adding: ugnpui.dll (deflated 3%)
adding: fEultrep.dll (deflated 4%)
adding: hr0205doe.dll (deflated 4%)
adding: echo.reg (deflated 11%)
adding: clear.reg (deflated 69%)
adding: desktop.ini (deflated 13%)
adding: readme.txt (deflated 49%)
adding: direct.txt (deflated 4%)
adding: report.txt (deflated 71%)
adding: lo2.txt (deflated 85%)
adding: test2.txt (deflated 48%)
adding: test3.txt (deflated 48%)
adding: test5.txt (deflated 48%)
adding: test.txt (deflated 83%)
adding: xfind.txt (deflated 78%)
adding: backregs/shell.reg (deflated 73%)
adding: backregs/EEC39A22-9A63-4AE5-9751-81BAC34CE6F9.reg (deflated 69%)
adding: backregs/A257AF51-06CE-46CD-886A-87225B4130AA.reg (deflated 69%)
adding: backregs/DC3DE6C3-FEAB-4448-8907-A12534D2243D.reg (deflated 69%)
adding: backregs/D926842D-33A2-4063-962C-5D22D7DE336E.reg (deflated 69%)
adding: backregs/BC789F36-5851-4C7E-A1C4-5A0913341144.reg (deflated 69%)
adding: backregs/7AFDDEB0-9B3B-4C99-A2B7-F23D4445401B.reg (deflated 69%)
adding: backregs/ADD3A0F5-005F-41A3-8674-531D37E8D3D7.reg (deflated 69%)
adding: backregs/B3F6BA75-D56D-4F6D-ADD4-D2F21CE6D8B5.reg (deflated 69%)
adding: backregs/8683FCA6-79DC-4BBD-B204-7087B352658E.reg (deflated 69%)
adding: backregs/C6249570-56DF-4B12-8691-C94885F8DD87.reg (deflated 68%)
adding: backregs/C12E7654-6D74-4DBE-A69F-FDA024C37C0F.reg (deflated 69%)
adding: backregs/C258AB38-D347-47C4-8C46-CA4A51E8BE8A.reg (deflated 69%)
adding: backregs/2086E089-0E31-47B0-92FF-C2E786135746.reg (deflated 69%)
adding: backregs/E5CFB2F4-51F8-4CE4-BD89-F949BA654CB0.reg (deflated 69%)
adding: backregs/C470FB56-90AB-4AD7-9594-0AB42B8BF3C5.reg (deflated 69%)
adding: backregs/FD8AC606-82C3-45BD-B517-7CDDB3789916.reg (deflated 69%)
adding: backregs/835FB6C9-70AD-4612-A0EF-111B9A65D442.reg (deflated 69%)
adding: backregs/4A24B012-BC94-4BBB-A4EB-097D05172B9C.reg (deflated 70%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it at your own risk!


Revoking access for really "Everyone"


Registry permissions set to:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it at your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: dzsenh.dll
deleting local copy: pdcn20.dll
deleting local copy: jtls0737e.dll
deleting local copy: uwiplat.dll
deleting local copy: itpeers.dll
deleting local copy: aersvc.dll
deleting local copy: kqdfr.dll
deleting local copy: wkpasf.dll
deleting local copy: snrio800.dll
deleting local copy: dzmasf.dll
deleting local copy: vsscript.dll
deleting local copy: ipign32.dll
deleting local copy: mhr.dll
deleting local copy: adwav.dll
deleting local copy: pzdgen.dll
deleting local copy: mal_mtf.dll
deleting local copy: iodkcs32.dll
deleting local copy: wfv8dmod.dll
deleting local copy: kuduk.dll
deleting local copy: dgvoice.dll
deleting local copy: fkusd.dll
deleting local copy: slxcoins.dll
deleting local copy: eb.dll
deleting local copy: hr2405fqe.dll
deleting local copy: o4nsle571h.dll
deleting local copy: hWl.dll
deleting local copy: tHpiperf.dll
deleting local copy: kt86l7ls1.dll
deleting local copy: fp4603hse.dll
deleting local copy: f82m0if1e82.dll
deleting local copy: n82ulif9182.dll
deleting local copy: e0202afmgd2a2.dll
deleting local copy: gp00l3dm1.dll
deleting local copy: mv26l9fs1.dll
deleting local copy: e6020gdoe60c0.dll
deleting local copy: hrjo0513e.dll
deleting local copy: h8l2li3o18.dll
deleting local copy: h0n00a5med.dll
deleting local copy: gp6ol3j31.dll
deleting local copy: lv0409dqe.dll
deleting local copy: gp68l3ju1.dll
deleting local copy: jrl0253mg.dll
deleting local copy: aza02afmgd2a2.dll
deleting local copy: gpj6l31s1.dll
deleting local copy: damsrpcn.dll
deleting local copy: nrevtmsg.dll
deleting local copy: hkicons.dll
deleting local copy: suredir.dll
deleting local copy: mdglibnt.dll
deleting local copy: mvsystem.dll
deleting local copy: dwrgres.dll
deleting local copy: ajtodisc.dll
deleting local copy: ugnpui.dll
deleting local copy: fEultrep.dll
deleting local copy: hr0205doe.dll

The following is the current export of the Winlogon\Notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dzsenh.dll
C:\WINDOWS\system32\pdcn20.dll
C:\WINDOWS\system32\jtls0737e.dll
C:\WINDOWS\system32\uwiplat.dll
C:\WINDOWS\system32\itpeers.dll
C:\WINDOWS\system32\aersvc.dll
C:\WINDOWS\system32\kqdfr.dll
C:\WINDOWS\system32\wkpasf.dll
C:\WINDOWS\system32\snrio800.dll
C:\WINDOWS\system32\dzmasf.dll
C:\WINDOWS\system32\vsscript.dll
C:\WINDOWS\system32\ipign32.dll
C:\WINDOWS\system32\mhr.dll
C:\WINDOWS\system32\adwav.dll
C:\WINDOWS\system32\pzdgen.dll
C:\WINDOWS\system32\mal_mtf.dll
C:\WINDOWS\system32\iodkcs32.dll
C:\WINDOWS\system32\wfv8dmod.dll
C:\WINDOWS\system32\kuduk.dll
C:\WINDOWS\system32\dgvoice.dll
C:\WINDOWS\system32\fkusd.dll
C:\WINDOWS\system32\slxcoins.dll
C:\WINDOWS\system32\eb.dll
C:\WINDOWS\system32\hr2405fqe.dll
C:\WINDOWS\system32\o4nsle571h.dll
C:\WINDOWS\system32\hWl.dll
C:\WINDOWS\system32\tHpiperf.dll
C:\WINDOWS\system32\kt86l7ls1.dll
C:\WINDOWS\system32\fp4603hse.dll
C:\WINDOWS\system32\f82m0if1e82.dll
C:\WINDOWS\system32\n82ulif9182.dll
C:\WINDOWS\system32\e0202afmgd2a2.dll
C:\WINDOWS\system32\gp00l3dm1.dll
C:\WINDOWS\system32\mv26l9fs1.dll
C:\WINDOWS\system32\e6020gdoe60c0.dll
C:\WINDOWS\system32\hrjo0513e.dll
C:\WINDOWS\system32\h8l2li3o18.dll
C:\WINDOWS\system32\h0n00a5med.dll
C:\WINDOWS\system32\gp6ol3j31.dll
C:\WINDOWS\system32\lv0409dqe.dll
C:\WINDOWS\system32\gp68l3ju1.dll
C:\WINDOWS\system32\jrl0253mg.dll
C:\WINDOWS\system32\aza02afmgd2a2.dll
C:\WINDOWS\system32\gpj6l31s1.dll
C:\WINDOWS\system32\damsrpcn.dll
C:\WINDOWS\system32\nrevtmsg.dll
C:\WINDOWS\system32\hkicons.dll
C:\WINDOWS\system32\suredir.dll
C:\WINDOWS\system32\mdglibnt.dll
C:\WINDOWS\system32\mvsystem.dll
C:\WINDOWS\system32\dwrgres.dll
C:\WINDOWS\system32\ajtodisc.dll
C:\WINDOWS\system32\ugnpui.dll
C:\WINDOWS\system32\fEultrep.dll
C:\WINDOWS\system32\hr0205doe.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{EEC39A22-9A63-4AE5-9751-81BAC34CE6F9}"=-
"{A257AF51-06CE-46CD-886A-87225B4130AA}"=-
"{DC3DE6C3-FEAB-4448-8907-A12534D2243D}"=-
"{D926842D-33A2-4063-962C-5D22D7DE336E}"=-
"{BC789F36-5851-4C7E-A1C4-5A0913341144}"=-
"{7AFDDEB0-9B3B-4C99-A2B7-F23D4445401B}"=-
"{ADD3A0F5-005F-41A3-8674-531D37E8D3D7}"=-
"{B3F6BA75-D56D-4F6D-ADD4-D2F21CE6D8B5}"=-
"{8683FCA6-79DC-4BBD-B204-7087B352658E}"=-
"{C6249570-56DF-4B12-8691-C94885F8DD87}"=-
"{C12E7654-6D74-4DBE-A69F-FDA024C37C0F}"=-
"{C258AB38-D347-47C4-8C46-CA4A51E8BE8A}"=-
"{2086E089-0E31-47B0-92FF-C2E786135746}"=-
"{E5CFB2F4-51F8-4CE4-BD89-F949BA654CB0}"=-
"{C470FB56-90AB-4AD7-9594-0AB42B8BF3C5}"=-
"{FD8AC606-82C3-45BD-B517-7CDDB3789916}"=-
"{835FB6C9-70AD-4612-A0EF-111B9A65D442}"=-
"{4A24B012-BC94-4BBB-A4EB-097D05172B9C}"=-
[-HKEY_CLASSES_ROOT\CLSID\{EEC39A22-9A63-4AE5-9751-81BAC34CE6F9}]
[-HKEY_CLASSES_ROOT\CLSID\{A257AF51-06CE-46CD-886A-87225B4130AA}]
[-HKEY_CLASSES_ROOT\CLSID\{DC3DE6C3-FEAB-4448-8907-A12534D2243D}]
[-HKEY_CLASSES_ROOT\CLSID\{D926842D-33A2-4063-962C-5D22D7DE336E}]
[-HKEY_CLASSES_ROOT\CLSID\{BC789F36-5851-4C7E-A1C4-5A0913341144}]
[-HKEY_CLASSES_ROOT\CLSID\{7AFDDEB0-9B3B-4C99-A2B7-F23D4445401B}]
[-HKEY_CLASSES_ROOT\CLSID\{ADD3A0F5-005F-41A3-8674-531D37E8D3D7}]
[-HKEY_CLASSES_ROOT\CLSID\{B3F6BA75-D56D-4F6D-ADD4-D2F21CE6D8B5}]
[-HKEY_CLASSES_ROOT\CLSID\{8683FCA6-79DC-4BBD-B204-7087B352658E}]
[-HKEY_CLASSES_ROOT\CLSID\{C6249570-56DF-4B12-8691-C94885F8DD87}]
[-HKEY_CLASSES_ROOT\CLSID\{C12E7654-6D74-4DBE-A69F-FDA024C37C0F}]
[-HKEY_CLASSES_ROOT\CLSID\{C258AB38-D347-47C4-8C46-CA4A51E8BE8A}]
[-HKEY_CLASSES_ROOT\CLSID\{2086E089-0E31-47B0-92FF-C2E786135746}]
[-HKEY_CLASSES_ROOT\CLSID\{E5CFB2F4-51F8-4CE4-BD89-F949BA654CB0}]
[-HKEY_CLASSES_ROOT\CLSID\{C470FB56-90AB-4AD7-9594-0AB42B8BF3C5}]
[-HKEY_CLASSES_ROOT\CLSID\{FD8AC606-82C3-45BD-B517-7CDDB3789916}]
[-HKEY_CLASSES_ROOT\CLSID\{835FB6C9-70AD-4612-A0EF-111B9A65D442}]
[-HKEY_CLASSES_ROOT\CLSID\{4A24B012-BC94-4BBB-A4EB-097D05172B9C}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6F399CEB-056B-46EC-B749-8ACE61A3A73E}"=-
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{6F399CEB-056B-46EC-B749-8ACE61A3A73E}</IDone>
<IDtwo>AD</IDtwo>
<VERSION>200</VERSION>
****************************************************************************

[ Edited 10% by Risce on 09-02-2005 00:56 ]

Theory: Yes. Practice... uh. No.
