
[spyware] Start page changed to smart-security.info*


Deleted

Topic starter
Hello everyone, since this morning I've had a problem with my computer. There is now spyware on it that got there automatically. When I start IE now, I get C:\WINDOWS\secure.html as the start page, where I see a link to www.smart-security.info. My desktop background has also suddenly changed into a pop-up-like thing. I have already scanned with Ad-Aware, Avast, HouseCall and CWShredder but still have the problem. I have also fixed files with HijackThis and rebooted, but nothing helps.

This is the HijackThis log:

code:
Logfile of HijackThis v1.97.7
Scan saved at 13:56:17, on 16-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\S3hotkey.exe
C:\WINDOWS\System32\S3tray2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\Frans\Application Data\atuw.exe
C:\Program Files\Wireless\Client Manager\CmAGS.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\ASCOMP Software\BackUp Maker\bkmaker.exe
C:\Documents and Settings\Frans\Bureaublad\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Wopr] C:\Documents and Settings\Frans\Application Data\atuw.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless Client Manager.lnk = C:\Program Files\Wireless\Client Manager\CmAGS.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: BackUp Maker.lnk = C:\Program Files\ASCOMP Software\BackUp Maker\bkmaker.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.higherlevel.nl/
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://toyocam.artecom.be/bin/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {ADC3EA10-8A28-41A9-96B4-534ADFC3CA0A} (Configuratore Auto Control) - http://cv.fiat.com/autopricer/ocx/configuratoreauto.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36501C2B-8806-46B9-9C29-D42C3A0A265E}: NameServer = 194.134.5.55,217.148.180.42


I've tried to remove the secure files, but they keep coming back. Anyone have an idea how I can get rid of this??
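The replies in this thread triage the log by hand: start-page entries (R0/R1) that point at a local file instead of a URL, and autostart entries (O4) whose executable is either a name the responders recognise as malware or lives somewhere an installer would not normally put it. The following script is an added example, not part of the thread or of HijackThis, that automates exactly that reading of a HijackThis log. The list of known-bad executable names is taken from what the responders flag in this thread (atuw.exe, mstasks2.exe, p_981116.exe, GMT.exe, com.exe); the "user profile" heuristic is an assumption of this example, and the sample log is a handful of lines copied from the first log above.

```python
import re

# Executables that the thread's respondents identified as malicious or unwanted.
# This is the only "known bad" knowledge the example has; everything else is heuristic.
KNOWN_BAD_BASENAMES = {"atuw.exe", "mstasks2.exe", "p_981116.exe", "gmt.exe", "com.exe"}

# Assumption of this example: an autostart executable inside a user's roaming
# profile ("Application Data") is unusual for properly installed software on XP.
USER_PROFILE_RE = re.compile(r"\\documents and settings\\[^\\]+\\application data\\", re.I)

# HijackThis lines start with a section code such as R0, R1, O2, O4, O16 followed by " - ".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


def extract_target(command):
    """Return the executable path from an O4 command string.

    Handles quoted paths ("C:\\Program Files\\x.exe" /flag) and unquoted paths
    containing spaces (C:\\Program Files\\x.exe /flag) by cutting at the first
    '.exe'. Returns None when no executable can be identified.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else None
    m = re.search(r"\.exe\b", command, re.I)
    return command[: m.end()] if m else None


def basename(path):
    """Last path component, lower-cased, accepting both \\ and / separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def triage_line(line):
    """Return (section, reason, detail) for a suspicious line, or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()

    if section in ("R0", "R1"):
        # R0/R1 entries look like: HKCU\...\Main,Start Page = <value>
        _, _, value = body.partition(" = ")
        value = value.strip()
        if value and not re.match(r"^(https?://|about:)", value, re.I):
            return (section, "browser start/default page points at a local file", value)

    elif section == "O4":
        # Registry Run entries: HKLM\..\Run: [Name] <command>
        # Startup-folder entries: Global Startup: Name.lnk = <command>
        if "\\Run: [" in body and "] " in body:
            command = body.split("] ", 1)[1]
        elif body.startswith("Global Startup:"):
            command = body.partition(" = ")[2]
        else:
            return None
        target = extract_target(command)
        if target is None:
            return None
        if basename(target) in KNOWN_BAD_BASENAMES:
            return (section, "known-bad autostart executable", target)
        if USER_PROFILE_RE.search(target):
            return (section, "autostart executable inside user profile", target)

    return None


def triage_log(text):
    """Run triage_line over every line of a log and collect the findings."""
    return [f for f in (triage_line(line) for line in text.splitlines()) if f]


# Sample input: lines copied from the first HijackThis log in the thread (abbreviated).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Wopr] C:\Documents and Settings\Frans\Application Data\atuw.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.higherlevel.nl/
""".strip()

if __name__ == "__main__":
    for section, reason, detail in triage_log(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```

Run against the sample, the script reports the two hijacked start-page values and the four autostart entries wildhagen points out, while leaving Apoint, MSN Messenger and BlackICE alone. The known-bad list is deliberately tiny and only reflects this thread; a name match is a pointer for what to upload to a scanner such as the Jotti service mentioned below, not a verdict.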

  • wildhagen
  • Registered: June 1999
  • Not online

wildhagen

Blablabla

code:
O4 - HKCU\..\Run: [Wopr] C:\Documents and Settings\Frans\Application Data\atuw.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u


Run those two through the Jotti scan: http://virusscan.jotti.dhs.org/

This entry can go:

code:
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A


This is spyware, it can go too:

code:
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

[ Edited 16% by wildhagen on 16-06-2004 14:11 ]

Viruses? Scan them here!


  • elevator
  • Registered: December 2001
  • Not online

elevator

Official moto fan :)

A small title edit: 'spyware' by itself doesn't say much, of course :)
Also, always mention which ones you had already removed and which ones came back automatically :)

Deleted

Topic starter
I have tried to remove the files, but they come back every time. I have now found a txt file that changes how Internet Explorer starts:

code:
<html>
<head>
<title>Warning</title>
<SCRIPT language="JavaScript">
self.moveTo(0,0);
self.resizeTo(screen.availWidth,screen.availHeight);
var exit=true;
function cp() {
if (exit) {
rnd = Math.round(Math.random()*1);
if(rnd == 0) window.open('http://school-fuck.com/',"kolyan","fullscreen,scrollbars");
else if(rnd == 1) window.open('http://virgins-fuck.com/',"kolyan","fullscreen,scrollbars");
}
}
</script>
</head>
<body bgcolor="#000099" topmargin="50" onunload="cp()">
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0" width="600" style="border-collapse: collapse" bordercolor="#111111">
<tr><td width="100%" align="center"><font face="Fixedsys" size="2" color="#FFFFFF">Detected SPYware! System error #384</font></td></tr>
<tr><td width="100%" align="center"><font face="Fixedsys" size="2" color="#FFFFFF">__________________________________________________________________________</font></td></tr>
<tr><td width="100%" align="center">&nbsp;</td></tr>
<tr><td width="100%"><p align="justify"><font face="Fixedsys" color="#FFFFFF">Your IP address 
is 83.116.41.39. Using this address a remote computer has gained anaccess to your computer and probably is collecting the information about 
the sites you've visited and the files contained in the folder Temporary 
Internet Files. Attention! Ask for help or install the software for 
deleting secret information about the sites you visited.</font></td></tr>
<tr><td width="100%"><p align="center"><font face="Fixedsys" color="#FFFFFF">__________________________________________________________________________</font></td></tr>
<tr><td width="100%"><p align="center"><font face="Fixedsys" color="#FFFFFF">Your computer is 
full of evidences!</font></td></tr>
<tr><td width="100%"><br><table border=0 cellpadding=3 cellspacing=0 width=100%>
<tr><td width=30%><font color=ffffff face=Tahoma size=2>ISP of transmission:</td><td width=70%><b><font color=ffffff face=Tahoma size=2>WANADOO</b></td></tr><tr><td width=30%><font color=ffffff face=Tahoma size=2>Your IP address:</td><td width=70%><b><font color=ffffff face=Tahoma size=2>83.116.41.39</b></td></tr><tr><td width=30%><font color=ffffff face=Tahoma size=2>They know you're using:</td><td width=70%><b><font color=ffffff face=Tahoma size=2>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; WRV)</b></td></tr><tr><td width=30%><font color=ffffff face=Tahoma size=2>Your computer is:</td><td width=70%><b><font color=ffffff face=Tahoma size=2>Windows XP</b></td></tr><tr><td width=30%><font color=ffffff face=Tahoma size=2>Risk status for further investigation:</td><td width=70%><b><font color=ffffff face=Tahoma size=2>VERY HIGH RISK</b></td></tr>
</table></td></tr>
<tr><td width="100%">&nbsp;</td></tr>
<tr><td width="100%">&nbsp;</td></tr>
<tr><td width="100%">&nbsp;</td></tr>
<tr><td width="100%"><a href="http://www.smart-security.info/?affid=DNN-2" onClick=exit=false><font face="Fixedsys" color="#FFFFFF">To protect from the Spyware - click here</font></a></td></tr>
<tr><td width="100%"><a href="http://www.smart-security.info/?affid=DNN-2" onClick=exit=false><font face="Fixedsys" color="#FFFFFF">To prevent information transmission&nbsp; - click here</font></a></td></tr>
<tr><td width="100%"><a href="http://www.smart-security.info/?affid=DNN-2" onClick=exit=false><font face="Fixedsys" color="#FFFFFF">To delete the history of your activity, click here</font></a></td></tr>
<tr><td width="100%">&nbsp;</td></tr>
</table></center></div>
</body>
</html>


By emptying this txt file I can at least start IE normally again. Now I only have the HTML-like desktop left.

Deleted

Topic starter
Hello everyone. I'm a step further than before. By removing ... from the registry and by using HijackThis I have got atuw.exe off my computer. Starting IE works normally again and I no longer get virus warnings that a sex dialer wants to install itself.

Now I have one problem left: my desktop is still a web-page-like thing (without web content, though; everything is white now).

The HijackThis log now looks like this:

code:
Logfile of HijackThis v1.97.7
Scan saved at 19:42:56, on 17-6-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\S3hotkey.exe
C:\WINDOWS\System32\S3tray2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Wireless\Client Manager\CmAGS.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\ASCOMP Software\BackUp Maker\bkmaker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Frans\Bureaublad\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\com.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless Client Manager.lnk = C:\Program Files\Wireless\Client Manager\CmAGS.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: BackUp Maker.lnk = C:\Program Files\ASCOMP Software\BackUp Maker\bkmaker.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.higherlevel.nl/
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://toyocam.artecom.be/bin/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {ADC3EA10-8A28-41A9-96B4-534ADFC3CA0A} (Configuratore Auto Control) - http://cv.fiat.com/autopricer/ocx/configuratoreauto.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36501C2B-8806-46B9-9C29-D42C3A0A265E}: NameServer = 194.134.5.55,217.148.180.42


I really don't know where to look any more. Can someone give me a hint where else I could look???

  • wildhagen
  • Registered: June 1999
  • Not online

wildhagen

Blablabla

You have one more virus on there that you didn't have before ;)

Throw this entry away:

code:
O4 - HKLM\..\Run: [CLSID] C:\WINDOWS\System32\com.exe


Other than that I don't see any strange/bad entries...

Viruses? Scan them here!


Deleted

Topic starter
By the way, this is my HijackThis startup list:
code:
StartupList report, 17-6-2004, 20:13:04
StartupList version: 1.52
Started from : C:\Documents and Settings\Frans\Bureaublad\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\S3hotkey.exe
C:\WINDOWS\System32\S3tray2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Wireless\Client Manager\CmAGS.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\ASCOMP Software\BackUp Maker\bkmaker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Frans\Bureaublad\HijackThis.exe
C:\Documents and Settings\Frans\Bureaublad\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Wireless Client Manager.lnk = C:\Program Files\Wireless\Client Manager\CmAGS.exe
BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
BackUp Maker.lnk = C:\Program Files\ASCOMP Software\BackUp Maker\bkmaker.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Apoint = C:\Program Files\Apoint2K\Apoint.exe
S3hotkey = S3hotkey.exe
S3TRAY2 = S3tray2.exe
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
ashMaiSv = C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
(Default) = 
StatusClient = C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
TomcatStartup = C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
DataLayer = C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
Nokia Tray Application = C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
CLSID = C:\WINDOWS\System32\com.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
STManager = C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b
H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
Skype = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[HouseCall Besturing]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

[AvxScanOnline Control]
InProcServer32 = C:\WINDOWS\AvxOScan\BITDEF~1.OCX
CODEBASE = http://www.bitdefender.com/scan/Msie/bitdefender.cab

[CamImage Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\AxisCamControl.ocx
CODEBASE = http://toyocam.artecom.be/bin/AxisCamControl.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

[Configuratore Auto Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ConfiguratoreAuto.ocx
CODEBASE = http://cv.fiat.com/autopricer/ocx/configuratoreauto.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
System: C:\WINDOWS\system32\system32.dll

--------------------------------------------------
End of report, 7.146 bytes
Report generated in 0,231 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only


By the way, I read that Skype might also contain spyware... could that be causing all of this?

Deleted

I had the same problem yesterday with that smart security misery:

For me the culprit was:

HKCU\.. \Run: [winupd] "C:\Windows\System32\winupd.exe"

Remove this and all the other junk with HijackThis, and delete winupd.exe manually.

Then use regedit to delete the key "desktop" under HKCU/Software/Microsoft/InternetExplorer.

Finally, for me all the images and the html page itself were in C:\Windows\WEB; easy to tell apart from the normal files if you look at the creation date. Delete those too.

If you now reboot you are completely rid of it ....

Deleted

For people who still have problems with this spyware.
It's the first time I got so angry about spyware that I just made a site for it.

I made a site for the people that have problems with the spyware showing the message page "Detected SPYware! System error #384".

You can find it here http://www.easyrcon.com/spyremove
It contains
- Information about this spyware
- A tool i made to remove this spyware
- Information how to remove this spyware without the tool

Greets Dmc