spyware comes back after every boot


Deleted

Topic starter
hey,
I have some spyware on my PC (CashBack, Bargain Buddy and NaviSearch; it came with the CD-burning program Sun, from download.com) and whatever I do, it's back after every reboot. I've already tried everything: first uninstalling, then removing the folders, then running Ad-Aware, and every other combination of those three. Ad-Aware always finds Bargain Buddy, by the way, NaviSearch sometimes and CashBack never. Here is my HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 16:25:54, on 16-10-2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Niek\Mijn documenten\Installers2\spywareshit\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door chello broadband n.v.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.co...all/shockwave/Install.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.../MineSweeper.cab30149.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangen...uncher/ActiveLauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn...rStatsClient.cab30149.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell....stemprofiler/PROFILER.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zuma/popcaploader_v5.cab

Anyone have a suggestion? I'm really going 8)7 !
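As an added example that is not part of this thread: a small Python triage script that applies the kind of checks wildhagen does by hand to a HijackThis log. It flags O2/O3 entries whose DLL is gone, R0/R1 search settings that point into a third-party DLL via res://, O4 autoruns without a full path, and O16 ActiveX downloads with their source host. The sample lines are copied from the log above; the severity levels and the heuristics behind them are this example's own assumptions, not HijackThis rules.

```python
import re
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll (file missing)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Heuristic (assumption): a fully qualified command starts with an optional quote and
# then a drive letter, an environment variable, or a UNC prefix.
QUALIFIED_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%[^%]+%\\|\\\\)')

Finding = Tuple[str, str, str]  # (severity, reason, original line)


def triage(log_text: str) -> List[Finding]:
    """Return one finding per HijackThis entry that deserves a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        kind, body = m.group("kind"), m.group("body")

        if kind in ("O2", "O3") and body.endswith(ORPHAN_MARKERS):
            # A registered BHO or toolbar whose DLL no longer exists: either a leftover
            # registration from removed software or a component that is re-dropped at boot.
            findings.append(("high", "BHO/toolbar registered but its file is gone", line))
        elif kind in ("R0", "R1"):
            value = body.split(" = ", 1)[-1]
            # Heuristic (assumption): IE's own res:// pages live under the Windows directory;
            # a res:// search page served from a third-party DLL is a hijacked search setting.
            if value.lower().startswith("res://") and "\\windows\\" not in value.lower():
                findings.append(("medium", "search setting points into a third-party DLL", line))
        elif kind == "O4":
            cmd_match = re.search(r"Run: \[[^\]]*\] (?P<cmd>.*)$", body)
            if cmd_match and not QUALIFIED_RE.match(cmd_match.group("cmd")):
                # Bare executable names are resolved through the search path at logon,
                # so the file that actually runs must be located and checked by hand.
                findings.append(("low", "autorun command has no full path", line))
        elif kind == "O16":
            host = re.search(r"https?://([^/\s]+)", body)
            if host:
                findings.append(("info", f"ActiveX control installed from {host.group(1)}", line))
    return findings


def report(log_text: str) -> str:
    """Plain-text report, worst findings first."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    rows = sorted(triage(log_text), key=lambda f: order[f[0]])
    return "\n".join(f"[{sev:<6}] {reason}\n          {line}" for sev, reason, line in rows)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the full log (paste it into `SAMPLE_LOG` or read it from a file) the three "(no file)"/"(file missing)" entries and the two toolbar.dll search settings come out on top, which is exactly the set wildhagen lists below; the O4 "low" findings are not verdicts, only a reminder that a bare name like point32.exe has to be resolved on the machine before it can be trusted.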


wildhagen

Blablabla

The following entries can go:

code:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll (file missing)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.co...all/shockwave/Install.cab

[ 9% edited by wildhagen on 17-10-2004 17:32 ]

Viruses? Scan them here!


Deleted

Topic starter
That didn't really help. Any other ideas?

Deleted

what I found

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll (file missing)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangen...uncher/ActiveLauncher.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.co...all/shockwave/Install.cab

those last 2 look like Shockwave, but the website they come from looks odd.

Deleted

Topic starter
that's some driver for a game; it does indeed come from Shockwave. But those have been on there for ages and I've never had any trouble with them. And I've removed them now, sooo...

Deleted

Try removing the spyware in Safe Mode... that helped for me too.

Deleted

Topic starter
nope, that doesn't work either: then Ad-Aware can't find them, and they aren't in Program Files anyway. Only some things in System Volume Information get found, and after a reboot they're back. |:(


MegaJurk

NF7-S 1825@2280

Maybe this will work?

see also: http://www.mcse.ms/archive177-2004-4-497067.html


This was originally posted on a group where the level of techno was less
than here, so, the details may be insulting to some. Also, not sure if
booting in safe mode is necessary but it worked.


*** DISCLAIMER DISCLAIMER DISCLAIMER ***

This worked for me on Windows XpHome with NTFS file system.
I guarantee NOTHING. You are messing with a trojan and the registry. It
is possible your machine may never boot again after doing any of this.
BACK UP ANYTHING CRITICAL TO CDs WHILE YOU CAN. Personally, before
hacking at any of this I burned 10 CDs of data.

I don't guarantee that this is totally removed. For all I know it is
sending every piece of personal info, credit card number, password, etc
to the scumbag that created it. You want a guarantee, buy a toaster or
something. All I know is my machine APPEARS to be running as it was.
==================================================


Download Dellater.exe from
http://www.diamondcs.com.au/index.php?page=dellater

and Windows-XP-Prefetch-Clean-And-Control.exe from
http://www.jester2k.pwp.b...o.uk/jester2ksoftware.htm

Boot in safe mode by pressing F8 while Windows is starting. You will be
given a text list of options. First one is Safe Mode.

Run the above prefetch program to purge the prefetch folder. You will get
the "first time" pop-up. Click OK

Select either the Recommended or Default option radio button
Click Set Prefetch Parameters tab.
Click Clean Prefetch Folder Now tab.

The active trojan prevents infected files and registry entries from being
deleted or rewrites them if changed/deleted. This will set up files to be
deleted when windows boots up before the trojan starts:

Click Start | Run
x:\Dellater.exe c:\windows\system32\fservice.exe
You should get a pop-up:
File Marked for Deletion After Reboot
c:\windows\system32\fservice.exe

Do the same thing for:
c:\windows\system\sservice.exe
c:\windows\system32\wininv.dll
c:\windows\system32\winkey.dll
c:\windows\winlogon.exe

Reboot in safe mode again
Don't worry about the pop-up message that it can't find fservice.exe -
errr.... that's good.

The above files should be gone and not recreated by the trojan. Note that
winlogon WILL exist in directories besides c:\windows. DON'T delete them.

open regedit
The registry entry
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
\Winlogon\Shell
has a value of:
Explorer.exe C:\WINDOWS\system32\fservice.exe
Highlight the value name in the right pane and click Edit|Modify at the
top. Change the value to just:
Explorer.exe

In regedit navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Under policies is a subkey called Explorer (along with a subkey Run).
Highlight the Explorer key in the left pane under policies.
Right click on it and select delete.
Click Yes to delete.


Reboot in normal mode.
Windows will probably take a bit longer to load due to the prefetch
folder repopulating. It should speed up on the next reboot or two.
Check the above registry settings to ensure they have not reverted.
Check your system to make sure that above deleted files are no longer in
existence anywhere (except winlogon.exe but there should be no
winlogon.exe in c:\windows).

Norton Internet Security should now be running (system tray). Norton
antivirus in the system tray may have a red X through it. This is because
Auto Protect has been shut off. Reenable it in the NAV options.


Hope I got this all right and that it works for you. Many hours of
hacking, trial and error. Old memory ain't what it used to be. A good
challenge like the old days.
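As an added example that is not part of the quoted post or of any of the tools it names: a Python script for the "check that the settings have not reverted" step at the end of the procedure. It decodes two registry values: Winlogon\Shell, which should contain nothing but Explorer.exe, and PendingFileRenameOperations under Session Manager, which is where Windows itself queues delete-after-reboot requests (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes it; that Dellater uses this same mechanism is an assumption). The sample values are constructed from the post above; on Windows the script reads the live values, elsewhere it falls back to the samples.

```python
import re
from typing import List, Optional, Tuple

# Constructed samples, built from the values the quoted procedure tells you to look at.
SAMPLE_SHELL = r"Explorer.exe C:\WINDOWS\system32\fservice.exe"
SAMPLE_PENDING = [
    r"\??\C:\WINDOWS\system32\fservice.exe", "",                 # empty destination = delete
    r"\??\C:\WINDOWS\system\sservice.exe", "",
    r"\??\C:\temp\new.dll", r"!\??\C:\WINDOWS\system32\old.dll",  # '!' = replace if it exists
]

FileOp = Tuple[str, str, str]  # (operation, source, destination)


def shell_extras(shell_value: str) -> List[str]:
    """Return every program in a Winlogon\\Shell value that is not Explorer itself.

    Winlogon accepts a comma-separated list; the trojan in the quoted post simply
    appended its path after a space, so both separators are handled and quoted
    paths containing spaces stay one token.
    """
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', shell_value.replace(",", " "))]
    extras = []
    for tok in tokens:
        base = tok.rsplit("\\", 1)[-1].lower()
        if base != "explorer.exe":
            extras.append(tok)
        elif "\\" in tok and "\\windows\\" not in tok.lower():
            # Assumption: the system directory is C:\WINDOWS (as in the log above); an
            # explorer.exe with a full path outside it is not the real shell.
            extras.append(tok)
    return extras


def _strip_nt_prefix(path: str) -> str:
    return path[4:] if path.startswith("\\??\\") else path


def pending_file_ops(multi_sz: List[str]) -> List[FileOp]:
    """Decode PendingFileRenameOperations: a REG_MULTI_SZ of (source, destination) pairs."""
    ops: List[FileOp] = []
    it = iter(multi_sz)
    for src in it:
        dst = next(it, "")
        src = _strip_nt_prefix(src)
        if dst == "":
            ops.append(("delete", src, ""))
        else:
            ops.append(("rename", src, _strip_nt_prefix(dst.lstrip("!"))))
    return ops


def read_live_values() -> Optional[Tuple[str, List[str]]]:
    """On Windows, read the real registry values; elsewhere return None so the samples are used."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        shell, _ = winreg.QueryValueEx(key, "Shell")
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SYSTEM\CurrentControlSet\Control\Session Manager") as key:
            pending, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
    except FileNotFoundError:
        pending = []  # nothing queued, which is the normal state
    return shell, list(pending)


if __name__ == "__main__":
    shell, pending = read_live_values() or (SAMPLE_SHELL, SAMPLE_PENDING)
    print("Winlogon\\Shell extras:", shell_extras(shell) or "none (clean)")
    for op, src, dst in pending_file_ops(pending):
        print(f"pending {op}: {src}" + (f" -> {dst}" if dst else ""))
```

Two things the output tells you after the reboot described above: if `shell_extras` still returns the fservice.exe path, the value was rewritten and the trojan is still active; and if the delete entries are still present in PendingFileRenameOperations after a normal boot, the deletions were never processed, which is worth knowing before trusting that the files are gone.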