Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spysheriff Removed, Still Probs


  • This topic is locked This topic is locked
6 replies to this topic

#1 Diego

Diego

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:18 PM

Posted 17 December 2005 - 09:39 AM

Hello,
Stumbled onto this site while looking for a sollution for a Spysheriff infection and it has been a great help.
I've followed the procedure to remove Spysheriff, Spysheriff is gone but....
apparently not everything is gone.
My homepage in internet explorer keeps changing back to 'about:blank' with links to anti-spyware nonsense.
I don't seem to be able to remove the entry -which i suspect causes it with- Hijackthis.
and I still have popup adds in explorer as well.

Thanks for the help
Greetings



Logfile of HijackThis v1.99.1
Scan saved at 15:33:30, on 17/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\winxg32.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\BITWARE\NT\bwprnmon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ieyf.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Plextor\PlexTool.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gixin.dll/sp.html#12047%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gixin.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gixin.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gixin.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gixin.dll/sp.html#12047%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gixin.dll/sp.html#12047%everything4find.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gixin.dll/sp.html#12047%everything4find.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {32FD5A16-7B87-D254-57E3-C8A486AA74D6} - C:\WINDOWS\addbr32.dll (file missing)
O2 - BHO: Class - {3B9CE314-9AD4-9792-05A7-D033A0AC7FC8} - C:\WINDOWS\mfcrk.dll
O2 - BHO: Class - {652035F3-D74E-54F9-A970-9AD5A4AC655B} - C:\WINDOWS\system32\crmu.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Class - {A707AB7B-D9B3-BFD8-18EC-6529CC0DA825} - C:\WINDOWS\system32\mswh.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\nl-be\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\nl-be\msntb.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [javaay.exe] C:\WINDOWS\javaay.exe
O4 - HKLM\..\Run: [ieyf.exe] C:\WINDOWS\system32\ieyf.exe
O4 - HKLM\..\Run: [ipdp32.exe] C:\WINDOWS\system32\ipdp32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PlexTools.lnk = C:\Program Files\Plextor\PlexTool.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Interface Chat Voila - http://chat5.x-echo.com/version2/Applet/vchatsign.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.neptun.bme.hu/wfica.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by11fd.bay11.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/s...er/PROFILER.CAB
O16 - DPF: {92E7E45A-D8C8-480E-AF99-176E43997CAA} (Aurigma Image Uploader 3.5 Combo Control) - http://www.pixdiscount.be/clients/ImageUploader3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\winxg32.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

Edited by Diego, 17 December 2005 - 02:13 PM.


BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:18 PM

Posted 19 December 2005 - 08:10 AM

Hello,

It's better to print out the next instructions or save it in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

Download AboutBuster.
Unzip AboutBuster in an own folder such as C:\AboutBuster.
Start AboutBuster.exe. Click OK, Update, Check For Update and download the updates if present.
Close aboutbuster now, because you may not run it yet, that's for later.
If You are getting an error when updating, please let me know first before you proceed with the next steps.

* Download and install CCleaner
Do not use it yet.

* Download this regfix: HSfix
Unzip it and place it on your desktop, don't use it yet!

* I see you already have ewido installed. Please update it, but don't let it scan yet.

* Please reboot your system into SAFE MODE.
To get into the Windows XP Safe mode as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start hijackthis and click scan and put a checkmark next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gixin.dll/sp.html#12047%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gixin.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\gixin.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\gixin.dll/sp.html#12047%everything4find.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\gixin.dll/sp.html#12047%everything4find.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gixin.dll/sp.html#12047%everything4find.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\gixin.dll/sp.html#12047%everything4find.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {32FD5A16-7B87-D254-57E3-C8A486AA74D6} - C:\WINDOWS\addbr32.dll (file missing)
O2 - BHO: Class - {3B9CE314-9AD4-9792-05A7-D033A0AC7FC8} - C:\WINDOWS\mfcrk.dll
O2 - BHO: Class - {652035F3-D74E-54F9-A970-9AD5A4AC655B} - C:\WINDOWS\system32\crmu.dll
O2 - BHO: Class - {A707AB7B-D9B3-BFD8-18EC-6529CC0DA825} - C:\WINDOWS\system32\mswh.dll
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [javaay.exe] C:\WINDOWS\javaay.exe
O4 - HKLM\..\Run: [ieyf.exe] C:\WINDOWS\system32\ieyf.exe
O4 - HKLM\..\Run: [ipdp32.exe] C:\WINDOWS\system32\ipdp32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB
O23 - Service: Network Security Service (NSS) ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\winxg32.exe


* Close all open windows except hijackthis and click 'Fix Checked'.

* Navigate to and delete the following files if present:

C:\WINDOWS\system32\winxg32.exe
C:\WINDOWS\system32\ieyf.exe
C:\WINDOWS\System32\P2P Networking <== folder
C:\WINDOWS\javaay.exe
C:\WINDOWS\system32\ipdp32.exe

* Start Aboutbuster and let it scan.
Let it scan a second and third time until everything is gone.

* Doubleclick on HSfix you downloaded earlier before which is present on your desktop and when it asks you if you want to add the contents to the registry, click yes/ok

* Still in safe mode start Ccleaner.
click "Options", click the "Advanced" tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Click "Cleaner" and click Run Cleaner (bottom right)

* Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Close Ewido

* Go to start>Control Panel>Internet Options>tab programs> and click restore websettings.

* Reboot your PC back to normal.

* Perform an onlinescan with Bitdefender and/or Housecall (check here autodelete) and let it delete everything it is finding.

* Post a new hijackthis-log + log from ewido.

by the way, I see you are most probably dutch, so if you want to post in dutch, that's ok for me. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Diego

Diego
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:18 PM

Posted 20 December 2005 - 05:19 PM

Hallo
Ja ik ben Nederlandstalig! De wereld is blijkbaar zo groot nog niet.
Bedankt voor de procedure die je me gegeven hebt, ik heb ze uitgeprobeerd. Misschien kan je verder helpen op basis van volgende gegevens? In het Hijackthis log zitten toch ook nog een paar vreemde 'gevallen'. Alvast bedankt voor de moeite en groeten uit Oost-Vlaanderen!

Yesterday I installed Norton Internet Security 2006 which seems to have removed some other probs (no more popups when performing searches in google/bogus warnings). The computer behaves normal; but the homepage in IE keeps returning to the symantec site (their procedure to get it back to the site I want seems to work, but after restart; same problem again).
However, I followed your procedure and at the end used Norton instead of Bitdef/housecall and during the scan one file/problem turned up : adware.iefeats. Yesterday when i first scanned with norton it also turned up several times. Found a procedure to solve the problem on the norton site (haven't tried it yet).
Ewido also found a few things
In Hijackthis: marked the R3 to be removed (as you descrivbed), but it's still/back here.

Greetings

New Hijackthislog:


Logfile of HijackThis v1.99.1
Scan saved at 22:48:26, on 20/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\BITWARE\NT\bwprnmon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Plextor\PlexTool.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3712D7D0-9565-F99D-D800-6036A77E45C4} - C:\WINDOWS\crdy32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {8A75EA04-9575-A22B-4FC7-E64CB83DA5F3} - C:\WINDOWS\mfcbu32.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Class - {9FA51816-BD9F-7A8E-1737-44978508516A} - C:\WINDOWS\system32\addlr.dll (file missing)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\nl-be\msntb.dll
O2 - BHO: Class - {F5175406-F001-516B-847A-DA5FC41F90DC} - C:\WINDOWS\system32\javapw32.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\nl-be\msntb.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PlexTools.lnk = C:\Program Files\Plextor\PlexTool.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Interface Chat Voila - http://chat5.x-echo.com/version2/Applet/vchatsign.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.neptun.bme.hu/wfica.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by11fd.bay11.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/s...er/PROFILER.CAB
O16 - DPF: {92E7E45A-D8C8-480E-AF99-176E43997CAA} (Aurigma Image Uploader 3.5 Combo Control) - http://www.pixdiscount.be/clients/ImageUploader3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe


Ewidolog

---------------------------------------------------------
ewido anti-malware - Scan rapport
---------------------------------------------------------

+ Gemaakt op: 20:43:42, 20/12/2005
+ Rapport samenvatting: 15063CB

+ Scan resultaten:

HKLM\SOFTWARE\Classes\CLSID\{46C8C875-7053-566F-B7DF-A8735884B10E} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\CLSID\{8424A742-21C5-E92B-D6A5-2B565D796258} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\CLSID\{90DEE38B-0DB3-A3CA-6F69-126542AD0FA1} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\CLSID\{F065E398-2ACB-9034-8B2A-28A827FF521F} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
C:\Documents and Settings\Diego\Cookies\diego@247realmedia[2].txt -> Spyware.Cookie.247realmedia : Schoongemaakt met een backup
C:\Documents and Settings\Diego\Cookies\diego@atdmt[2].txt -> Spyware.Cookie.Atdmt : Schoongemaakt met een backup
C:\Documents and Settings\Diego\Cookies\diego@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Schoongemaakt met een backup
C:\Documents and Settings\Diego\Cookies\diego@statcounter[1].txt -> Spyware.Cookie.Statcounter : Schoongemaakt met een backup
C:\Documents and Settings\Guy\Cookies\guy@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Schoongemaakt met een backup
C:\RECYCLER\S-1-5-21-1708537768-606747145-725345543-500\Dc1.exe -> Trojan.Agent.bi : Schoongemaakt met een backup
C:\WINDOWS\system32\addho.exe -> Trojan.Agent.bi : Schoongemaakt met een backup
C:\WINDOWS\system32\apitb.exe -> Trojan.Agent.bi : Schoongemaakt met een backup
C:\WINDOWS\system32\d3aj32.exe -> Trojan.Agent.bi : Schoongemaakt met een backup
C:\WINDOWS\system32\ipcm32.exe -> Trojan.Agent.bi : Schoongemaakt met een backup
C:\WINDOWS\system32\javaly.exe -> Trojan.Agent.bi : Schoongemaakt met een backup
C:\WINDOWS\system32\javast.exe -> Trojan.Agent.bi : Schoongemaakt met een backup
C:\WINDOWS\system32\msjr.exe -> Trojan.Agent.bi : Schoongemaakt met een backup
C:\WINDOWS\system32\nethn.exe -> Trojan.Agent.bi : Schoongemaakt met een backup
C:\WINDOWS\system32\netvu32.exe -> Trojan.Agent.bi : Schoongemaakt met een backup
C:\WINDOWS\system32\ntvw.exe -> Trojan.Agent.bi : Schoongemaakt met een backup
C:\WINDOWS\system32\sysnz32.exe -> Trojan.Agent.bi : Schoongemaakt met een backup
C:\WINDOWS\_isAE:gnala -> Downloader.Agent.td : Schoongemaakt met een backup
C:\WINDOWS\_isAE:hbiwf -> Downloader.Agent.td : Schoongemaakt met een backup
C:\WINDOWS\_isAE:tkden -> Downloader.Agent.td : Schoongemaakt met een backup


::Einde rapport

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:18 PM

Posted 20 December 2005 - 05:29 PM

Hoi,

Eerst nog even wat restanten opruimen:

* Start Hijackthis en vink volgende items aan:

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {3712D7D0-9565-F99D-D800-6036A77E45C4} - C:\WINDOWS\crdy32.dll (file missing)
O2 - BHO: Class - {8A75EA04-9575-A22B-4FC7-E64CB83DA5F3} - C:\WINDOWS\mfcbu32.dll (file missing)
O2 - BHO: Class - {9FA51816-BD9F-7A8E-1737-44978508516A} - C:\WINDOWS\system32\addlr.dll (file missing)
O2 - BHO: Class - {F5175406-F001-516B-847A-DA5FC41F90DC} - C:\WINDOWS\system32\javapw32.dll (file missing)


* Sluit alle open vensters.(belangrijk!!)
Klik daarna op Fix checked onderaan en sluit HijackThis.

Volgens norton heb je ergens in Norton zelf de optie: Symantec Home Page Assistance gekozen die verantwoordelijk is voor die startpagina.
Kan je dit niet uitzetten?
Ik zie in de screenshots van de Symantec Home Page Assistance dat je daar ook kan kiezen uit verschillende opties wat betreft je startpagina.
Kies daar: Enter my Homepage en vul je startpagina in.

Anders, als Norton hier lastig blijft doen, dan zal ik gewoon die optie afzetten.

Voer ook nog het volgende uit..

* Download: Hoster
Unzip hoster naar een eigen map.
Start Hoster.exe.
Er is een grote kans dat wanneer je hoster.exe start, dat het een melding geeft dat de hosts-file niet bestaat en of je er n wilt aanmaken.
Klik ja.
Indien je die melding niet krijgt, klik in hoster: Restore original Hosts.

Deze hijacker is ook verantwoordelijk om de ActiveX security te veranderen naar 'alles toestaan'.
Om dit te fixen...Open Internet Explorer extra > internet opties > beveiliging > het internet.
Klik standaardniveau > OK.
Klik aangepast niveau
In het ActiveX onderdeel:
Vink aan 'ActiveX die niet gemarkeerd zijn als veilig initialiseren en uitvoeren in scripts" naar 'uitschakelen'.
Vink aan bij "ActiveX-besturingselementen met handtekening en zonder handtekening downloaden" naar 'vragen'.

Laat me weten hoe alles achteraf werkt.

Groeten uit Brugge :thumbsup: (idd, de wereld is klein)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Diego

Diego
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:18 PM

Posted 25 December 2005 - 05:41 AM

Hallo,
Alles ziet er nu redelijk normaal uit.
Behalve 1 ding: op n XP-account (die langswaarde infectie is binnengekomen) kan de wallpaper niet meer worden gewijzigd. Als je naar het scherm in properties gaat kan je nergens iets selecteren.

Dank en groeten en prettige feesten!!

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:18 PM

Posted 25 December 2005 - 05:46 AM

Ok, geen probleem.

Log in op die account waar je het bureaublad niet kan wijzigen en voer het volgende uit:

Open kladblok en kopieer en plak volgende vetgedrukte erin:
(vergeet REGEDIT4 niet te kopieren en plakken!)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General]
"WallpaperFileTime"=-
"WallpaperLocalFileTime"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ForceActiveDesktopOn"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoHTMLWallPaper"=-
"NoAddingComponents"=-
"NoChangingWallpaper"=-
"NoComponents"=-
"NoDeletingComponets"=-
"NoEditingComponents"=-


Sla dit op als fix.reg kies voor opslaan als *alle bestanden en plaats het op je bureaublad.
Zo moet die regfix er nadien uitzien: Posted Image
Dubbelklik erop.
Bij de vraag of je het wilt toevoegen aan het register, klik je op ja/ok.

Laat me weten of dit het probleem heeft opgelost.
Nadien, Ga naar start > configuratiescherm > vormgeving en thema's > de achtergrond van het bureaublad wijzigen > bureaublad aanpassen > tab website en vink daar alles uit wat je vindt en klik op verwijderen.
(behalve de 'mijn huidige pagina' -- die moet je niet verwijderen)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:03:18 PM

Posted 02 January 2006 - 06:19 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users