[IE] /?%20 spyware??

[anoniem]

Hallo mensen. Ik ben vanuit het Software -> Windows Forum naar jullie doorverwezen. Mijn IE zit al een tijdje een beetje vervelend te doen. Ik heb een toetsenbord waarbij de 'l' het niet altijd even goed doet. Als ik dan in mijn enthousiasme een internetadres eindigend op nl opgeef 'vergeet' ik nogal eens de laatste l. Op zo'n moment wordt ik doorverwezen naar een pagina waarbij er een rare code in het adres wordt geplakt: Als ik www.computertotaal.n intoets, wordt ik doorgestuurd naar: http:///?%20www.computertotaal.n Wat natuurlijk een 404 (page not found) geeft. Het is erg irritant dat ik dan niet snel even die extra l kan toevoegen om alsnog naar de juiste site te gaan! Men dacht dat het hier om spyware ging. Daarom heb ik HijackThis even gedraaid: [b:3b87cd90f5][list:3b87cd90f5]Logfile of HijackThis v1.98.2 Scan saved at 15:53:13, on 13-10-2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\gearsec.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\Tablet.exe C:\UGS180\plot\ugiipqd.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe C:\PROGRA~1\MAXTOR~1\Utils\OneTouch.exe C:\Program Files\Analog Devices\SoundMAX\SMTray.exe C:\Program Files\Apoint2K\Apoint.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Utils\Wacom\TabUserW.exe C:\Program Files\Utils\4t Tray Minimizer\4t-min.exe C:\Program Files\WorkPace 3.0\WorkPace.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\Apoint2K\HidFind.exe C:\WINDOWS\System32\WISPTIS.EXE C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Utils\Winamp\Winamp.exe C:\Program Files\Outlook Express\msimn.exe C:\Program Files\Development Center\HTML-kit\Bin\HTMLKit.exe C:\Program Files\Internet Explorer\iexplore.exe C:\hijack\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.tue.nl/ R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Core Library - {A23AB93D-6CFF-442c-BB8A-41F6145F47E7} - C:\WINDOWS\System32\PDF1a06.dll O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\Utils\Internet\SafeGuard Pop-up Blocke\popupblocker.dll O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Network -p HPLaserJet1300 -pn "HP LaserJet 1300 PCL 6" -n 0 -l 1033 -sl 120000 O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\MAXTOR~1\Utils\OneTouch.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Utils\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF1a06.dll O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - Startup: 4t Tray Minimizer.lnk = C:\Program Files\Utils\4t Tray Minimizer\4t-min.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: TabUserW.lnk = C:\Program Files\Utils\Wacom\TabUserW.exe O4 - Global Startup: Workpace.lnk = C:\Program Files\WorkPace 3.0\workpace.cmd O8 - Extra context menu item: Druid: Download All Files - C:\Program Files\XemiComputers\Download Druid\Druid.html O8 - Extra context menu item: Druid: Download Highlighted Files - C:\Program Files\XemiComputers\Download Druid\DruidHighLighted.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Download - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\XemiComputers\Download Druid\Druid.exe O9 - Extra 'Tools' menuitem: Druid: Download All Files - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\XemiComputers\Download Druid\Druid.exe O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Druid Bar - {A6B25D86-CB76-44C1-8E35-328EE8F4BEF0} - C:\Program Files\XemiComputers\Download Druid\DruidBar.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://spystream.babenet.com/cabs/videox.cab O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://www.pussyharem.com/stream/mmp.cab O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = campus.tue.nl O17 - HKLM\Software\..\Telephony: DomainName = campus.tue.nl O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = campus.tue.nl [/list:u:3b87cd90f5][/b:3b87cd90f5] Ik hoop dat jullie me hier vanaf kunnen helpen. Thanks. Jasper

[anoniem]

Hallo Jasper, Sluit alle open vensters, run HijackThis nog een keer en laat volgende items repareren: [b:f3644c219b] R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file) O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\Utils\Internet\SafeGuard Pop-up Blocke\popupblocker.dll O2 - BHO: Core Library - {A23AB93D-6CFF-442c-BB8A-41F6145F47E7} - C:\WINDOWS\System32\PDF1a06.dll O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF1a06.dll O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://spystream.babenet.com/cabs/videox.cab O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_EN_XP.cab O16 - DPF: {861FDA2A-2B57-4BDA-8B8B-305C9D5D8604} (_Multimedia Player) - http://www.pussyharem.com/stream/mmp.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup151.cab O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB [/b:f3644c219b] Als je dit gedaan hebt [url=http://users.pandora.be/marcvn/spyware/1378056.htm]start je de computer op in veilige modus[/url]. Zorg dat alle [url=http://users.pandora.be/marcvn/spyware/1117602.htm]verborgen bestanden weergegeven worden[/url], en verwijder de volgende bestanden of mappen indien aanwezig: C:\WINDOWS\System32\PDF1a06.dll Reboot de computer, run HijackThis opnieuw en post een nieuwe log.

[anoniem]

Thanks! Het is gelukt! Ik krijg geen %20 gebeuren meer! Het bestand dat je aangaf om te verwijderen bestond trouwens niet! Dit is mijn nieuwe Hijack log: [b:91f7401ada][list:91f7401ada]Logfile of HijackThis v1.98.2 Scan saved at 20:51:47, on 13-10-2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\gearsec.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\Tablet.exe C:\UGS180\plot\ugiipqd.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe C:\PROGRA~1\MAXTOR~1\Utils\OneTouch.exe C:\Program Files\Analog Devices\SoundMAX\SMTray.exe C:\Program Files\Apoint2K\Apoint.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Utils\Wacom\TabUserW.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Utils\4t Tray Minimizer\4t-min.exe C:\Program Files\Apoint2K\HidFind.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\WorkPace 3.0\WorkPace.exe C:\hijack\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.tue.nl/ O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\Utils\Internet\SafeGuard Pop-up Blocke\popupblocker.dll O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Network -p HPLaserJet1300 -pn "HP LaserJet 1300 PCL 6" -n 0 -l 1033 -sl 120000 O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\MAXTOR~1\Utils\OneTouch.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Utils\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - Startup: 4t Tray Minimizer.lnk = C:\Program Files\Utils\4t Tray Minimizer\4t-min.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: TabUserW.lnk = C:\Program Files\Utils\Wacom\TabUserW.exe O4 - Global Startup: Workpace.lnk = C:\Program Files\WorkPace 3.0\workpace.cmd O8 - Extra context menu item: Druid: Download All Files - C:\Program Files\XemiComputers\Download Druid\Druid.html O8 - Extra context menu item: Druid: Download Highlighted Files - C:\Program Files\XemiComputers\Download Druid\DruidHighLighted.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Download - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\XemiComputers\Download Druid\Druid.exe O9 - Extra 'Tools' menuitem: Druid: Download All Files - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\XemiComputers\Download Druid\Druid.exe O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Druid Bar - {A6B25D86-CB76-44C1-8E35-328EE8F4BEF0} - C:\Program Files\XemiComputers\Download Druid\DruidBar.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = campus.tue.nl O17 - HKLM\Software\..\Telephony: DomainName = campus.tue.nl O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = campus.tue.nl[/list:u:91f7401ada][/b:91f7401ada] Ik weet niet of ik nog meer kan verbeteren? Bedankt! Jasper

[anoniem]

Log lijkt me ok. Dat je C:\WINDOWS\System32\PDF1a06.dll niet kon vinden is mogelijk. Hijackthis verwijdert die bestand als het dat kan. groeten,