Virus/spyware

  • lg

    After following the steps, here are the log files.

    This PC was infected with tracur.b.43

    Also, I cannot remove HitmanPro and SpywareGuard

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)

    Scan saved at 11:10:53, on 25-1-2010

    Platform: Windows Vista (WinNT 6.00.1904)

    MSIE: Internet Explorer v7.00 (7.00.6000.16982)

    Boot mode: Normal

    Running processes:

    C:\Windows\system32\taskeng.exe

    C:\Windows\system32\Dwm.exe

    C:\Windows\Explorer.EXE

    C:\Windows\WindowsMobile\wmdSync.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

    C:\Program Files\Common Files\Java\Java Update\jusched.exe

    C:\Program Files\Windows Media Player\wmpnscfg.exe

    C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

    C:\Program Files\Marktplaats Zoekassistent\Marktplaats.exe

    C:\Windows\system32\wbem\unsecapp.exe

    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2046702

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - URLSearchHook: (no name) - {c0d70ed8-d984-40c3-9666-8939ce76ea13} - (no file)

    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O1 - Hosts: ::1 localhost

    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

    O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    O2 - BHO: (no name) - {c0d70ed8-d984-40c3-9666-8939ce76ea13} - (no file)

    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

    O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

    O3 - Toolbar: (no name) - {c0d70ed8-d984-40c3-9666-8939ce76ea13} - (no file)

    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

    O4 - HKLM\..\Run: %windir%\WindowsMobile\wmdSync.exe

    O4 - HKLM\..\Run: “C:\Program Files\QuickTime\QTTask.exe” -atboottime

    O4 - HKLM\..\Run: “C:\Program Files\iTunes\iTunesHelper.exe”

    O4 - HKLM\..\Run: “C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe”

    O4 - HKLM\..\Run: “C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe”

    O4 - HKLM\..\Run: “C:\Program Files\Common Files\Java\Java Update\jusched.exe”

    O4 - HKLM\..\Run: “C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe” /runcleanupscript

    O4 - HKLM\..\Run: “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE

    O4 - HKLM\..\Run: “C:\Program Files\Unlocker\UnlockerAssistant.exe”

    O4 - HKCU\..\Run: C:\Program Files\Windows Media Player\WMPNSCFG.exe

    O4 - HKCU\..\Run: “C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe”

    O4 - Startup: Canon IJ Status Monitor Canon MP510 Printer on SHAHAIRA.lnk = ?

    O4 - Startup: Marktplaats Zoekassistent.lnk = C:\Program Files\Marktplaats Zoekassistent\Marktplaats.exe

    O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201

    O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204

    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

    O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203

    O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

    O9 - Extra ‘Tools’ menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

    O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)

    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O13 - Gopher Prefix:

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

    O20 - AppInit_DLLs: C:\Windows\System32\,C:\Windows\System32\,C:\Windows\System32\els32.dll

    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

    O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

    O23 - Service: Norman ZANDA - Unknown owner - C:\Program Files\Norman\Npm\Bin\Zanda.exe (file missing)

    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe

    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe

    O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

    End of file - 8010 bytes

    Malwarebytes' Anti-Malware 1.44

    Database versie: 3633

    Windows 6.0.6000

    Internet Explorer 7.0.6000.16982

    25-1-2010 10:54:10

    mbam-log-2010-01-25 (10-54-10).txt

    Scan type: Snelle Scan

    Objecten gescand: 100715

    Verstreken tijd: 5 minute(s), 5 second(s)

    Geheugenprocessen geïnfecteerd: 0

    Geheugenmodulen geïnfecteerd: 0

    Registersleutels geïnfecteerd: 0

    Registerwaarden geïnfecteerd: 0

    Registerdata bestanden geïnfecteerd: 0

    Mappen geïnfecteerd: 0

    Bestanden geïnfecteerd: 0

    Geheugenprocessen geïnfecteerd:

    (Geen kwaadaardige items gevonden)

    Geheugenmodulen geïnfecteerd:

    (Geen kwaadaardige items gevonden)

    Registersleutels geïnfecteerd:

    (Geen kwaadaardige items gevonden)

    Registerwaarden geïnfecteerd:

    (Geen kwaadaardige items gevonden)

    Registerdata bestanden geïnfecteerd:

    (Geen kwaadaardige items gevonden)

    Mappen geïnfecteerd:

    (Geen kwaadaardige items gevonden)

    Bestanden geïnfecteerd:

    (Geen kwaadaardige items gevonden)

  • Argus

    First scan your PC with the online scanner from SuperAntiSpyware

    Hijack This uninstall list

    Start Hijack This

    Start Hijack This, click: Do a system scan only

    At the bottom right click Config..., then click Misc Tools

    Click “Open Uninstall Manager”

    Click “Safe List”

    Copy Uninstall_list to your Desktop and post its contents in your next reply

    Close Hijack This

  • lg

    As requested

    Adobe Anchor Service CS3

    Adobe Asset Services CS3

    Adobe Bridge CS3

    Adobe Bridge Start Meeting

    Adobe Camera Raw 4.0

    Adobe CMaps

    Adobe Color - Photoshop Specific

    Adobe Color Common Settings

    Adobe Color Common Settings

    Adobe Color EU Recommended Settings

    Adobe Color JA Extra Settings

    Adobe Color NA Extra Settings

    Adobe Default Language CS3

    Adobe Device Central CS3

    Adobe ExtendScript Toolkit 2

    Adobe ExtendScript Toolkit 2

    Adobe Flash Player 10 Plugin

    Adobe Flash Player ActiveX

    Adobe Fonts All

    Adobe Help Viewer CS3

    Adobe Linguistics CS3

    Adobe PDF Library Files

    Adobe Photoshop CS3

    Adobe Photoshop CS3

    Adobe Reader 9.2 - Nederlands

    Adobe Setup

    Adobe Setup

    Adobe Setup

    Adobe Stock Photos CS3

    Adobe Type Support

    Adobe Update Manager CS3

    Adobe Version Cue CS3 Client

    Adobe WinSoft Linguistics Plugin

    Adobe XMP Panels CS3

    Apple Application Support

    Apple Mobile Device Support

    Apple Software Update

    AVS Audio Converter version 6.1

    AVS Update Manager 1.0

    AVS Video Converter 6

    AVS4YOU Software Navigator 1.3

    Bonjour

    Canon MP510

    Canon Utilities Easy-PhotoPrint

    CCleaner

    Compatibility Pack for the 2007 Office system

    DVD Decrypter (Remove Only)

    DVD Shrink 3.2

    Express Rip

    Extensie voor Windows Live Toolbar (Windows Live Toolbar)

    File Renamer - Basic

    FirstSteps Diagnostics

    Golden Records

    HiJackThis

    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

    IdealSorter 2008

    iPAQ WebReg

    IsoBuster 2.4

    iTunes

    Java(TM) 6 Update 18

    Junk Mail filter update

    LimeWire 5.4.6

    Malwarebytes' Anti-Malware

    Markeringviewer (Windows Live Toolbar)

    Marktplaats Zoekassistent (remove only)

    Microsoft .NET Framework 3.5 Language Pack SP1 - nld

    Microsoft .NET Framework 3.5 SP1

    Microsoft .NET Framework 3.5 SP1

    Microsoft Choice Guard

    Microsoft Office Live Add-in 1.3

    Microsoft Office Outlook Connector

    Microsoft Office Professional Editie 2003

    Microsoft Office Visio Professional 2003

    Microsoft Search Enhancement Pack

    Microsoft Silverlight

    Microsoft SQL Server 2005 Compact Edition

    Microsoft Sync Framework Runtime Native v1.0 (x86)

    Microsoft Sync Framework Services Native v1.0 (x86)

    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

    Microsoft Visual C++ 2005 Redistributable

    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

    Microsoft Works

    Mozilla Firefox (3.5.7)

    MSVCRT

    MSXML 4.0 SP2 (KB941833)

    MSXML 4.0 SP2 (KB954430)

    MSXML 4.0 SP2 (KB973688)

    MSXML 4.0 SP2 Parser and SDK

    Nero 8 Essentials

    neroxml

    NOD32 antivirus systeem

    NOD32 FiX

    OLYMPUS Master 2

    OLYMPUS muvee theaterPack

    OpenOffice.org Installer 1.0

    Orbit Downloader

    PDF Settings

    Peer2Peer-NE Toolbar

    QuickPar 0.9

    QuickTime

    Real Alternative 1.8.0

    Realtek High Definition Audio Driver

    Smart Menu's (Windows Live Toolbar)

    SoundTap Streaming Audio Recorder

    Spelling Dictionaries Support For Adobe Reader 8

    Taalpakket voor Microsoft .NET Framework 3.5 SP1 - NL

    The KMPlayer (remove only)

    TomTom HOME 2.7.2.1825

    TomTom HOME Visual Studio Merge Modules

    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

    VCRedistSetup

    WavePad Sound Editor

    WinAVI Video Converter 9.0

    Windows Live - Hulpprogramma voor uploaden

    Windows Live aanmeldhulp

    Windows Live Call

    Windows Live Communications Platform

    Windows Live Essentials

    Windows Live Essentials

    Windows Live Family Safety

    Windows Live Favorites voor Windows Live Toolbar

    Windows Live Mail

    Windows Live Messenger

    Windows Live Movie Maker

    Windows Live Photo Gallery

    Windows Live Sync

    Windows Live Toolbar

    Windows Live Writer

    Windows Media Player Firefox Plugin

    WinRAR

    Xvid 1.1.3 final uninstall

  • Argus

    Have you scanned with SuperAntiSpyware yet?

    Hijack This

    Close all windows and start Hijack This

    Click: Do a system scan only

    Put a check mark in the box in front of:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

    R3 - URLSearchHook: (no name) - {c0d70ed8-d984-40c3-9666-8939ce76ea13} - (no file)

    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

    O2 - BHO: (no name) - {c0d70ed8-d984-40c3-9666-8939ce76ea13} - (no file)

    O3 - Toolbar: (no name) - {c0d70ed8-d984-40c3-9666-8939ce76ea13} - (no file)

    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O20 - AppInit_DLLs: C:\Windows\System32\,C:\Windows\System32\,C:\Windows\System32\els32.dll

    O23 - Service: Norman ZANDA - Unknown owner - C:\Program Files\Norman\Npm\Bin\Zanda.exe (file missing)

    Click ‘Fix checked’ to remove the items.

    Internet Explorer must be closed when you click Fix checked

    Try Microsoft's Cleanup

    Is NOD32 also a component of HitmanPro? If so, first disable it via Services.msc
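An added example, not part of the original thread and not HijackThis's own code: a small Python triage of a HijackThis log that flags the kinds of entries ticked in the list above (“(no file)” registrations, a “(file missing)” service, a populated AppInit_DLLs value) and reports CLSIDs hooked at more than one point. The function names and flagging rules are assumptions made for illustration; the sample lines are copied from the first log in this thread, and the rules do not reproduce the helper's judgement (the R0 and R1 entries he also selected are not covered).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Subset of lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {c0d70ed8-d984-40c3-9666-8939ce76ea13} - (no file)
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {c0d70ed8-d984-40c3-9666-8939ce76ea13} - (no file)
O3 - Toolbar: (no name) - {c0d70ed8-d984-40c3-9666-8939ce76ea13} - (no file)
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\Windows\System32\,C:\Windows\System32\,C:\Windows\System32\els32.dll
O23 - Service: Norman ZANDA - Unknown owner - C:\Program Files\Norman\Npm\Bin\Zanda.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# "R0 - ..." / "O23 - ..." : section code, separator, free-form body.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str             # e.g. "O2"
    body: str             # everything after "O2 - "
    clsid: Optional[str]  # lower-cased CLSID if the entry carries one


def parse_log(text):
    """Return the R*/O* entries of a HijackThis log, skipping header lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        c = CLSID_RE.search(m["body"])
        entries.append(Entry(m["code"], m["body"], c.group(0).lower() if c else None))
    return entries


def appinit_files(entry):
    """DLL paths listed in an O20 AppInit_DLLs entry (assumes comma-separated)."""
    value = entry.body.split(":", 1)[1]
    parts = [p.strip() for p in value.split(",")]
    # Items ending in a backslash are bare directories, not loadable DLLs.
    return [p for p in parts if p and not p.endswith("\\")]


def triage(entries):
    """Return (entry, reason) pairs for entries worth a human look."""
    flagged = []
    for e in entries:
        if e.body.endswith("(no file)"):
            flagged.append((e, "registration points at a file that is not on disk"))
        elif e.body.endswith("(file missing)"):
            flagged.append((e, "service registered but its binary is missing"))
        elif e.code == "O20" and e.body.startswith("AppInit_DLLs:") and appinit_files(e):
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            flagged.append((e, "AppInit_DLLs lists: " + ", ".join(appinit_files(e))))
    return flagged


def shared_clsids(entries):
    """CLSIDs that appear under more than one section code, in log order."""
    seen = {}
    for e in entries:
        if e.clsid and e.code not in seen.setdefault(e.clsid, []):
            seen[e.clsid].append(e.code)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for entry, reason in triage(parsed):
        print(f"{entry.code:>3}  {reason}\n     {entry.body}")
    for clsid, codes in shared_clsids(parsed).items():
        print(f"{clsid} appears under {', '.join(codes)}")
```

A flagged line is a prompt to check the file and registry key by hand before fixing it; an orphaned entry can be a harmless uninstall leftover.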

  • lg

    Quickly, via another PC

    No, NOD32 is standalone.

    There is also still a folder for SpywareGuard and HitmanPro on it; neither runs on that PC any more, but they cannot be removed either.

    Furthermore, System Restore gives a problem: unexpected error 0x80070057

    lg

  • lg

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)

    Scan saved at 17:00:41, on 25-1-2010

    Platform: Windows Vista (WinNT 6.00.1904)

    MSIE: Internet Explorer v7.00 (7.00.6000.16982)

    Boot mode: Normal

    Running processes:

    C:\Windows\system32\taskeng.exe

    C:\Windows\system32\Dwm.exe

    C:\Windows\Explorer.EXE

    C:\Windows\WindowsMobile\wmdSync.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

    C:\Program Files\Common Files\Java\Java Update\jusched.exe

    C:\Program Files\Windows Media Player\wmpnscfg.exe

    C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

    C:\Program Files\Marktplaats Zoekassistent\Marktplaats.exe

    C:\Windows\system32\wbem\unsecapp.exe

    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O1 - Hosts: ::1 localhost

    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

    O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    O2 - BHO: (no name) - {c0d70ed8-d984-40c3-9666-8939ce76ea13} - (no file)

    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

    O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

    O3 - Toolbar: (no name) - {c0d70ed8-d984-40c3-9666-8939ce76ea13} - (no file)

    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

    O4 - HKLM\..\Run: %windir%\WindowsMobile\wmdSync.exe

    O4 - HKLM\..\Run: “C:\Program Files\QuickTime\QTTask.exe” -atboottime

    O4 - HKLM\..\Run: “C:\Program Files\iTunes\iTunesHelper.exe”

    O4 - HKLM\..\Run: “C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe”

    O4 - HKLM\..\Run: “C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe”

    O4 - HKLM\..\Run: “C:\Program Files\Common Files\Java\Java Update\jusched.exe”

    O4 - HKLM\..\Run: “C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe” /runcleanupscript

    O4 - HKLM\..\Run: “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE

    O4 - HKLM\..\Run: “C:\Program Files\Unlocker\UnlockerAssistant.exe”

    O4 - HKCU\..\Run: C:\Program Files\Windows Media Player\WMPNSCFG.exe

    O4 - HKCU\..\Run: “C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe”

    O4 - Startup: Canon IJ Status Monitor Canon MP510 Printer on SHAHAIRA.lnk = ?

    O4 - Startup: Marktplaats Zoekassistent.lnk = C:\Program Files\Marktplaats Zoekassistent\Marktplaats.exe

    O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201

    O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204

    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

    O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203

    O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

    O9 - Extra ‘Tools’ menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

    O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)

    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O13 - Gopher Prefix:

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

    O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

    O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

    O23 - Service: Norman ZANDA - Unknown owner - C:\Program Files\Norman\Npm\Bin\Zanda.exe (file missing)

    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe

    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe

    O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

    End of file - 7531 bytes

  • Argus

    Uninstaller

    http://www.martau.com/

    http://www.revouninstaller.com/

    http://www.purgeie.com/delinv/index.htm

    http://noeld.com/programs.asp?cat=misc#CopyLock

    http://www.malwarebytes.org/fileassassin.php

    http://www.innovatools.com/addremove-plus-download.html

    http://www.nirsoft.net/utils/myuninst.html

    http://www.runscanner.net/

    Download Combofix to your Desktop.

    NOTE: if, during or after downloading Combofix or while using Combofix, you get a notification from your antivirus or another real-time scanner, disable that scanner and download Combofix again.

    Some scanners regard certain components that Combofix uses as suspicious and will block or remove them!

    Double-click Combofix.exe to start it.

    If you have used Combofix before, you may get a warning that an update is available. Allow ComboFix to be updated.

    Click OK in the small “NirCmd” window.

    Afterwards, click Yes again to start the malware scan.

    While the fix is running, do NOT click in the window, as this will cause your PC to hang.

    When the fix is complete, and after a restart, the log Combofix.txt will open.

    Post the ComboFix log

    * Visit the following page with instructions for downloading and using Combofix.

    http://www.bleepingcomputer.com/combofix/nl/hoe-dient-combofix-gebruikt-te-worden

  • lg

    ComboFix 10-01-24.05 - Martin 25-01-2010 17:29:42.1.2 - x86

    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.31.1043.18.3071.1965

    Gestart vanuit: c:\users\Martin\Desktop\ComboFix.exe

    AV: ESET NOD32 antivirus systeem 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    * Aanwezig AV is actief

    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\$recycle.bin\S-1-5-21-1201653492-2640563079-1760352518-500

    c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500

    c:\users\Martin\AppData\Roaming\02000000217ae6ca729C.manifest

    c:\users\Martin\AppData\Roaming\02000000217ae6ca729O.manifest

    c:\users\Martin\AppData\Roaming\02000000217ae6ca729P.manifest

    c:\users\Martin\AppData\Roaming\02000000217ae6ca729S.manifest

    c:\users\Martin\AppData\Roaming\Mozilla\Firefox\Profiles\4u4gtz4k.default\extensions\{e45adb4d-4c9e-43f8-aa23-1d9485d4bb78}

    c:\users\Martin\AppData\Roaming\Mozilla\Firefox\Profiles\4u4gtz4k.default\extensions\{e45adb4d-4c9e-43f8-aa23-1d9485d4bb78}\chrome.manifest

    c:\users\Martin\AppData\Roaming\Mozilla\Firefox\Profiles\4u4gtz4k.default\extensions\{e45adb4d-4c9e-43f8-aa23-1d9485d4bb78}\chrome\xulcache.jar

    c:\users\Martin\AppData\Roaming\Mozilla\Firefox\Profiles\4u4gtz4k.default\extensions\{e45adb4d-4c9e-43f8-aa23-1d9485d4bb78}\defaults\preferences\xulcache.js

    c:\users\Martin\AppData\Roaming\Mozilla\Firefox\Profiles\4u4gtz4k.default\extensions\{e45adb4d-4c9e-43f8-aa23-1d9485d4bb78}\install.rdf

    c:\users\Martin\AppData\Roaming\SystemProc

    c:\windows\Fonts\MyriadPro-Regular.otf

    c:\windows\system32\twain_32.dll

    .

    (((((((((((((((((((( Bestanden Gemaakt van 2009-12-25 to 2010-01-25 ))))))))))))))))))))))))))))))

    .

    2010-01-25 14:10 . 2010-01-25 14:10 -------- d-----w- c:\users\Martin\AppData\Roaming\SUPERAntiSpyware.com

    2010-01-25 14:10 . 2010-01-25 14:10 -------- d-----w- c:\programdata\SUPERAntiSpyware.com

    2010-01-25 09:21 . 2010-01-25 09:21 388096 ----a-r- c:\users\Martin\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

    2010-01-25 09:21 . 2010-01-25 09:21 -------- d-----w- c:\program files\TrendMicro

    2010-01-25 08:45 . 2010-01-25 10:06 -------- d-----w- c:\program files\Unlocker

    2010-01-25 07:55 . 2010-01-25 07:55 680 ----a-w- c:\users\Martin\AppData\Local\d3d9caps.dat

    2010-01-24 17:41 . 2010-01-24 17:40 512096 ----a-w- c:\windows\system32\drivers\amon.sys

    2010-01-24 17:41 . 2010-01-24 17:40 298104 ----a-w- c:\windows\system32\imon.dll

    2010-01-24 17:41 . 2010-01-24 17:40 15424 ----a-w- c:\windows\system32\drivers\nod32drv.sys

    2010-01-24 17:40 . 2010-01-25 09:21 -------- d-----w- c:\program files\ESET

    2010-01-24 16:33 . 2010-01-24 16:33 5115823 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

    2010-01-24 16:21 . 2010-01-24 16:21 -------- d-----w- c:\users\Martin\AppData\Roaming\Malwarebytes

    2010-01-24 16:21 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

    2010-01-24 16:21 . 2010-01-24 16:21 -------- d-----w- c:\programdata\Malwarebytes

    2010-01-24 16:21 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2010-01-24 16:21 . 2010-01-24 16:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2010-01-24 16:14 . 2010-01-24 16:14 -------- d-----w- c:\program files\Common Files\Java

    2010-01-24 15:20 . 2010-01-24 15:20 -------- d-----w- c:\program files\CCleaner

    2010-01-22 17:51 . 2010-01-25 08:38 -------- d-----w- c:\program files\SpywareGuard

    2010-01-22 12:36 . 2010-01-22 12:36 -------- d-----w- c:\users\Martin\AppData\Local\Threat Expert

    2010-01-19 20:00 . 2010-01-19 20:01 -------- d-----w- c:\users\Martin\AppData\Roaming\vlc

    2010-01-16 11:24 . 2009-11-25 10:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

    2010-01-13 10:08 . 2009-10-19 14:42 156672 ----a-w- c:\windows\system32\t2embed.dll

    2010-01-13 10:08 . 2009-10-19 14:39 24064 ----a-w- c:\windows\system32\lpk.dll

    2010-01-13 10:08 . 2009-10-19 14:37 72704 ----a-w- c:\windows\system32\fontsub.dll

    2010-01-13 10:08 . 2009-10-19 14:37 10240 ----a-w- c:\windows\system32\dciman32.dll

    2010-01-13 10:08 . 2009-10-19 11:45 289792 ----a-w- c:\windows\system32\atmfd.dll

    2010-01-13 10:08 . 2009-10-19 14:36 34304 ----a-w- c:\windows\system32\atmlib.dll

    .

    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2010-01-25 16:35 . 2007-09-25 11:59 692336 ----a-w- c:\windows\system32\perfh013.dat

    2010-01-25 16:35 . 2007-09-25 11:59 123636 ----a-w- c:\windows\system32\perfc013.dat

    2010-01-25 16:26 . 2008-06-07 09:58 12 ----a-w- c:\windows\bthservsdp.dat

    2010-01-24 17:50 . 2008-05-03 12:48 -------- d-----w- c:\program files\FTDv3.8

    2010-01-24 16:16 . 2008-08-31 13:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy

    2010-01-24 16:13 . 2008-12-08 11:10 411368 ----a-w- c:\windows\system32\deploytk.dll

    2010-01-24 16:07 . 2008-05-16 19:41 -------- d-----w- c:\program files\Java

    2010-01-23 17:48 . 2010-01-23 17:48 1372 ----a-w- c:\users\Martin\AppData\Roaming\KqmXrcmKoJB6O.vbs

    2010-01-22 13:28 . 2008-07-29 12:52 560 ----a-w- c:\users\Martin\AppData\Roaming\wklnhst.dat

    2010-01-22 08:57 . 2010-01-22 08:57 1372 ----a-w- c:\users\Martin\AppData\Roaming\AG6wLzcZ2W9MR.vbs

    2010-01-21 14:13 . 2010-01-21 14:13 1372 ----a-w- c:\users\Martin\AppData\Roaming\K86XLBRE51o6o.vbs

    2010-01-20 19:44 . 2010-01-20 19:44 1372 ----a-w- c:\users\Martin\AppData\Roaming\qNbP21pmz4DSmn2.vbs

    2010-01-20 19:21 . 2010-01-20 19:21 1372 ----a-w- c:\users\Martin\AppData\Roaming\g95yj.vbs

    2010-01-20 18:56 . 2008-06-19 11:57 -------- d-----w- c:\program files\Microsoft Silverlight

    2010-01-20 13:39 . 2010-01-20 13:39 1372 ----a-w- c:\users\Martin\AppData\Roaming\FC87a.vbs

    2010-01-19 21:04 . 2010-01-19 21:04 1372 ----a-w- c:\users\Martin\AppData\Roaming\bB3qwOzbq0vMV1T.vbs

    2010-01-19 20:57 . 2008-07-09 14:14 -------- d-----w- c:\program files\Orbitdownloader

    2010-01-19 20:38 . 2008-06-17 16:31 -------- d-----w- c:\users\Martin\AppData\Roaming\LimeWire

    2010-01-19 19:57 . 2010-01-19 19:57 1372 ----a-w- c:\users\Martin\AppData\Roaming\S3N3VAa.vbs

    2010-01-14 10:12 . 2009-10-03 07:52 181120 ------w- c:\windows\system32\MpSigStub.exe

    2010-01-14 09:46 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail

    2009-12-24 16:35 . 2009-12-24 16:35 970504 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

    2009-12-18 12:52 . 2010-01-22 08:46 832512 ----a-w- c:\windows\system32\wininet.dll

    2009-12-18 12:48 . 2010-01-22 08:46 56320 ----a-w- c:\windows\system32\iesetup.dll

    2009-12-18 12:48 . 2010-01-22 08:46 78336 ----a-w- c:\windows\system32\ieencode.dll

    2009-12-18 12:48 . 2010-01-22 08:46 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll

    2009-12-18 12:46 . 2010-01-22 08:46 72704 ----a-w- c:\windows\system32\admparse.dll

    2009-12-18 10:18 . 2010-01-22 08:46 26624 ----a-w- c:\windows\system32\ieUnatt.exe

    2009-12-18 08:45 . 2010-01-22 08:46 48128 ----a-w- c:\windows\system32\mshtmler.dll

    2009-11-09 13:34 . 2009-12-10 08:34 24064 ----a-w- c:\windows\system32\nshhttp.dll

    2009-11-09 13:07 . 2009-12-10 08:34 31232 ----a-w- c:\windows\system32\httpapi.dll

    2009-11-09 11:01 . 2009-12-10 08:34 398848 ----a-w- c:\windows\system32\drivers\http.sys

    2009-10-29 07:59 . 2009-11-26 13:15 2048 ----a-w- c:\windows\system32\tzres.dll

    2007-11-03 10:14 . 2007-11-03 09:31 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT

    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

    REGEDIT4

    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe"

    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe"

    "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe"

    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe"

    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe"

    "nod32kui"="c:\program files\Eset\nod32kui.exe"

    c:\users\Martin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

    Canon IJ Status Monitor Canon MP510 Printer on SHAHAIRA.lnk - c:\windows\system32\rundll32.exe

    Marktplaats Zoekassistent.lnk - c:\program files\Marktplaats Zoekassistent\Marktplaats.exe

    @="Service"

    "AntiVirusOverride"=""

    "FirewallOverride"=""

    R1 nod32drv;nod32drv;c:\windows\System32\drivers\nod32drv.sys

    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe

    S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys

    S3 BthAvrcp;Bluetooth AVRCP-profiel;c:\windows\System32\drivers\BthAvrcp.sys

    S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys

    S3 fsssvc;De service Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe

    bthsvcs REG_MULTI_SZ BthServ

    WindowsMobile REG_MULTI_SZ wcescomm rapimgr

    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

    .

    Inhoud van de 'Gedeelde Taken' map

    .

    .

    ------- Bijkomende Scan -------

    .

    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    LSP: c:\windows\system32\imon.dll

    FF - ProfilePath - c:\users\Martin\AppData\Roaming\Mozilla\Firefox\Profiles\4u4gtz4k.default\

    FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=

    FF - prefs.js: browser.search.selectedEngine - Winamp Search

    FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/

    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=

    FF - prefs.js: network.proxy.type - 1

    FF - component: c:\users\Martin\AppData\Roaming\Mozilla\Firefox\Profiles\4u4gtz4k.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    .

    - - - - ORPHANS VERWIJDERD - - - -

    BHO-{c0d70ed8-d984-40c3-9666-8939ce76ea13} - (no file)

    Toolbar-{c0d70ed8-d984-40c3-9666-8939ce76ea13} - (no file)

    WebBrowser-{C0D70ED8-D984-40C3-9666-8939CE76EA13} - (no file)

    HKLM-Run-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe

    AddRemove-LimeWire - d:\muziek nog gainen\LimeWire\uninstall.exe

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2010-01-25 17:37

    Windows 6.0.6000 NTFS

    scannen van verborgen processen ...

    scannen van verborgen autostart items ...

    scannen van verborgen bestanden ...

    Scan succesvol afgerond

    verborgen bestanden: 0

    **************************************************************************

    .

    --------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

    @Denied: (A) (Users)

    @Denied: (A) (Everyone)

    @Allowed: (B 1 2 3 4 5) (S-1-5-20)

    "BlindDial"=dword:00000000

    .

    Voltooingstijd: 2010-01-25 17:40:20

    ComboFix-quarantined-files.txt 2010-01-25 16:40

    Pre-Run: 123.024.592.896 bytes beschikbaar

    Post-Run: 122.973.188.096 bytes beschikbaar

    - - End Of File - - 37C016ED60BD8E765294E45F6066F144

  • Argus

    Delete c:\program files\SpywareGuard

    Uninstalling ComboFix

    Go to Start - Run and copy the following into it:

    Combofix /Uninstall

    Download TFC and save it to your Desktop.

    Double-click TFC.exe to open the program.

    The program will close all other programs, so make sure you have saved all your work before you continue.

    Click the Start button to start the program. How long the program needs can vary.

    It can be just a few seconds, but also 5 minutes.

    Let the program do its work undisturbed until it is finished.

    When the program is finished, it will restart your computer. If this does not happen, restart your computer manually.

    And update Vista

  • lg

    The exact System Restore message is "parameter incorrect 0x80070057", after which it closes.

    The other PC is busy running TFC.

    Is another log file needed?

    LG