Little problems

  • fazantje

    Hello,

    I have a little problem, namely the following:

    My wife was downloading games from various games sites and then she got a notification at the bottom right from Antimalware Doctor Inc.

    Bad news, of course; she had already realised that herself.

    So she texted me asking what she should do.

    Went through all the steps from this board.

    MBAM removed quite a lot and HijackThis looks fine apart from iWin Games, but that's not where the problem is.

    When I got home, the notifications at the bottom right were already gone thanks to MBAM, but I still wasn't comfortable about it.

    I ran MBAM once more and, damn, it found another 2 items.

    Combo doesn't work with Win7, so I'd appreciate some help on how to proceed, because my gut says there's more:X

    Here are the 2 MBAM logs and the HijackThis log:

    Malwarebytes' Anti-Malware 1.46

    www.malwarebytes.org

    Databaseversie: 4516

    Windows 6.1.7600

    Internet Explorer 8.0.7600.16385

    31-8-2010 19:24:23

    mbam-log-2010-08-31 (19-24-23).txt

    Scantype: Snelle scan

    Objecten gescand: 137636

    Verstreken tijd: 4 minuut/minuten, 34 seconde(n)

    Geheugenprocessen geïnfecteerd: 1

    Geheugenmodulen geïnfecteerd: 0

    Registersleutels geïnfecteerd: 6

    Registerwaarden geïnfecteerd: 4

    Registerdata geïnfecteerd: 0

    Mappen geïnfecteerd: 0

    Bestanden geïnfecteerd: 10

    Geheugenprocessen geïnfecteerd:

    C:\Users\vanzanten\AppData\Roaming\E464907687BF1E599DCE8D76C7B76165\mediafix70700en02.exe (Malware.Packer.Gen) -> Unloaded process successfully.

    Geheugenmodulen geïnfecteerd:

    (Geen kwaadaardige objecten gedetecteerd)

    Registersleutels geïnfecteerd:

    HKEY_CURRENT_USER\SOFTWARE\OTGV1DNWQQ (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\XBV6RD5SZF (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registerwaarden geïnfecteerd:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mediafix70700en02.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcaeomxsnr.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xbv6rd5szf (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\metropolis (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registerdata geïnfecteerd:

    (Geen kwaadaardige objecten gedetecteerd)

    Mappen geïnfecteerd:

    (Geen kwaadaardige objecten gedetecteerd)

    Bestanden geïnfecteerd:

    C:\Users\vanzanten\AppData\Roaming\E464907687BF1E599DCE8D76C7B76165\mediafix70700en02.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

    C:\Users\vanzanten\AppData\Local\Temp\wcaeomxsnr.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

    C:\Users\vanzanten\AppData\Local\Temp\osarnwcmxe.exe (Adware.BHO) -> Quarantined and deleted successfully.

    C:\Users\vanzanten\AppData\Local\Temp\Ygn.exe (Trojan.FakeAlert) -> Delete on reboot.

    C:\Users\vanzanten\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

    C:\Users\vanzanten\AppData\Roaming\Microsoft\Windows\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

    C:\Users\vanzanten\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.

    C:\Users\vanzanten\AppData\Local\Temp\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.

    C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

    C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

    Now the log from a few hours later, after rebooting:

    Malwarebytes' Anti-Malware 1.46

    www.malwarebytes.org

    Databaseversie: 4517

    Windows 6.1.7600

    Internet Explorer 8.0.7600.16385

    31-8-2010 22:58:39

    mbam-log-2010-08-31 (22-58-39).txt

    Scantype: Snelle scan

    Objecten gescand: 136814

    Verstreken tijd: 4 minuut/minuten, 24 seconde(n)

    Geheugenprocessen geïnfecteerd: 0

    Geheugenmodulen geïnfecteerd: 0

    Registersleutels geïnfecteerd: 1

    Registerwaarden geïnfecteerd: 0

    Registerdata geïnfecteerd: 0

    Mappen geïnfecteerd: 0

    Bestanden geïnfecteerd: 1

    Geheugenprocessen geïnfecteerd:

    (Geen kwaadaardige objecten gedetecteerd)

    Geheugenmodulen geïnfecteerd:

    (Geen kwaadaardige objecten gedetecteerd)

    Registersleutels geïnfecteerd:

    HKEY_CURRENT_USER\SOFTWARE\OTGV1DNWQQ (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registerwaarden geïnfecteerd:

    (Geen kwaadaardige objecten gedetecteerd)

    Registerdata geïnfecteerd:

    (Geen kwaadaardige objecten gedetecteerd)

    Mappen geïnfecteerd:

    (Geen kwaadaardige objecten gedetecteerd)

    Bestanden geïnfecteerd:

    C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

    The HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.4

    Scan saved at 10:23:13, on 1-8-2010

    Platform: Windows 7 (WinNT 6.00.3504)

    MSIE: Internet Explorer v8.00 (8.00.7600.16385)

    Boot mode: Normal

    Running processes:

    C:\Windows\system32\Dwm.exe

    C:\Windows\system32\taskhost.exe

    C:\Windows\Explorer.EXE

    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

    C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe

    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

    C:\Program Files\Windows Sidebar\sidebar.exe

    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

    C:\Program Files\WinZip\WZQKPICK.EXE

    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

    C:\Program Files\Vuze\Azureus.exe

    C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fazantje.onzestart.nl/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O1 - Hosts: ::1 localhost

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

    O2 - BHO: Aanmeldhulp voor Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

    O4 - HKLM\..\Run: C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

    O4 - HKLM\..\Run: "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"

    O4 - HKLM\..\Run: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

    O4 - HKLM\..\Run: "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

    O4 - HKLM\..\Run: "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

    O4 - HKLM\..\Run: "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

    O4 - HKLM\..\Run: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

    O4 - HKLM\..\Run: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

    O4 - HKLM\..\Run: "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    O4 - HKCU\..\Run: C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

    O4 - HKCU\..\Run: C:\Windows\ehome\ehTray.exe

    O4 - HKUS\S-1-5-19\..\Run: %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-19\..\RunOnce: C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-20\..\RunOnce: C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

    O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

    O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

    O15 - Trusted IP range: http://192.168.2.1

    O15 - ESC Trusted IP range: http://192.168.2.1

    O17 - HKLM\System\CCS\Services\Tcpip\..\{928BDF55-302B-4227-8C6A-9D6065F134DC}: NameServer = 192.168.2.1

    O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

    O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

    O23 - Service: Google Updateservice (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)

    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

    O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

    End of file - 5570 bytes

    Thanks in advance.

  • Teaser

    Run a scan with this

    trojan scanner

    Report the result

  • fazantje

    Hi Teaser,

    Thanks for your help(tu)

    The scanner you mentioned didn't work.

    So I thought Combo wasn't for Win 7, but it's only not for the 64-bit version.

    Here are the ComboFix log and a new HijackThis log:

    ComboFix 10-08-31.02 - vanzanten 01-09-2010 11:39:27.1.4 - x86

    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.31.1043.18.3071.1971

    Gestart vanuit: c:\users\vanzanten\Desktop\ComboFix.exe

    * Aanwezig AV is actief

    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\program files\iWin Games\iWinGamesHookIE.dll

    c:\users\vanzanten\AppData\Roaming\.#

    c:\users\vanzanten\AppData\Roaming\E464907687BF1E599DCE8D76C7B76165

    c:\users\vanzanten\AppData\Roaming\E464907687BF1E599DCE8D76C7B76165\enemies-names.txt

    c:\users\vanzanten\AppData\Roaming\E464907687BF1E599DCE8D76C7B76165\local.ini

    c:\users\vanzanten\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor

    c:\users\vanzanten\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk

    c:\users\vanzanten\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk

    c:\windows\system32\%appdata%

    .

    (((((((((((((((((((( Bestanden Gemaakt van 2010-08-01 to 2010-09-01 ))))))))))))))))))))))))))))))

    .

    2010-09-01 09:43 . 2010-09-01 09:43 -------- d-----w- c:\users\Default\AppData\Local\temp

    2010-09-01 07:14 . 2010-09-01 07:16 -------- d-----w- c:\program files\Windows Live Safety Center

    2010-08-31 15:19 . 2010-08-31 15:21 -------- d-----w- C:\Games

    2010-08-31 15:18 . 2010-08-31 15:18 -------- d-----w- c:\users\vanzanten\AppData\Roaming\Peace Craft

    2010-08-31 11:08 . 2010-08-31 11:08 -------- d-----w- c:\program files\Common Files\Oberon Media

    2010-08-30 14:17 . 2010-08-30 14:17 -------- d-----w- c:\program files\Common Files\Sandlot Shared

    2010-08-30 11:20 . 2010-08-30 11:20 -------- d-----w- c:\programdata\Trymedia

    2010-08-30 11:13 . 2010-08-31 15:21 -------- d-----w- c:\program files\RealArcade

    2010-08-29 16:52 . 2010-08-31 20:32 -------- d-----w- c:\program files\Gabest

    2010-08-28 13:45 . 2010-08-31 15:44 -------- d-----w- c:\programdata\WildTangent

    2010-08-28 10:45 . 2010-08-28 10:45 -------- d-----w- c:\program files\iWin.com

    2010-08-28 10:43 . 2010-08-28 10:43 -------- d-----w- c:\programdata\iWin Games

    2010-08-28 10:43 . 2010-07-07 20:50 46128 ----a-w- c:\programdata\iWin Games\firefox\iWinArcadeLauncher.exe

    2010-08-28 10:43 . 2010-09-01 09:43 -------- d-----w- c:\program files\iWin Games

    2010-08-27 11:52 . 2010-08-27 11:52 -------- d-----w- c:\users\vanzanten\AppData\Roaming\AlderGames

    2010-08-27 11:51 . 2010-08-27 11:51 -------- d-----w- c:\program files\Bee Garden

    2010-08-26 13:12 . 2010-08-26 13:33 -------- d-----w- c:\users\vanzanten\AppData\Roaming\PeaceCraft2

    2010-08-26 10:19 . 2009-11-25 10:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll

    2010-08-26 10:19 . 2009-11-25 10:47 49472 ----a-w- c:\windows\system32\netfxperf.dll

    2010-08-26 10:19 . 2009-11-25 10:47 297808 ----a-w- c:\windows\system32\mscoree.dll

    2010-08-26 10:19 . 2009-11-25 10:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe

    2010-08-26 10:19 . 2009-11-25 10:47 1130824 ----a-w- c:\windows\system32\dfshim.dll

    2010-08-25 07:22 . 2010-04-07 07:10 571904 ----a-w- c:\windows\system32\oleaut32.dll

    2010-08-17 14:02 . 2010-08-17 14:10 -------- d-----w- c:\users\vanzanten\AppData\Roaming\Microsoft Games

    2010-08-17 14:02 . 2010-08-17 14:02 -------- d-----w- c:\program files\Common Files\Microsoft Games

    2010-08-17 13:56 . 2010-08-17 13:56 -------- d-----w- c:\programdata\Microsoft Games

    2010-08-15 06:29 . 2010-08-15 06:30 -------- d-----w- c:\program files\Google

    2010-08-11 06:05 . 2010-06-16 05:48 224256 ----a-w- c:\windows\system32\schannel.dll

    2010-08-10 16:34 . 2010-08-10 16:34 310208 ----a-w- c:\users\vanzanten\AppData\Roaming\Azureus\plugins\mlab\ShaperProbeC.exe

    2010-08-09 10:55 . 2010-08-09 10:55 -------- d-----w- c:\users\vanzanten\AppData\Roaming\Jumb-O-Fun Games

    .

    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2010-09-01 09:46 . 2009-10-11 14:23 -------- d-----w- c:\users\vanzanten\AppData\Roaming\LimeWire

    2010-09-01 09:24 . 2009-10-10 12:13 -------- d-----w- c:\users\vanzanten\AppData\Roaming\Azureus

    2010-09-01 07:15 . 2009-07-14 08:27 701326 ----a-w- c:\windows\system32\perfh013.dat

    2010-09-01 07:15 . 2009-07-14 08:27 133358 ----a-w- c:\windows\system32\perfc013.dat

    2010-08-31 20:51 . 2010-04-16 19:26 -------- d-----w- c:\program files\SpywareBlaster

    2010-08-31 17:47 . 2010-01-10 15:31 -------- d-----w- c:\program files\Oberon Media

    2010-08-31 09:51 . 2010-01-22 12:07 -------- d-----w- c:\program files\Simple Port Forwarding

    2010-08-28 07:55 . 2009-10-10 12:15 179 ----a-w- c:\users\vanzanten\AppData\Roaming\Azureus\restart.bat

    2010-08-26 13:09 . 2009-12-16 16:53 -------- d-----w- c:\program files\bfgclient

    2010-08-26 10:20 . 2009-10-11 19:08 -------- d-----w- c:\program files\Microsoft.NET

    2010-08-17 14:05 . 2009-08-20 12:11 -------- d--h--w- c:\program files\InstallShield Installation Information

    2010-08-17 13:52 . 2009-07-14 04:52 -------- d-----w- c:\program files\Microsoft Games

    2010-08-17 13:09 . 2010-02-07 12:35 -------- d-----w- c:\program files\1001 Nights The Adventures of Sindbad

    2010-08-17 13:06 . 2010-04-06 10:33 -------- d-----w- c:\program files\Big Fish Games

    2010-08-17 13:04 . 2010-03-03 14:51 -------- d-----w- c:\program files\Shaman Odyssey Tropic Adventure

    2010-08-17 13:03 . 2010-06-02 11:13 -------- d-----w- c:\program files\Buried in Time

    2010-08-17 13:03 . 2010-05-17 12:37 -------- d-----w- c:\program files\Drawn The Painted Tower

    2010-08-17 13:02 . 2010-02-13 17:31 -------- d-----w- c:\program files\Games

    2010-08-17 13:02 . 2010-02-27 16:56 -------- d-----w- c:\program files\Azada Ancient Magic

    2010-08-15 21:52 . 2009-10-09 19:03 -------- d-----w- c:\program files\CCleaner

    2010-08-10 16:32 . 2009-10-10 12:12 -------- d-----w- c:\program files\Vuze

    2010-08-01 17:18 . 2009-08-20 12:07 -------- d-----w- c:\programdata\NVIDIA

    2010-08-01 12:06 . 2009-11-08 17:03 -------- d-----w- c:\program files\SystemRequirementsLab

    2010-08-01 12:02 . 2010-08-01 12:02 85504 ----a-w- c:\users\vanzanten\AppData\Roaming\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll

    2010-08-01 12:02 . 2009-11-08 17:03 -------- d-----w- c:\users\vanzanten\AppData\Roaming\SystemRequirementsLab

    2010-07-31 17:12 . 2010-04-24 13:16 -------- d-----w- c:\program files\NVIDIA Corporation

    2010-07-31 17:10 . 2010-07-31 17:10 -------- d-----w- c:\programdata\NVIDIA Corporation

    2010-07-31 16:56 . 2010-07-31 16:56 290816 ----a-w- c:\users\vanzanten\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_4.dll

    2010-07-31 16:56 . 2010-07-31 16:56 290816 ----a-w- c:\users\vanzanten\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_3.dll

    2010-07-31 16:56 . 2010-07-31 16:56 290816 ----a-w- c:\users\vanzanten\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_2.dll

    2010-07-31 16:56 . 2010-07-31 16:56 290816 ----a-w- c:\users\vanzanten\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_1.dll

    2010-07-31 16:53 . 2010-07-31 16:53 -------- d-----w- c:\program files\Lavalys

    2010-07-31 11:04 . 2010-07-31 11:04 -------- d-----w- c:\program files\Electronic Arts

    2010-07-29 06:30 . 2010-08-11 06:06 197632 ----a-w- c:\windows\system32\ir32_32.dll

    2010-07-29 06:30 . 2010-08-11 06:06 82944 ----a-w- c:\windows\system32\iccvid.dll

    2010-07-21 13:25 . 2010-07-20 15:35 -------- d-----w- c:\programdata\FarmFrenzy3_Madagascar

    2010-07-20 15:34 . 2010-07-20 15:34 -------- d-----w- c:\program files\Farm Frenzy 3 Madagascar

    2010-07-19 17:09 . 2010-07-19 17:09 -------- d-----w- c:\program files\Cybertek Games

    2010-07-19 14:25 . 2009-12-16 17:00 -------- d-----w- c:\users\vanzanten\AppData\Roaming\PlayFirst

    2010-07-19 14:25 . 2009-12-16 17:00 -------- d-----w- c:\programdata\PlayFirst

    2010-07-09 22:37 . 2010-07-31 17:06 236136 ----a-w- c:\windows\system32\nvcod1922.dll

    2010-07-09 22:37 . 2009-08-20 10:54 604776 ----a-w- c:\windows\system32\nvudisp.exe

    2010-07-09 14:20 . 2010-07-09 14:20 1881704 ----a-w- c:\windows\system32\nvsvcr.dll

    2010-07-07 11:46 . 2009-12-15 09:07 604776 ----a-w- c:\windows\system32\nvuninst.exe

    2010-06-30 06:25 . 2010-08-11 06:06 978432 ----a-w- c:\windows\system32\wininet.dll

    2010-06-22 02:47 . 2010-08-11 06:06 310784 ----a-w- c:\windows\system32\drivers\srv.sys

    2010-06-22 02:47 . 2010-08-11 06:06 307200 ----a-w- c:\windows\system32\drivers\srv2.sys

    2010-06-22 02:47 . 2010-08-11 06:06 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys

    2010-06-21 22:07 . 2010-07-31 17:12 26216 ----a-w- c:\windows\system32\nvhdap32.dll

    2010-06-21 22:07 . 2009-08-20 10:54 600680 ----a-w- c:\windows\system32\nvuhda.exe

    2010-06-21 22:07 . 2009-08-20 10:54 232040 ----a-w- c:\windows\system32\nvcohda.dll

    2010-06-21 22:07 . 2010-07-31 17:12 105576 ----a-w- c:\windows\system32\drivers\nvhda32v.sys

    2010-06-19 06:33 . 2010-08-11 06:06 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe

    2010-06-19 06:33 . 2010-08-11 06:06 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe

    2010-06-19 06:23 . 2010-08-11 06:06 37376 ----a-w- c:\windows\system32\rtutils.dll

    2010-06-19 04:07 . 2010-08-11 06:06 2326016 ----a-w- c:\windows\system32\win32k.sys

    2010-06-14 06:12 . 2010-08-11 06:06 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys

    2010-06-08 06:02 . 2010-08-11 06:06 1233920 ----a-w- c:\windows\system32\msxml3.dll

    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat

    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

    REGEDIT4

    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe"

    "ehTray.exe"="c:\windows\ehome\ehTray.exe"

    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe"

    "CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe"

    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe"

    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe"

    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe"

    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe"

    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe"

    c:\users\vanzanten\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

    LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe

    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE

    "ConsentPromptBehaviorAdmin"= 5 (0x5)

    "ConsentPromptBehaviorUser"= 3 (0x3)

    "EnableUIADesktopToggle"= 0 (0x0)

    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

    R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

    R2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe

    R3 DCamUSBDigitalCamera;Digital Camera;c:\windows\system32\Drivers\mpixvid.sys

    R3 WatAdminSvc;Windows Activation Technologies-service;c:\windows\system32\Wat\WatAdminSvc.exe

    R3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys

    R4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe

    R4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe

    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys

    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys

    S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe

    S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys

    S2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe

    S3 netr28u;Stuurprogramma voor RT2870 USB draadloze LAN-kaart voor Vista;c:\windows\system32\DRIVERS\netr28u.sys

    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys

    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys

    --- Andere Services/Drivers In Geheugen ---

    *Deregistered* - easdrv

    *Deregistered* - epfwtdir

    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    .

    Inhoud van de 'Gedeelde Taken' map

    2010-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

    - c:\program files\Google\Update\GoogleUpdate.exe

    2010-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

    - c:\program files\Google\Update\GoogleUpdate.exe

    .

    .

    ------- Bijkomende Scan -------

    .

    uStart Page = hxxp://fazantje.onzestart.nl/

    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

    TCP: {928BDF55-302B-4227-8C6A-9D6065F134DC} = 192.168.2.1

    FF - ProfilePath - c:\users\vanzanten\AppData\Roaming\Mozilla\Firefox\Profiles\bjpizzn2.default\

    FF - prefs.js: browser.startup.homepage - hxxp://fazantje.onzestart.nl/

    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----

    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

    .

    - - - - ORPHANS VERWIJDERD - - - -

    WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)

    .

    --------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

    @Denied: (A) (Users)

    @Denied: (A) (Everyone)

    @Allowed: (B 1 2 3 4 5) (S-1-5-20)

    "BlindDial"=dword:00000000

    @Denied: (Full) (Everyone)

    .

    ------------------------ Andere Aktieve Processen ------------------------

    .

    c:\windows\system32\nvvsvc.exe

    c:\windows\system32\nvvsvc.exe

    c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

    c:\windows\system32\taskhost.exe

    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

    c:\windows\system32\WUDFHost.exe

    c:\windows\system32\conhost.exe

    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

    c:\program files\Windows Media Player\wmpnetwk.exe

    c:\windows\servicing\TrustedInstaller.exe

    c:\windows\system32\sppsvc.exe

    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE

    .

    **************************************************************************

    .

    Voltooingstijd: 2010-09-01 11:49:02 - machine werd herstart

    ComboFix-quarantined-files.txt 2010-09-01 09:49

    Pre-Run: 260.634.861.568 bytes beschikbaar

    Post-Run: 260.586.774.528 bytes beschikbaar

    - - End Of File - - 5691024E32CF33C1A8E0F71E0BFC7339

    Logfile of Trend Micro HijackThis v2.0.4

    Scan saved at 10:23:13, on 1-8-2010

    Platform: Windows 7 (WinNT 6.00.3504)

    MSIE: Internet Explorer v8.00 (8.00.7600.16385)

    Boot mode: Normal

    Running processes:

    C:\Windows\system32\Dwm.exe

    C:\Windows\system32\taskhost.exe

    C:\Windows\Explorer.EXE

    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

    C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe

    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

    C:\Program Files\Windows Sidebar\sidebar.exe

    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

    C:\Program Files\WinZip\WZQKPICK.EXE

    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

    C:\Program Files\Vuze\Azureus.exe

    C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fazantje.onzestart.nl/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O1 - Hosts: ::1 localhost

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

    O2 - BHO: Aanmeldhulp voor Windows Live ID - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

    O4 - HKLM\..\Run: C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

    O4 - HKLM\..\Run: "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"

    O4 - HKLM\..\Run: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

    O4 - HKLM\..\Run: "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

    O4 - HKLM\..\Run: "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

    O4 - HKLM\..\Run: "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

    O4 - HKLM\..\Run: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

    O4 - HKLM\..\Run: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

    O4 - HKLM\..\Run: "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    O4 - HKCU\..\Run: C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

    O4 - HKCU\..\Run: C:\Windows\ehome\ehTray.exe

    O4 - HKUS\S-1-5-19\..\Run: %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-19\..\RunOnce: C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-20\..\RunOnce: C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

    O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

    O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

    O15 - Trusted IP range: http://192.168.2.1

    O15 - ESC Trusted IP range: http://192.168.2.1

    O17 - HKLM\System\CCS\Services\Tcpip\..\{928BDF55-302B-4227-8C6A-9D6065F134DC}: NameServer = 192.168.2.1

    O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

    O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

    O23 - Service: Google Updateservice (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)

    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

    O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

    End of file - 5570 bytes

    Thanks in advance once again(:D

    Fazantje.

  • fazantje

    Thanks for the help(tu)

    The computer is in top shape again:)-D

    Fazantje.

  • Piet

    Otherwise just wait for our Huib.

  • fazantje

    It's been solved nicely this way, Piet, so why wait for me:S

    I think, in fact I'm sure, that Teaser knows more than I do:D

    Greetings, Huib:)