Persistent virus (installer.exe etc...)


The new ComboFix log:

ComboFix 09-12-26.04 - de haan 28-12-2009 13:14:27.3.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.31.1043.18.511.364 [GMT 1:00]
Running from: d:\data\de haan\Bureaublad\scan.exe
Command switches used :: d:\data\de haan\Bureaublad\CFScript.txt
AV: Norman Security Suite *On-access scanning enabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}

FILE ::
"c:\docume~1\maike\LOCALS~1\Temp\adxapie.sys"
.

(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ADXAPIE
-------\Service_adxapie

(((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 ))))))))))))))))))))))))))))))
.
2009-12-27 18:12 . 2009-12-27 18:24 -------- d-----w- C:\scan
2009-12-27 12:33 . 2009-12-27 12:33 -------- d-----w- c:\documents and settings\de haan\Application Data\Malwarebytes
2009-12-27 11:17 . 2009-12-03 15:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-27 11:17 . 2009-12-27 11:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware12
2009-12-27 11:17 . 2009-12-03 15:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-26 21:14 . 2009-12-26 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-26 21:14 . 2009-12-27 11:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-26 21:13 . 2009-12-26 21:13 -------- d-----w- c:\program files\Trend Micro
2009-12-23 21:27 . 2009-12-23 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-23 21:22 . 2009-12-27 13:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-23 21:22 . 2009-12-26 21:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-23 21:19 . 2009-12-23 21:19 -------- d-----w- c:\documents and settings\de haan\Application Data\AVG8
.

((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 12:08 . 2008-01-12 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Rabo Support
2009-12-26 19:44 . 2008-05-25 09:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-21 19:13 . 2007-12-31 13:16 -------- d-----w- c:\program files\XviD
2009-12-12 18:57 . 2007-03-07 12:28 -------- d-----w- c:\program files\Thoroughbred Tycoon
2009-12-10 15:18 . 2004-08-04 12:00 90586 ----a-w- c:\windows\system32\perfc013.dat
2009-12-10 15:18 . 2004-08-04 12:00 508910 ----a-w- c:\windows\system32\perfh013.dat
2009-11-12 20:16 . 2007-03-04 15:41 -------- d-----w- c:\program files\Picasa2
2009-10-29 07:46 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 06:03 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:03 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 12:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-04 12:00 267264 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-04 12:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-04 12:00 112640 ----a-w- c:\windows\system32\rastls.dll
2009-10-08 10:59 . 2009-01-24 12:31 21832 ----a-w- c:\windows\system32\drivers\nvcw32mf.sys
2009-10-07 12:07 . 2008-10-14 17:05 214344 ----a-w- c:\windows\system32\nscrnsav.scr
2007-07-26 20:33 . 2007-03-04 15:44 66408 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-07-26 20:33 . 2007-03-04 15:44 54112 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-07-26 20:33 . 2007-03-04 15:44 34688 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2007-07-26 20:33 . 2007-03-04 15:44 46456 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2007-07-26 20:33 . 2007-03-04 15:44 171880 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-02-18 206184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-25 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"nwiz"="nwiz.exe" [2006-08-11 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"Norman ZANDA"="c:\norman\Npm\Bin\ZLH.EXE" [2009-10-07 189824]
"SoundMan"="SOUNDMAN.EXE" [2005-02-23 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-18 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-18 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
EPSON Status Monitor 3 Environment Check(2).lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2008-3-1 131584]
Rabo Session Monitor.lnk - c:\program files\Rabo\Support\RaboSessionMon.exe [2005-1-5 869888]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Snelstart HP Image Zone.lnk]
path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\Snelstart HP Image Zone.lnk
backup=c:\windows\pss\Snelstart HP Image Zone.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 21:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2006-03-28 13:48 622592 ------r- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-04-10 12:58 61440 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-02-12 12:38 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-03-02 14:24 257088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\data\\de haan\\Mijn documenten\\ActiveInstall_NL.exe"=
"c:\\Program Files\\BankingTools\\C@shflow\\C@shFlowApp.exe"=
"c:\\Program Files\\BankingTools\\C@shflow v3\\C@shflowApp.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Common Files\\PocketSoft\\RTPatch\\AutoRTP\\artpschd.exe"=

R0 nlem32nt;NLEM32NT;c:\windows\system32\drivers\nlem32nt.sys [13-1-2008 14:53 32880]
R1 NGS;Norman General Security Driver;c:\norman\ngs\bin\ngs.sys [28-2-2009 10:25 25032]
R1 NPROSEC;Norman Security driver;c:\norman\ngs\bin\nprosec.sys [12-5-2009 20:47 56136]
R2 Ndiskio;Ndiskio;c:\norman\Nse\Bin\Ndiskio.sys [15-10-2009 18:30 24168]
R2 NPROSECSVC;Norman Security service;c:\norman\ngs\bin\nprosec.exe [12-5-2009 20:47 124232]
R2 NVOY;Norman Resource Provider;c:\norman\npm\bin\nvoy.exe [14-10-2008 18:05 128328]
R2 Srv_RaboComm;Rabo Comm Server;c:\windows\system32\RaboCommSrv.exe [13-1-2008 14:53 368128]
R3 nsesvc;Norman Scanner Engine Service;c:\norman\Nse\Bin\Nsesvc.exe [10-12-2009 18:14 283976]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [24-1-2009 13:31 21832]
R3 nvcoas;Norman Virus Control on-access component;c:\norman\NVC\bin\Nvcoas.exe [21-2-2009 11:31 197960]
R3 Scheduler;Norman Scheduler Service;c:\norman\npm\bin\scheduler.exe [12-5-2009 20:48 132424]
S3 KMUSBSC2;KM USB Scan Svc2;c:\windows\system32\drivers\KMUSBSC2.sys [27-1-2008 20:24 25344]
S3 KMUSBSCN;KM USB Scan Svc;c:\windows\system32\drivers\KMUSBSCN.sys [27-1-2008 20:22 31232]
S3 NVCScheduler;Norman Virus Control Scheduler;"c:\norman\Npm\Bin\Nvcsched.exe" --> c:\norman\Npm\Bin\Nvcsched.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.

------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://195.86.127.26/activex/AMC.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-12-28 13:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2640)
c:\norman\nvc\bin\Niphk.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.

------------------------ Other Running Processes ------------------------
.
c:\norman\Npm\bin\ELOGSVC.EXE
c:\norman\Npm\Bin\Zanda.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\norman\Npm\Bin\Njeeves.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\SOUNDMAN.EXE
c:\norman\Nvc\Bin\Nip.exe
c:\norman\Nvc\Bin\cclaw.exe
c:\program files\Java\jre1.6.0_02\bin\jucheck.exe
.

**************************************************************************
.
Completion time: 2009-12-28 13:36:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-28 12:36
ComboFix2.txt 2009-12-27 18:24
ComboFix3.txt 2009-12-27 12:11

Pre-Run: 5,504,540,672 bytes free
Post-Run: 5,442,252,800 bytes free

- - End Of File - - 82621E5BAC385D0BB8C61925501BBE48

---------- Post added at 15:11 ---------- Previous post was at 15:10 ----------

The new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:06:19, on 28-12-2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Norman\Npm\bin\ELOGSVC.EXE
C:\Norman\Ngs\Bin\Nprosec.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Norman\Npm\Bin\Zanda.exe
C:\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RaboCommSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Norman\Npm\Bin\scheduler.exe
C:\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\nse\bin\NSESVC.EXE
C:\Norman\Nvc\Bin\nvcoas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Norman\Npm\Bin\ZLH.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Norman\Nvc\Bin\Nip.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Norman\Nvc\Bin\cclaw.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Rabo\Support\RaboSessionMon.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Norman ZANDA] "C:\Norman\Npm\Bin\ZLH.EXE" /LOAD /SPLASH
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Rabo Session Monitor.lnk = C:\Program Files\Rabo\Support\RaboSessionMon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://195.86.127.26/activex/AMC.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.EXE
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norman NJeeves - Norman ASA - C:\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Security service (NPROSECSVC) - Norman ASA - C:\Norman\Ngs\Bin\Nprosec.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Norman ASA - C:\Norman\nse\bin\NSESVC.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\Bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Unknown owner - C:\Norman\Npm\Bin\Nvcsched.exe (file missing)
O23 - Service: Norman Resource Provider (NVOY) - Norman ASA - C:\Norman\npm\bin\nvoy.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Norman Scheduler Service (Scheduler) - Norman ASA - C:\Norman\Npm\Bin\scheduler.exe
O23 - Service: Rabo Comm Server (Srv_RaboComm) - Rabobank Nederland - C:\WINDOWS\system32\RaboCommSrv.exe

--
End of file - 8741 bytes

(By the way, safe mode worked... just press F5. I couldn't see Norman in safe mode, but ComboFix did say that Norman was on :S)

Edited by kape
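The logs above show what a helper looks for by eye: a kernel driver (adxapie) registered as a service but living in a user's Temp folder, a service entry whose binary is gone, and Run entries that name a bare file. As an added example that is not part of the original thread nor of ComboFix or HijackThis, here is a small Python triage script that applies those checks to the driver/service lines of a ComboFix log and the O4/O23 lines of a HijackThis log. The sample lines are constructed from the logs in this thread; the `R1 adxapie;...` service line and the `[updater]` Run entry are assumptions, since the ComboFix log shows only the driver's deletion and the path that CFScript was given.

```python
"""Triage ComboFix / HijackThis driver, service and Run-key lines.

Added example, not part of ComboFix or HijackThis. The heuristics are the
ones a helper applies by eye: where does the binary live, does it still
exist, who made it, and is it named by a bare file name.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Constructed sample, modelled on the logs in this thread. The adxapie and
# [updater] lines are assumptions: the ComboFix log only shows the driver's
# deletion and the Temp path that CFScript told it to remove.
SAMPLE_LOG = r"""
R1 adxapie;adxapie;c:\docume~1\maike\LOCALS~1\Temp\adxapie.sys [27-12-2009 18:01 24576]
R1 NGS;Norman General Security Driver;c:\norman\ngs\bin\ngs.sys [28-2-2009 10:25 25032]
R3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [24-1-2009 13:31 21832]
S3 NVCScheduler;Norman Virus Control Scheduler;"c:\norman\Npm\Bin\Nvcsched.exe" --> c:\norman\Npm\Bin\Nvcsched.exe [?]
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [updater] "C:\Documents and Settings\maike\Local Settings\Temp\installer.exe" /s
"""

# ComboFix: "R1 name;display name;path [date time size]"   ("[?]" = file not found)
CF_SERVICE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# HijackThis: "O23 - Service: display - owner - path [(file missing)]"
HJT_O23 = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<rest>.+)$")
# HijackThis: "O4 - hive: [value name] command line"
HJT_O4 = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<rest>.+)$")
# Locations an unprivileged user can write to; no driver or service belongs there.
USER_WRITABLE = re.compile(
    r"\\(temp|locals~1|local settings|docume~1|documents and settings|application data)\\", re.I)
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


@dataclass
class Entry:
    kind: str            # "driver", "service" or "run"
    name: str
    path: str
    missing: bool = False
    owner: str = ""


@dataclass
class Finding:
    severity: str
    name: str
    path: str
    reason: str


def first_path(rest: str) -> str:
    """Binary path from the remainder of a line: the quoted string, else the first token."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:rest.index('"', 1)]
    return rest.split()[0]


def parse(line: str) -> Entry | None:
    """Turn one log line into an Entry; lines of other types yield None."""
    line = line.strip()
    if m := CF_SERVICE.match(line):
        path = first_path(m["rest"])
        kind = "driver" if path.lower().endswith(".sys") else "service"
        return Entry(kind, m["name"], path, missing=m["rest"].endswith("[?]"))
    if m := HJT_O23.match(line):
        missing = m["rest"].endswith("(file missing)")
        path = m["rest"].replace("(file missing)", "").strip()
        return Entry("service", m["display"], path, missing=missing, owner=m["owner"])
    if m := HJT_O4.match(line):
        return Entry("run", m["name"], first_path(m["rest"]))
    return None


def assess(e: Entry) -> list[Finding]:
    """Apply the helper's eyeball checks to one entry."""
    findings: list[Finding] = []
    if USER_WRITABLE.search(e.path):
        what = "kernel driver" if e.kind == "driver" else "autostart binary"
        findings.append(Finding("high", e.name, e.path, f"{what} loaded from a user-writable location"))
    if e.missing:
        findings.append(Finding("medium", e.name, e.path, "registered but file missing (orphaned or hidden entry)"))
    if e.owner.lower() == "unknown owner":
        findings.append(Finding("low", e.name, e.path, "binary carries no vendor information"))
    if e.kind == "run" and "\\" not in e.path:
        findings.append(Finding("info", e.name, e.path, "bare file name, resolved through the search path"))
    return findings


def triage(text: str) -> list[Finding]:
    """Parse every line of a log and return findings, most severe first."""
    findings: list[Finding] = []
    for line in text.splitlines():
        entry = parse(line)
        if entry is not None:
            findings.extend(assess(entry))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


if __name__ == "__main__":
    # With a file argument the script triages a saved log; without one, the sample above.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"[{f.severity:6}] {f.name}: {f.reason}\n         {f.path}")
```

On the sample, adxapie and the Temp-resident Run entry come out as high, the two dangling services as medium, and the bare `nwiz.exe` as informational. A "medium" hit such as NVCScheduler is not proof of infection (here it is a leftover of the Norman suite), which is why the script ranks rather than judges; the final call still belongs to the helper reading the log.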

You can still do the following to clean up the remnants of the infection: remove the tools that were used, run a cleaning, and delete the infected restore points.

Uninstall ComboFix: Start -> Run and type: ComboFix /Uninstall

This will remove ComboFix together with its related folders and files, restore the clock settings, hide file extensions again, re-hide hidden files and system files, and create a new restore point.

Delete the following folder with Windows Explorer: C:\Qoobox (if still present).

Download CCleaner. On that page, click one of the MajorGeeks mirror sites and the free CCleaner download will start automatically.

Install it and start CCleaner. In the left column, click "Cleaner". Click "Analyze" and then "Run Cleaner". Sometimes one analysis is not enough; you may repeat this procedure until the analysis no longer reports any issues. Then click "Registry" in the left column and click "Scan for Issues". If issues are found, click "Fix selected issues" and "OK". You will then be asked to make a backup. Click "Yes". Then choose "Fix All Selected Issues". Afterwards, close CCleaner.

If you want to see this in detail with screenshots, click here for the guide.

That's it!

I no longer have any problems, but in an earlier message I said something about a trojan in system32; can I delete that file, or is it important?
By that you probably mean that rootkit in System32? That one has already been cleaned up along with the rest :-)

Did you enter the command correctly, with a space before the slash and no space after the slash? So: ComboFix /Uninstall

Not-a-virus says enough. It is recognized as not a normal file, but not as a virus. Most antivirus scanners have trouble with ComboFix (entirely unjustified).
