View Full Version : WinspywareProtect



pjoterke
20 July 2008, 01:33
Dear fellow forum members,

I have the annoying program WinSpywareProtect on my system.
How can I remove it?
I purchased the program SpyHunter, which was supposed to be able to remove it, but that did not work with this program.
In the log below I see no references to WinSpywareProtect.


This is my log, made with the newest HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:00, on 20-7-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\windowslogonb.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Topro\tppoll.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\windowslogonb.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [Microsoft Windows Express] windowslogonb.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [tppoll] C:\Program Files\Topro\tppoll.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sys2.exe] C:\Windows\Sys2.exe
O4 - HKLM\..\Run: [Sys3.exe] C:\Windows\Sys3.exe
O4 - HKLM\..\Run: [Sys4.exe] C:\Windows\Sys4.exe
O4 - HKLM\..\Run: [Sys6.exe] C:\Windows\Sys6.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [74aab500] rundll32.exe "C:\WINDOWS\system32\jkpeigae.dll",b
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" -scan -minimized
O4 - HKLM\..\RunServices: [Microsoft Windows Express] windowslogonb.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [Device Detection] C:\Program Files\Albert Heijn Fotoservice\dd.exe
O4 - HKCU\..\Run: [Sys2.exe] C:\Windows\Sys2.exe
O4 - HKCU\..\Run: [Sys3.exe] C:\Windows\Sys3.exe
O4 - HKCU\..\Run: [Sys4.exe] C:\Windows\Sys4.exe
O4 - HKCU\..\Run: [Sys5.exe] C:\Windows\Sys5.exe
O4 - HKCU\..\Run: [Sys6.exe] C:\Windows\Sys6.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users.WINDOWS\Application Data\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe" /autorun
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: BitChe It! - C:\Program Files\BitCheIt\bc.hta
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202384848984
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Pinnacle Systems tvtv Spooler (EpgSpooler) - Unknown owner - c:\progra~1\pinnacle\mediac~1\epgspo~2.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 7275 bytes


I'd appreciate a reply.

Kind regards,

Pjoterke
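As an added example (not from this thread and not part of HijackThis or any other tool named here), the following Python script applies a few defender heuristics to HijackThis O4 autostart lines, using lines copied from the log above as its constructed sample: bare file names resolved via PATH, executables placed directly in the Windows directory or in a profile data directory, use of the RunServices key, machine-generated value names, rundll32 calling a one-letter export, and the same target registered under both HKLM and HKCU. The heuristics, thresholds and function names are assumptions chosen for illustration.

```python
"""Triage of HijackThis O4 (autostart) entries with a few defender heuristics."""
import re
from collections import defaultdict

# Registry-backed O4 lines only; "Global Startup" folder lines are deliberately ignored.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[^\\]+(?:\\[^\\]+)?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
RUNDLL_RE = re.compile(r"(?i)^rundll32(?:\.exe)?\s+")
TARGET_RE = re.compile(r'(?i)^"?(?P<path>.+?\.(?:exe|dll|scr|bat|cmd|hta))"?(?P<rest>[\s,].*)?$')
# Value names that look machine-generated: 8 hex digits ("74aab500") or a letter plus counter ("s9201").
GENERATED_NAME_RE = re.compile(r"^(?:[0-9a-f]{8}|[a-z]\d{3,})$")

# Constructed sample: O4 lines taken from the HijackThis log in the first post of this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Windows Express] windowslogonb.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sys2.exe] C:\Windows\Sys2.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [74aab500] rundll32.exe "C:\WINDOWS\system32\jkpeigae.dll",b
O4 - HKLM\..\RunServices: [Microsoft Windows Express] windowslogonb.exe
O4 - HKCU\..\Run: [Sys2.exe] C:\Windows\Sys2.exe
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users.WINDOWS\Application Data\SecuriSoft SARL\WinSpywareProtect\wspwprtct.exe" /autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""


def parse_o4(line):
    """Return dict(hive, key, name, path, rest, rundll) for a registry O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    rundll = bool(RUNDLL_RE.match(cmd))
    if rundll:
        # Strip the rundll32 host so the DLL it loads becomes the target to assess.
        cmd = RUNDLL_RE.sub("", cmd, count=1)
    t = TARGET_RE.match(cmd)
    path = t.group("path") if t else cmd
    rest = (t.group("rest") or "") if t else ""
    return {"hive": m.group("hive"), "key": m.group("key"), "name": m.group("name"),
            "path": path, "rest": rest.strip(" ,"), "rundll": rundll}


def reasons_for(entry):
    """Heuristic reasons an autostart entry deserves a closer look (empty list = nothing odd)."""
    reasons = []
    path = entry["path"]
    low = path.lower()
    parent, _, _base = low.rpartition("\\")
    if entry["key"].lower() == "runservices":
        reasons.append("uses the Win9x-era RunServices key, rarely touched by current software")
    if "\\" not in path:
        reasons.append("bare file name, located through the PATH search order")
    if parent in ("c:\\windows", "c:\\winnt"):
        # Weak signal on its own: some vendor tools also live in the Windows root.
        reasons.append("executable placed directly in the Windows directory")
    if "\\application data\\" in low:
        reasons.append("executable runs from a profile data directory")
    if GENERATED_NAME_RE.match(entry["name"].lower()):
        reasons.append("value name looks machine-generated")
    if entry["rundll"] and len(entry["rest"]) <= 2:
        reasons.append("rundll32 calls a DLL export with a one-letter name")
    return reasons


def triage(log_text):
    """Map each suspicious O4 line to its reasons; also flags targets repeated across hives."""
    entries = [(ln, parse_o4(ln)) for ln in log_text.splitlines()]
    entries = [(ln, e) for ln, e in entries if e]
    by_target = defaultdict(set)
    for _, e in entries:
        by_target[e["path"].lower()].add(e["hive"].split("\\")[0])
    flagged = {}
    for ln, e in entries:
        reasons = reasons_for(e)
        hives = by_target[e["path"].lower()]
        if len(hives) > 1:
            reasons.append("same target registered under %s" % " and ".join(sorted(hives)))
        if reasons:
            flagged[ln.strip()] = reasons
    return flagged


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG).items():
        print(line)
        for r in why:
            print("    -", r)
```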

Niels
20 July 2008, 13:08
Hi Pjoterke,

I'll take a look at your log.

I'm still in training, though, and have to have my fix checked first. So it may take a bit longer.

- Niels

pjoterke
20 July 2008, 14:39
Hello Niels,

I scanned my computer with http://www.malwarebytes.org/ and WinspywareProtect seems to be gone.

Thanks for your reply.

Pjoterke

Niels
20 July 2008, 14:52
Hi Pjoterke,

I wanted to recommend that one to you too, together with something else. You'd better wait until I have approval to post my fix. Then we can be sure afterwards that it is completely gone and no remnants are left ;)

- Niels

pjoterke
20 July 2008, 20:02
Hi Niels,

Thanks for the reply.
Indeed, various things may still be left behind.
Looking forward to your findings.

Pjoterke.

Niels
20 July 2008, 22:36
Hi Pjoterke,

You do indeed have junk on your PC. Follow the steps below to get rid of it ;).

1. Clean the cache and cookies in IE:
Close Internet Explorer.
Go to Control Panel > Internet Options > General tab
Click the Delete Cookies button
Click the Delete Files button next to it
Check: Delete all offline content, click OK

Clean the cache and cookies in Firefox (if Firefox is installed):
Go to Tools > Options.
Click Privacy in the menu.
Click the Clear button (History, Cookies, Cache).
Click OK to close the window again.

Clean other temporary files + Recycle Bin
Go to Start > Run and type: cleanmgr and click OK.
Let it scan your system for files that need to be removed
Make sure that only 'Temporary files', 'Temporary Internet files' and 'Recycle Bin' are checked.
Then click OK.

2. Start Malwarebytes' Anti-Malware and click the Logs tab. Save the log that is there.

3. Follow these instructions (http://www.bleepingcomputer.com/combofix/nl/hoe-dient-combofix-gebruikt-te-worden) to download ComboFix.
Carry out the instructions on that page, including installing the XP Recovery Console.

If you have used ComboFix before, please remove that version and download ComboFix again via the link above. ComboFix is updated almost daily.

If you get a warning from your antivirus or another scanner during or after downloading ComboFix, or while using ComboFix, disable that scanner and download ComboFix again. Some scanners see certain components that ComboFix uses as suspicious and will block or remove them.
Double-click ComboFix.exe to open ComboFix.
Follow the instructions and accept the disclaimer by clicking "Yes".
Do NOT click in the window while ComboFix is running; this can make your system freeze.

When ComboFix is finished, and possibly after a reboot, a log (ComboFix.txt) will open.
Post it together with a new HijackThis log and the Malwarebytes' log in your next reply.

- Niels

pjoterke
25 July 2008, 01:29
Hi Niels,

I carried out the things you suggested.
Here is the log from hijackthis.log:
(As an attachment it is namely seen as an invalid file.)

The other two I have sent as attachments.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:05, on 25-7-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Topro\tppoll.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [tppoll] C:\Program Files\Topro\tppoll.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: BitChe It! - C:\Program Files\BitCheIt\bc.hta
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202384848984
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Pinnacle Systems tvtv Spooler (EpgSpooler) - Unknown owner - c:\progra~1\pinnacle\mediac~1\epgspo~2.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 5718 bytes



Pjoterke

Niels
25 July 2008, 18:09
Hi Pjoterke,

A few more remnants ;)

1. Put the bold lines below into an empty Notepad file:

File::
C:\WINDOWS\system32\x4c0Pe6a.exe
C:\WINDOWS\system32\x4c0Pe6a.exe.a_a
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
Then save this file as CFScript.txt on your desktop.
Drag CFScript.txt onto ComboFix as in the example below.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
ComboFix will start again. As soon as it is finished, a log will open again; save it to your desktop.

3. Post the ComboFix log in your next reply

- Niels

pjoterke
25 July 2008, 23:02
Hi Niels,

Thanks for the quick reply.

The log:

ComboFix 08-07-24.1 - Thuis 2008-07-25 22:57:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1043.18.609 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\Thuis.SPINOZA.000\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Thuis.SPINOZA.000\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt
* Resident AV is active


FILE ::
C:\WINDOWS\system32\x4c0Pe6a.exe
C:\WINDOWS\system32\x4c0Pe6a.exe.a_a
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\x4c0Pe6a.exe
C:\WINDOWS\system32\x4c0Pe6a.exe.a_a
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-06-25 to 2008-07-25 ))))))))))))))))))))))))))))))
.

2008-07-25 22:53 . 2008-07-25 22:55 <DIR> dr-h----- C:\Documents and Settings\Thuis.SPINOZA.000\Onlangs geopend
2008-07-20 15:19 . 2008-07-20 15:19 <DIR> dr------- C:\Documents and Settings\LocalService.NT AUTHORITY.000\Favorieten
2008-07-20 14:12 . 2008-07-20 14:12 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-20 14:12 . 2008-07-20 14:12 <DIR> d-------- C:\Documents and Settings\Thuis.SPINOZA.000\Application Data\Malwarebytes
2008-07-20 14:12 . 2008-07-20 14:12 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-07-20 14:12 . 2008-07-18 19:15 36,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-20 14:12 . 2008-07-18 19:15 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-19 23:45 . 2008-07-19 23:45 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-19 23:18 . 2008-07-19 23:18 <DIR> dr------- C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Favorieten
2008-07-19 22:51 . 2008-07-19 22:51 <DIR> d-------- C:\Documents and Settings\Thuis.SPINOZA.000\Application Data\ESET
2008-07-19 22:49 . 2008-07-19 22:49 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\ESET
2008-07-19 08:30 . 2008-07-19 08:30 <DIR> d-------- C:\Program Files\Xvid
2008-07-19 08:30 . 2008-04-27 10:33 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-07-19 08:30 . 2008-04-27 10:35 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-07-19 08:30 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-07-18 23:09 . 2008-07-18 23:09 <DIR> d-------- C:\!KillBox
2008-07-18 22:41 . 2008-07-18 22:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-17 22:34 . 2008-07-17 22:35 <DIR> d-------- C:\Program Files\Bit Che
2008-07-17 22:34 . 2008-07-17 22:34 <DIR> d-------- C:\Documents and Settings\Thuis.SPINOZA.000\Application Data\Convivea
2008-07-17 22:34 . 2004-03-09 00:00 124,688 --a------ C:\WINDOWS\system32\mswinsck.ocx
2008-07-17 22:31 . 2008-07-17 22:33 <DIR> d-------- C:\Program Files\BitCheIt
2008-07-15 08:20 . 2008-06-14 20:00 272,640 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-15 08:20 . 2008-06-14 20:00 272,640 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-20 12:20 --------- d-----w C:\Documents and Settings\Thuis.SPINOZA.000\Application Data\uTorrent
2008-07-19 20:49 --------- d-----w C:\Program Files\ESET
2008-07-19 18:15 --------- d-----w C:\Program Files\uTorrent
2008-07-18 21:31 31,712 ----a-w C:\Documents and Settings\Thuis.SPINOZA.000\Application Data\GDIPFONTCACHEV1.DAT
2008-07-15 19:32 5,672 ----a-w C:\Documents and Settings\Thuis.SPINOZA.000\Application Data\mdb.bin
2008-07-08 22:50 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-07-08 22:49 --------- d-----w C:\Program Files\Lavasoft
2008-07-08 22:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-08 22:47 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-07-07 20:11 --------- d-----w C:\Documents and Settings\Thuis.SPINOZA.000\Application Data\dvdcss
2008-07-07 10:29 --------- d-----w C:\Documents and Settings\Thuis.SPINOZA.000\Application Data\Apple Computer
2008-06-22 11:04 --------- d-----w C:\Program Files\Henzo
2008-06-20 17:43 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-10 16:56 71,688 ----a-w C:\WINDOWS\system32\drivers\epfw.sys
2008-06-10 16:56 54,280 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys
2008-06-10 16:56 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys
2008-06-10 16:48 53,256 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-06-10 16:47 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2008-05-18 19:46 504,832 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
.

------- Sigcheck -------

2008-05-18 21:46 504832 7bba4ca9e82794985afff1d487a42b40 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-07-25_1.10.32.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-25 10:53:40 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_290.dat
+ 2008-07-25 10:53:41 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_434.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-01-04 15:17 1937408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-11-10 17:06 406016]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"tppoll"="C:\Program Files\Topro\tppoll.exe" [2005-03-02 18:12 24576]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2008-06-10 18:52 1447168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:03 15360]

C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programma's\Opstarten\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIM1"= PCLEPIM1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programma's\Opstarten\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programma's^Opstarten^HP Photosmart Premier Snelstart.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programma's\Opstarten\HP Photosmart Premier Snelstart.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Snelstart.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programma's^Opstarten^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programma's\Opstarten\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programma's^Opstarten^Pinnacle Scheduler.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programma's\Opstarten\Pinnacle Scheduler.lnk
backup=C:\WINDOWS\pss\Pinnacle Scheduler.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Menu Start^Programma's^Opstarten^Snelstart HP Image Zone.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programma's\Opstarten\Snelstart HP Image Zone.lnk
backup=C:\WINDOWS\pss\Snelstart HP Image Zone.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Thuis.SPINOZA.000^Menu Start^Programma's^Opstarten^Diskeeper 10 Professional Edition Registration.lnk]
path=C:\Documents and Settings\Thuis.SPINOZA.000\Menu Start\Programma's\Opstarten\Diskeeper 10 Professional Edition Registration.lnk
backup=C:\WINDOWS\pss\Diskeeper 10 Professional Edition Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Thuis.SPINOZA.000^Menu Start^Programma's^Opstarten^Registration-PCTV.lnk]
path=C:\Documents and Settings\Thuis.SPINOZA.000\Menu Start\Programma's\Opstarten\Registration-PCTV.lnk
backup=C:\WINDOWS\pss\Registration-PCTV.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
--a------ 2006-06-07 13:35 319488 C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HijackThis startup scan]
--a------ 2008-07-18 22:41 396288 C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 15:18 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchList]
--------- 2003-04-10 20:41 49152 C:\Program Files\Pinnacle\Pinnacle PCTV\LaunchList.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVRemote]
--------- 2002-10-11 14:40 61440 C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\remoterm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-01-20 09:05 217088 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tppoll]
--a------ 2005-03-02 18:12 24576 C:\Program Files\Topro\tppoll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
--a------ 2007-11-26 15:47 1206600 C:\Program Files\Webroot\Washer\wwDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2004-09-23 23:44 57344 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2004-09-24 20:06 2559488 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Snelkoppeling naar eigenschappenvenster voor High Definition Audio]
--------- 2004-03-17 16:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-09-23 21:27 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 15:47]
R3 DCamUSBIntel;Eminent iCam;C:\WINDOWS\system32\Drivers\TP6800.sys [2005-03-04 19:22]
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-11-11 20:52]

*Newly Created Service* - CATCHME
.
************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 22:59:01
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

************************************************************************
.
Voltooingstijd: 2008-07-25 22:59:39
ComboFix-quarantined-files.txt 2008-07-25 20:59:33
ComboFix2.txt 2008-07-24 23:10:53

Pre-Run: 25,984,253,952 bytes beschikbaar
Post-Run: 25,973,452,800 bytes beschikbaar


Niels
26 July 2008, 10:26
Hi Pjoterke,

Your log is clean. Do you have any other problems?

Also read these (http://www.jawwi.nl/nederlands/tips/beveiligen/beveiligen.html) tips to prevent infections.

You may remove ComboFix. You can do that as follows: Start -> Run -> combofix /u

- Niels

pjoterke
26 July 2008, 12:07
Hi Niels,

Many thanks,

I have read through the tips again and will certainly make use of them.

Pjoterke.

Niels
26 July 2008, 12:09
You're welcome

Rosty
26 July 2008, 12:15
Since this one has been solved, the thread is being locked