fsorion.sys

[wajang]

Bij een collega stopt de PC (P4 1800, XP Pro) af en toe spontaan en hij krijgt o.a. een melding over fsorion.sys
Hier kunnne we niets over vinden, behalve een Frans forum.
Heeft er iemand wel eens iets over fsorion.sys gehoord?

 

[Pieter Arntz]

Geplaatst door wajang
Bij een collega stopt de PC (P4 1800, XP Pro) af en toe spontaan en hij krijgt o.a. een melding over fsorion.sys
Hier kunnne we niets over vinden, behalve een Frans forum.
Heeft er iemand wel eens iets over fsorion.sys gehoord?

Hoi wajang,

Kun je een HijackThis log van die computer (laten) plaatsen?

Groetjes,

Pieter

 

[wajang]

Kun je een HijackThis log van die computer (laten) plaatsen?

Ik zal het vragen, duurt nog wel even.

 

[pete1]

F-Secure fsorion.sys

onderdeel van virusscanner ?

pe.

 

[wajang]

Hier is ie dan:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\HistoryKill\histkill.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AntiCapsLock\CAPS.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\HistoryKill\hkPopupKiller.exe
C:\Program Files\F-Secure\BackWeb\BackWeb\Program\ServiceWrapper.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\F-Secure\Common\FSAA.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\PROGRA~1\F-Secure\BackWeb\BackWeb\Program\BackWeb.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FSGK32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Documents and Settings\Kees & Ciska\Local Settings\Temporary Internet Files\Content.IE5\PKL49RQI\HijackThis.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.tdak.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tdak.com/searchbar.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://127.0.0.1:8080/proxyconf
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: AntiCapsLock.lnk = C:\Program Files\AntiCapsLock\CAPS.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ClientDownLoad3 - http://www.phonefree.com/download/ClientDownload3.cab
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) -
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://quickfix.chello.nl/sdccommon/download/tgctlsi.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://quickfix.chello.nl/sdccommon/download/tgctlins.cab
O16 - DPF: {01112800-3E00-11D2-8470-0060089874ED} (Support.com Probe Class) - http://quickfix.chello.nl/sdccommon/download/tgctlpr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1059D2E2-EA3E-11D5-AF3C-0060085C9531} (CAX Control) -
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/TerraExplorer/Install/TEInstallPlugIn.cab
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.euroklik.nl/plugins_met_herhaal_bezoek/pacmannl742.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://geotoo.mkm-wpe.net/activex/AxisCamControl.ocx
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.communities.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/1/007/nl.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.5299652778
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {C79976AD-5141-4346-8F48-70D65B80281F} (IPGNetworkInfo.ExtendedSI) - http://quickfix.chello.nl/esupport/asp/IPGNetworkInfo.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

 

[crash]

Ziet eruit dat er Spyware op die pc zit.
Tdak.com is dacht ik een Lop.com variant.

Download Adaware 6 of Spybot S&D om je computer op spyware te scannen.
Vergeet niet te updaten voordat je gaat scannen.
Plaats daarna het log opnieuw.

 

[Pieter Arntz]

Hoi wajang,

Vink de onderstaande aan, sluit alle vensters behalve HijackThis en klik op Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.tdak.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tdak.com/searchbar.html
R3 - Default URLSearchHook is missing
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll (file missing)
O2 - BHO: CSBrBHO - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)
O16 - DPF: ClientDownLoad3 - http://www.phonefree.com/download/ClientDownload3.cab
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) -
O16 - DPF: {1059D2E2-EA3E-11D5-AF3C-0060085C9531} (CAX Control) -
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interact...stallPlugIn.cab
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.euroklik.nl/plugins_met_...pacmannl742.exe
O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} - http://www.cavello.com/dialxs/plugins/d/1/007/nl.exe
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) -

Start daarna opnieuw op.

Het ziet ernaar uit dat pete1 het bij het goede eind had wat betreft fsorion.sys.

Groetjes,

Pieter

 

[wajang]

Mijn collega heeft alles gefixt en wat pete1 schreef over f-secure nemen we mee in onze zoektocht. Er zit inderdaad F-secure op.
Hij heeft geen uitvallers meer gehad.
Tot zover bedankt voor het meedenken ook namens de Fam. J. te B.