
Forum index > Malware and virus infection problems > Help with malware and virus infection problems (HijackThis / RSIT / DDS logs) > Solved problems / logs


Re: Buma-Stemra virus

Post by Acy11 » Sat 03 March 2012 15:39:21

Hi,

I also went ahead and ran the next steps, aswMBR and DDS. These are the results.

aswMBR log:

aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-03-03 15:13:27
-----------------------------
15:13:27.770 OS Version: Windows 6.0.6000
15:13:27.770 Number of processors: 2 586 0xF0D
15:13:27.771 ComputerName: UserName:
15:13:48.407 Initialize success
15:14:14.744 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
15:14:14.748 Disk 0 Vendor: FUJITSU_ 8918 Size: 114473MB BusType: 3
15:14:14.779 Disk 0 MBR read successfully
15:14:14.784 Disk 0 MBR scan
15:14:14.788 Disk 0 unknown MBR code
15:14:14.793 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 107403 MB offset 63
15:14:14.823 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 7067 MB offset 219961980
15:14:14.831 Disk 0 scanning sectors +234436545
15:14:14.892 Disk 0 scanning C:\Windows\system32\drivers
15:14:22.256 Service scanning
15:14:23.315 Service .tdx \? **LOCKED** 123
15:14:43.904 Modules scanning
15:14:50.327 Disk 0 trace - called modules:
15:14:50.349 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
15:14:50.708 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85c35500]
15:14:50.716 3 ntkrnlpa.exe[824b07e2] -> nt!IofCallDriver -> [0x84dfe7c8]
15:14:50.726 5 acpi.sys[8065c32a] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x84e09030]
15:14:50.735 Scan finished successfully
15:15:19.089 Disk 0 MBR has been saved successfully to "C:\Users\\Desktop\MBR.dat"
15:15:19.098 The log file has been saved successfully to "C:\Users\\Desktop\aswMBR.txt"


DDS.txt log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_30
Run by User at 15:22:06 on 2012-03-03
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\GFI Software\VIPRE\SBPIMSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\conime.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\GFI Software\VIPRE\SBAMSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\GFI Software\VIPRE\SBAMTray.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: uTorrentBar_NL Toolbar: {87775fdb-6972-41f9-ae51-8326e38cb206} - c:\program files\utorrentbar_nl\prxtbuTor.dll
mURLSearchHooks: uTorrentBar_NL Toolbar: {87775fdb-6972-41f9-ae51-8326e38cb206} - c:\program files\utorrentbar_nl\prxtbuTor.dll
uWindows: Load="c:\windows\system32\smss.exe:844230881.vbs"
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: uTorrentBar_NL Toolbar: {87775fdb-6972-41f9-ae51-8326e38cb206} - c:\program files\utorrentbar_nl\prxtbuTor.dll
BHO: Windows Live Aanmelden - Help: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Ask Search Assistant BHO: {9cb65201-89c4-402c-ba80-02d8c59f9b1d} - Ask Search Assistant BHO
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: uTorrentBar_NL Toolbar: {87775fdb-6972-41f9-ae51-8326e38cb206} - c:\program files\utorrentbar_nl\prxtbuTor.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} -
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [2X9I7BYX2HVCZF8VFHSCXXYSYXRRGAK] 2f0071000000
uRunServices: [PlayerPlayer] c:\users\~1\appdata\local\temp\0.6116133340978206.exe
uRunServices: [0.6116133340978206] c:\users\\appdata\local\temp\0.6116133340978206.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SBAMTray] "c:\program files\gfi software\vipre\SBAMTray.exe"
mRun: [SBRegRebootCleaner] "c:\program files\gfi software\vipre\SBRC.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
TCP: DhcpNameServer = 10.0.0.138
TCP: Interfaces\{DF559764-E4CE-49BA-A800-BDDA662DEDA6} : DhcpNameServer = 10.0.0.138
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\\appdata\roaming\mozilla\firefox\profiles\eals0j79.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\users\\appdata\roaming\mozilla\firefox\profiles\eals0j79.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\\appdata\roaming\mozilla\firefox\profiles\eals0j79.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft silverlight\5.0.61118.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-10-26 101112]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2012-2-2 84600]
R2 SBAMSvc;VIPRE Internet Security;c:\program files\gfi software\vipre\SBAMSvc.exe [2011-11-1 3287472]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-9-9 77816]
R2 SBPIMSvc;SB Recovery Service;c:\program files\gfi software\vipre\SBPIMSvc.exe [2011-11-1 173424]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]
R3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\Ndisrd.sys [2009-8-28 22016]
S2 gupdate;Google Updateservice (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-18 135664]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-15 54632]
S3 fsssvc;De service Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 gupdatem;Google Update-service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-18 135664]
S3 Ndisrd;WinpkFilter Service;c:\windows\system32\drivers\Ndisrd.sys [2009-8-28 22016]
S3 SBFWIMCL;GFI Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2012-2-2 94584]
S3 SBFWIMCLMP;GFI Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2012-2-2 94584]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2012-2-2 93816]
.
=============== Created Last 30 ================
.
2012-03-02 17:56:31 -------- d-s---w- C:\ComboFix
2012-03-02 16:59:06 -------- d-----w- C:\TDSSStarter
2012-03-02 16:44:41 98816 ----a-w- c:\windows\sed.exe
2012-03-02 16:44:41 518144 ----a-w- c:\windows\SWREG.exe
2012-03-02 16:44:41 256000 ----a-w- c:\windows\PEV.exe
2012-03-02 16:44:41 208896 ----a-w- c:\windows\MBR.exe
2012-03-02 07:41:19 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-02 07:03:05 -------- d-----w- c:\users\\appdata\roaming\Malwarebytes
2012-03-02 07:02:57 -------- d-----w- c:\programdata\Malwarebytes
2012-03-02 07:02:55 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-02 07:02:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-02 04:38:24 388096 ----a-r- c:\users\\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-03-02 04:38:21 -------- d-----w- c:\program files\Trend Micro
2012-03-01 18:06:44 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-03-01 17:00:52 -------- d-----w- c:\users\\appdata\roaming\EurekaLog
2012-02-29 21:36:25 -------- d-----w- c:\users\\appdata\roaming\CBS Interactive
2012-02-28 21:48:41 -------- d-----w- c:\programdata\CPA_VA
2012-02-28 21:21:05 -------- d-----w- c:\programdata\Comodo
2012-02-28 21:20:39 -------- d-----w- c:\program files\Comodo
2012-02-28 21:20:28 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-02-28 11:58:26 -------- d-----w- c:\users\\appdata\roaming\Wyroygz
2012-02-28 11:58:26 -------- d-----w- c:\users\\appdata\roaming\Cukara
2012-02-16 18:41:57 -------- d-----w- c:\program files\Conduit
2012-02-16 18:41:14 -------- d-----w- c:\users\appdata\local\Conduit
2012-02-16 18:41:03 -------- d-----w- c:\program files\uTorrentBar_NL
2012-02-16 18:40:39 -------- d-----w- c:\program files\uTorrent
2012-02-16 18:38:11 -------- d-----w- c:\users\\appdata\roaming\uTorrent
2012-02-12 22:14:59 646104 ----a-w- c:\program files\mozilla firefox\nss3.dll
2012-02-12 22:14:59 371672 ----a-w- c:\program files\mozilla firefox\nssckbi.dll
2012-02-12 22:14:59 109528 ----a-w- c:\program files\mozilla firefox\nssdbm3.dll
2012-02-12 22:14:59 105432 ----a-w- c:\program files\mozilla firefox\nssutil3.dll
2012-02-11 15:59:31 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2012-02-10 15:35:39 -------- d-sh--w- c:\users\\appdata\local\1cf6efbe
2012-02-09 14:53:39 -------- d-----w- C:\temp
.
==================== Find3M ====================
.
2012-02-28 15:25:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-07 09:08:58 236576 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 15:28:14,72 ===============
Acy11
PC Web Plus - Member

Posts: 26
Registered: Fri 02 March 2012 16:11:12
OS: Windows Vista

Re: Buma-Stemra virus

Post by Maxstar » Sat 03 March 2012 16:31:43

Hi,

Note: This script is intended specifically for this PC; do not use it on other PCs with a similar problem.
Open Notepad.
Copy and paste the following (bold, blue text) into an empty window:


DDS:
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} -
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} -
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} -
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} -
uRun: [2X9I7BYX2HVCZF8VFHSCXXYSYXRRGAK]
uRunServices: [PlayerPlayer]
uRunServices: [0.6116133340978206]

File::
c:\users\~1\appdata\local\temp\0.6116133340978206.exe
c:\users\appdata\local\temp\0.6116133340978206.exe

Dirlook::
c:\users\appdata\roaming\Wyroygz
c:\users\appdata\roaming\Cukara
c:\users\aappdata\local\1cf6efbe

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=-


Save this on your Desktop as CFScript.txt


Drag CFScript.txt onto ComboFix.exe as shown in the example below:

[Image: CFScript.txt being dragged onto ComboFix.exe]

This will make ComboFix restart.
Reboot if prompted, and post the contents of ComboFix.txt in your next reply.
Kind regards,

Maxstar


Member of UNITE Unified Network of Instructors and Trained Eliminators (Unite Against Malware)
Maxstar
Administrator

Posts: 33979
Registered: Sat 27 Sep 2008 09:18:07
Knowledge level: (3) Expert
OS: Windows 7
AV: Emsisoft Internet Security
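The CFScript above was written by reading the DDS "Pseudo HJT Report" by hand and picking out the orphaned BHO/toolbar entries, the Run value with a machine-generated name, the RunServices entries pointing into a temp directory, and the "Windows\Load" value that hides a .vbs inside an alternate data stream of smss.exe. As an added example (not code from PC Web Plus, the DDS tool or ComboFix), the Python script below automates that first triage pass over DDS report lines. The sample lines are constructed after the entry types in the log posted above; the categories and the "random name" heuristic are this example's own assumptions, not rules from any of those tools.

```python
"""Triage of DDS 'Pseudo HJT Report' lines.

Added example (not code from PC Web Plus, DDS or ComboFix): flags the kinds
of entries a malware-removal helper picks out of a DDS log by hand. The
categories and heuristics are this example's own assumptions.
"""
import re
from collections import Counter

# Constructed sample, modelled on the entry types in the DDS log above.
SAMPLE_LINES = [
    'uWindows: Load="c:\\windows\\system32\\smss.exe:844230881.vbs"',
    'uRun: [2X9I7BYX2HVCZF8VFHSCXXYSYXRRGAK] 2f0071000000',
    'uRunServices: [PlayerPlayer] c:\\users\\~1\\appdata\\local\\temp\\0.6116133340978206.exe',
    'uRunServices: [0.6116133340978206] c:\\users\\\\appdata\\local\\temp\\0.6116133340978206.exe',
    'mRun: [SynTPEnh] c:\\program files\\synaptics\\syntp\\SynTPEnh.exe',
    'BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File',
    'TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File',
    'FF - user.js: security.warn_submit_insecure - false',
    'FF - user.js: network.cookie.cookieBehavior - 0',
    'TCP: DhcpNameServer = 10.0.0.138',
]

# uRun / mRun / uRunServices / mRunOnce entries: "[name] command".
RUN_RE = re.compile(r'^[um]Run(?:Once|Services)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# The HKCU/HKLM "Windows\Load" value, an old autostart location.
LOAD_RE = re.compile(r'^[um]Windows: Load="?(?P<path>[^"]*)"?')
# A second colon after the drive letter means an NTFS alternate data stream.
ADS_RE = re.compile(r'^[a-z]:\\.*:[^\\]+$', re.I)
# Firefox user.js lines that switch a security warning off.
USERJS_RE = re.compile(r'^FF - user\.js: (?P<pref>security\.warn_\S+) - false$')


def looks_random(name):
    """Heuristic for machine-generated value names (assumption of this example)."""
    if re.fullmatch(r'\d+\.\d+', name):          # a float used as a name
        return True
    return (len(name) >= 16
            and re.fullmatch(r'[A-Z0-9]+', name) is not None
            and any(c.isdigit() for c in name))


def triage_line(line):
    """Return (category, line) findings for one DDS report line; [] if clean."""
    text = line.strip()
    findings = []

    m = LOAD_RE.match(text)
    if m and ADS_RE.search(m.group('path')):
        findings.append(('ads_load', text))

    m = RUN_RE.match(text)
    if m:
        if looks_random(m.group('name')):
            findings.append(('random_name', text))
        if '\\temp\\' in m.group('cmd').lower():
            findings.append(('temp_autostart', text))

    if text.endswith('No File'):                 # orphaned BHO/toolbar/hook
        findings.append(('orphan', text))

    if USERJS_RE.match(text):
        findings.append(('ff_warning_disabled', text))

    return findings


def triage(lines):
    """Run triage_line over a whole report and collect the findings."""
    found = []
    for line in lines:
        found.extend(triage_line(line))
    return found


def summarize(findings):
    """Count findings per category."""
    return Counter(category for category, _ in findings)


if __name__ == '__main__':
    results = triage(SAMPLE_LINES)
    for category, text in results:
        print(f'{category:20} {text}')
    print(dict(summarize(results)))
```

Run over the sample it reports eight findings: one ADS in the Load value, two random-looking Run names, two autostarts in a temp directory, two orphaned entries and one disabled Firefox warning, while the legitimate Synaptics entry and the DHCP line pass clean. A flag is a prompt to look, not a verdict; the helper still decides per entry what goes into the CFScript.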

Re: Buma-Stemra virus

Post by Acy11 » Sat 03 March 2012 18:52:11

Here is the ComboFix log.

FILE ::
"c:\users\ \appdata\local\temp\0.6116133340978206.exe"
"c:\users\~1\appdata\local\temp\0.6116133340978206.exe"

Error: Cfiles.dat

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DFRDED7.tmp
C:\Program Files\Common Files\Uninstall
C:\ProgramData\Windows
C:\ProgramData\Windows\dsdd.dat
C:\ProgramData\Windows\nudr.dat
C:\Users\\AppData\Roaming\EurekaLog
C:\Users\\Documents\~WRL0404.tmp
C:\Windows\system32\drivers\snetcfg.exe
C:\Windows\system32\oobe\audit.exe
C:\Windows\system32\oobe\msoobe.exe
C:\Windows\system32\oobe\oobeldr.exe
C:\Windows\system32\oobe\Setup.exe
C:\Windows\system32\oobe\windeploy.exe


((((((((((((((((((((((((( 2012-02-03 至 2012-03-03 的新的檔案 )))))))))))))))))))))))))))))))


2012-03-03 17:15:21 . 2012-03-03 17:20:54 -------- d-----w- C:\Users\\AppData\Local\temp
2012-03-03 17:15:21 . 2012-03-03 17:15:21 -------- d-----w- C:\Users\Default\AppData\Local\temp
2012-03-02 16:59:06 . 2012-03-02 17:01:38 -------- d-----w- C:\TDSSStarter
2012-03-02 07:41:19 . 2012-03-02 07:41:19 40776 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
2012-03-02 07:03:05 . 2012-03-02 07:03:05 -------- d-----w- C:\Users\\AppData\Roaming\Malwarebytes
2012-03-02 07:02:57 . 2012-03-02 07:02:57 -------- d-----w- C:\ProgramData\Malwarebytes
2012-03-02 07:02:55 . 2012-03-02 07:02:59 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2012-03-02 07:02:55 . 2011-12-10 14:24:06 20464 ----a-w- C:\Windows\system32\drivers\mbam.sys
2012-03-02 04:38:24 . 2012-03-02 04:38:24 388096 ----a-r- C:\Users\\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-02 04:38:21 . 2012-03-02 04:38:21 -------- d-----w- C:\Program Files\Trend Micro
2012-03-01 18:06:44 . 2012-03-01 18:15:44 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-03-01 16:33:48 . 2012-03-01 16:36:57 -------- d-----w- C:\Users\\AppData\Roaming\ImgBurn
2012-02-29 21:36:25 . 2012-02-29 21:36:25 -------- d-----w- C:\Users\\AppData\Roaming\CBS Interactive
2012-02-28 21:48:41 . 2012-03-01 18:17:37 -------- d-----w- C:\ProgramData\CPA_VA
2012-02-28 21:21:05 . 2012-02-28 21:48:49 -------- d-----w- C:\ProgramData\Comodo
2012-02-28 21:20:39 . 2012-03-01 15:27:53 -------- d-----w- C:\Program Files\Comodo
2012-02-28 21:20:28 . 2012-02-28 21:20:28 1700352 ----a-w- C:\Windows\system32\gdiplus.dll
2012-02-28 11:58:26 . 2012-02-28 20:17:01 -------- d-----w- C:\Users\\AppData\Roaming\Cukara
2012-02-28 11:58:26 . 2012-02-28 20:08:38 -------- d-----w- C:\Users\\AppData\Roaming\Wyroygz
2012-02-16 18:41:57 . 2012-02-16 18:41:57 -------- d-----w- C:\Program Files\Conduit
2012-02-16 18:41:14 . 2012-02-16 18:41:14 -------- d-----w- C:\Users\\AppData\Local\Conduit
2012-02-16 18:40:39 . 2012-02-16 18:40:39 -------- d-----w- C:\Program Files\uTorrent
2012-02-16 18:38:11 . 2012-02-28 02:55:48 -------- d-----w- C:\Users\\AppData\Roaming\uTorrent
2012-02-12 22:14:59 . 2012-02-28 20:32:20 646104 ----a-w- C:\Program Files\Mozilla Firefox\nss3.dll
2012-02-12 22:14:59 . 2012-02-28 20:32:20 371672 ----a-w- C:\Program Files\Mozilla Firefox\nssckbi.dll
2012-02-12 22:14:59 . 2012-02-28 20:32:19 109528 ----a-w- C:\Program Files\Mozilla Firefox\nssdbm3.dll
2012-02-12 22:14:59 . 2012-02-28 20:32:19 105432 ----a-w- C:\Program Files\Mozilla Firefox\nssutil3.dll
2012-02-11 15:59:31 . 2011-11-10 04:54:13 476904 ----a-w- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-02-10 15:35:39 . 2012-02-21 09:16:51 -------- d-sh--w- C:\Users\\AppData\Local\1cf6efbe
2012-02-09 14:53:39 . 2012-02-09 14:53:39 -------- d-----w- C:\temp
.


(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))

2012-02-28 15:25:01 . 2011-08-25 18:40:53 414368 ----a-w- C:\Windows\system32\FlashPlayerCPLApp.cpl
2012-01-06 04:19:30 . 2012-01-31 09:43:01 6557240 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{05081670-74A5-48D3-905C-076673AAA1A8}\mpengine.dll
2011-12-14 18:02:41 . 2011-12-14 18:02:41 913168 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-12-07 09:08:58 . 2009-10-03 09:12:07 236576 ------w- C:\Windows\system32\MpSigStub.exe
2012-02-28 20:32:22 . 2012-02-12 22:15:06 134104 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

---- Directory of c:\users\\appdata\local\1cf6efbe ----

2012-02-10 15:38:44 . 2012-02-20 02:37:21 2632 --sha-w- c:\users\\appdata\local\1cf6efbe\loader.tlb
2012-02-10 15:35:39 . 2012-02-10 15:35:39 2048 --sha-w- c:\users\\appdata\local\1cf6efbe\@

---- Directory of c:\users\\appdata\roaming\Cukara ----


---- Directory of c:\users\\appdata\roaming\Wyroygz ----

2012-02-28 20:07:09 . 2012-02-28 20:13:55 13709 ----a-w- c:\users\\appdata\roaming\Wyroygz\obiluxq.hug


((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))


*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{87775fdb-6972-41f9-ae51-8326e38cb206}"= "C:\Program Files\uTorrentBar_NL\prxtbuTor.dll" [2011-05-09 08:49:38 176936]

[HKEY_CLASSES_ROOT\clsid\{87775fdb-6972-41f9-ae51-8326e38cb206}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87775fdb-6972-41f9-ae51-8326e38cb206}]
2011-05-09 08:49:38 176936 ----a-w- C:\Program Files\uTorrentBar_NL\prxtbuTor.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{87775fdb-6972-41f9-ae51-8326e38cb206}"= "C:\Program Files\uTorrentBar_NL\prxtbuTor.dll" [2011-05-09 08:49:38 176936]

[HKEY_CLASSES_ROOT\clsid\{87775fdb-6972-41f9-ae51-8326e38cb206}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{87775FDB-6972-41F9-AE51-8326E38CB206}"= "C:\Program Files\uTorrentBar_NL\prxtbuTor.dll" [2011-05-09 08:49:38 176936]

[HKEY_CLASSES_ROOT\clsid\{87775fdb-6972-41f9-ae51-8326e38cb206}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"2X9I7BYX2HVCZF8VFHSCXXYSYXRRGAK"="2f0071000000" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 03:36:40 827392]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 17:50:02 4390912]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 14:37:58 174872]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 11:18:36 472776]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 14:12:08 317128]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57:24 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 08:51:46 1836328]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-01-02 16:07:08 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-01-02 16:06:52 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-01-02 16:07:02 133656]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2009-09-21 14:36:12 305440]
"SBAMTray"="C:\Program Files\GFI Software\VIPRE\SBAMTray.exe" [2011-11-01 00:03:54 3045744]
"SBRegRebootCleaner"="C:\Program Files\GFI Software\VIPRE\SBRC.exe" [2011-10-31 23:42:04 200560]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 12:06:06 254696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 01:38:00 34672 ----a-w- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-09-20 14:35:10 202024 ----a-w- C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2007-03-12 09:54:24 50696 ----a-w- C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-16 21:11:42 49152 ----a-w- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-02-13 09:38:36 159744 ----a-w- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-04-23 16:11:20 176128 ----a-w- C:\Program Files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

‘計劃任務’ 文件夾 裡的內容

2012-03-03 C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-02-18 13:25:49 . 2010-02-18 13:25:28]

2012-03-03 C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2010-02-18 13:25:49 . 2010-02-18 13:25:28]


------- 而外的掃描 -------

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 10.0.0.138
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
FF - ProfilePath - C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\eals0j79.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
HKCU-RunServices-PlayerPlayer - C:\Users\~1\AppData\Local\Temp\0.6116133340978206.exe
HKCU-RunServices-0.6116133340978206 - C:\Users\\AppData\Local\Temp\0.6116133340978206.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL
Notify-!SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
MSConfigStartUp-msnmsgr - C:\Program Files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-QuickTime Task - C:\Program Files\QuickTime\QTTask.exe

During the scan, the text in the blue Administrator window was in Chinese the whole time. You can now see this in the log as well. Any idea why this suddenly happened and how I can change it on my system?
Acy11
PC Web Plus - Member

Posts: 26
Registered: Fri 02 March 2012 16:11:12
OS: Windows Vista

Re: Buma-Stemra virus

Post by Maxstar » Sun 04 March 2012 09:53:40

Hi,

The ComboFix log is not complete; please post it again. C:\ComboFix.txt
Acy11 wrote: During the scan, the text in the blue Administrator window was in Chinese the whole time. You can now see this in the log as well. Any idea why this suddenly happened and how I can change it on my system?

Is this still the case after restarting the computer?
Kind regards,

Maxstar


Member of UNITE Unified Network of Instructors and Trained Eliminators (Unite Against Malware)
Maxstar
Administrator

Posts: 33979
Registered: Sat 27 Sep 2008 09:18:07
Knowledge level: (3) Expert
OS: Windows 7
AV: Emsisoft Internet Security

Re: Buma-Stemra virus

Post by Acy11 » Mon 05 March 2012 00:18:12

Hi,

The ComboFix log is not complete; please post it again. C:\ComboFix.txt


I ran ComboFix again, because I saw no difference between the log and what I had posted. Here is the new ComboFix log:

ComboFix 12-03-02.01 - 03-2012 zo 23:17:05.2.2 - x86
執行位置: c:\users\ \Desktop\ComboFix.exe
Command switches used :: c:\users\ \Desktop\CFScript.txt
* 成功創造新還原點
.
FILE ::
"c:\users\ \appdata\local\temp\0.6116133340978206.exe"
"c:\users\ ~1\appdata\local\temp\0.6116133340978206.exe"
.
Error: Cfiles.dat
.
((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- 早前運行的結果 -------
.
C:\DFRDED7.tmp
c:\programdata\Windows\dsdd.dat
c:\programdata\Windows\nudr.dat
c:\users\ \Documents\~WRL0404.tmp
c:\windows\system32\drivers\snetcfg.exe
c:\windows\system32\oobe\audit.exe
c:\windows\system32\oobe\msoobe.exe
c:\windows\system32\oobe\oobeldr.exe
c:\windows\system32\oobe\Setup.exe
c:\windows\system32\oobe\windeploy.exe
.
.
((((((((((((((((((((((((( 2012-02-04 至 2012-03-04 的新的檔案 )))))))))))))))))))))))))))))))
.
.
2012-03-04 22:36 . 2012-03-04 22:37 -------- d-----w- c:\users\ \AppData\Local\temp
2012-03-04 22:36 . 2012-03-04 22:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-02 16:59 . 2012-03-02 17:01 -------- d-----w- C:\TDSSStarter
2012-03-02 07:03 . 2012-03-02 07:03 -------- d-----w- c:\users\ \AppData\Roaming\Malwarebytes
2012-03-02 07:02 . 2012-03-02 07:02 -------- d-----w- c:\programdata\Malwarebytes
2012-03-02 07:02 . 2012-03-02 07:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-02 07:02 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-02 04:38 . 2012-03-02 04:38 388096 ----a-r- c:\users\ \AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-02 04:38 . 2012-03-02 04:38 -------- d-----w- c:\program files\Trend Micro
2012-03-01 18:06 . 2012-03-01 18:15 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-03-01 16:33 . 2012-03-01 16:36 -------- d-----w- c:\users\ \AppData\Roaming\ImgBurn
2012-02-29 21:36 . 2012-02-29 21:36 -------- d-----w- c:\users\ \AppData\Roaming\CBS Interactive
2012-02-28 21:48 . 2012-03-01 18:17 -------- d-----w- c:\programdata\CPA_VA
2012-02-28 21:21 . 2012-02-28 21:48 -------- d-----w- c:\programdata\Comodo
2012-02-28 21:20 . 2012-03-01 15:27 -------- d-----w- c:\program files\Comodo
2012-02-28 21:20 . 2012-02-28 21:20 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-02-28 11:58 . 2012-02-28 20:17 -------- d-----w- c:\users\ \AppData\Roaming\Cukara
2012-02-28 11:58 . 2012-02-28 20:08 -------- d-----w- c:\users\ \AppData\Roaming\Wyroygz
2012-02-16 18:41 . 2012-02-16 18:41 -------- d-----w- c:\program files\Conduit
2012-02-16 18:41 . 2012-02-16 18:41 -------- d-----w- c:\users\ \AppData\Local\Conduit
2012-02-16 18:40 . 2012-02-16 18:40 -------- d-----w- c:\program files\uTorrent
2012-02-16 18:38 . 2012-02-28 02:55 -------- d-----w- c:\users\ \AppData\Roaming\uTorrent
2012-02-12 22:14 . 2012-02-28 20:32 646104 ----a-w- c:\program files\Mozilla Firefox\nss3.dll
2012-02-12 22:14 . 2012-02-28 20:32 371672 ----a-w- c:\program files\Mozilla Firefox\nssckbi.dll
2012-02-12 22:14 . 2012-02-28 20:32 109528 ----a-w- c:\program files\Mozilla Firefox\nssdbm3.dll
2012-02-12 22:14 . 2012-02-28 20:32 105432 ----a-w- c:\program files\Mozilla Firefox\nssutil3.dll
2012-02-11 15:59 . 2011-11-10 04:54 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-02-10 15:35 . 2012-02-21 09:16 -------- d-sh--w- c:\users\ \AppData\Local\1cf6efbe
2012-02-09 14:53 . 2012-02-09 14:53 -------- d-----w- C:\temp
.
.
.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-28 15:25 . 2011-08-25 18:40 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-06 04:19 . 2012-01-31 09:43 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{05081670-74A5-48D3-905C-076673AAA1A8}\mpengine.dll
2011-12-14 18:02 . 2011-12-14 18:02 913168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-12-07 09:08 . 2009-10-03 09:12 236576 ------w- c:\windows\system32\MpSigStub.exe
2012-02-28 20:32 . 2012-02-12 22:15 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\ \appdata\local\1cf6efbe ----
.
2012-02-10 15:38 . 2012-02-20 02:37 2632 --sha-w- c:\users\ \appdata\local\1cf6efbe\loader.tlb
2012-02-10 15:35 . 2012-02-10 15:35 2048 --sha-w- c:\users\ \appdata\local\1cf6efbe\@
.
---- Directory of c:\users\ \appdata\roaming\Cukara ----
.
.
---- Directory of c:\users\ \appdata\roaming\Wyroygz ----
.
2012-02-28 20:07 . 2012-02-28 20:13 13709 ----a-w- c:\users\ \appdata\roaming\Wyroygz\obiluxq.hug
.
.
((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{87775fdb-6972-41f9-ae51-8326e38cb206}"= "c:\program files\uTorrentBar_NL\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{87775fdb-6972-41f9-ae51-8326e38cb206}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87775fdb-6972-41f9-ae51-8326e38cb206}]
2011-05-09 08:49 176936 ----a-w- c:\program files\uTorrentBar_NL\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{87775fdb-6972-41f9-ae51-8326e38cb206}"= "c:\program files\uTorrentBar_NL\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{87775fdb-6972-41f9-ae51-8326e38cb206}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{87775FDB-6972-41F9-AE51-8326E38CB206}"= "c:\program files\uTorrentBar_NL\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{87775fdb-6972-41f9-ae51-8326e38cb206}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"2X9I7BYX2HVCZF8VFHSCXXYSYXRRGAK"="2f0071000000" [X]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"PlayerPlayer"="c:\users\YUANGY~1\AppData\Local\Temp\0.6116133340978206.exe" [BU]
"0.6116133340978206"="c:\users\ \AppData\Local\Temp\0.6116133340978206.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 4390912]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SBAMTray"="c:\program files\GFI Software\VIPRE\SBAMTray.exe" [2011-11-01 3045744]
"SBRegRebootCleaner"="c:\program files\GFI Software\VIPRE\SBRC.exe" [2011-10-31 200560]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
c:\program files\SUPERAntiSpyware\SASWINLO.DLL [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 01:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-09-20 14:35 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2007-03-12 09:54 50696 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-16 21:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
c:\program files\MSN Messenger\msnmsgr.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-02-13 09:38 159744 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-04-23 16:11 176128 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\QTTask.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
‘計劃任務’ 文件夾 裡的內容
.
2012-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 13:25]
.
2012-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 13:25]
.
.
------- 而外的掃描 -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 10.0.0.138
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
FF - ProfilePath - c:\users\ \AppData\Roaming\Mozilla\Firefox\Profiles\eals0j79.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-04 23:37
Windows 6.0.6000 NTFS
.
掃描被隱藏的進程 ...
.
掃描被隱藏的啟動組 ...
.
掃描被隱藏的文件 ...
.
掃描完成
被隱藏的檔案: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.tdx]
"ImagePath"="\?"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
完成時間: 2012-03-04 23:42:19
ComboFix-quarantined-files.txt 2012-03-04 22:42
.
Pre-Run: 12.823.388.160 bytes beschikbaar
Post-Run: 12.685.168.640 bytes beschikbaar
.
- - End Of File - - FC6960232222378AD1306BE9D0B25995


Is this still the case after restarting the computer?


Do you mean restarting ComboFix rather than the computer? I was referring to the blue screen I see when starting ComboFix, with the title administrator: ComboFix.

Anyway, this time it happened again.
Acy11
PC Web Plus - Member
Posts: 26
Registered: Fri 02 March 2012 16:11:12
OS: Windows Vista
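The ComboFix log above lists autostart entries under HKCU\...\Run and RunServices that point into the user's temp directory and carry no file date/size pair, unlike the vendor entries below them that show a date and size. As an added example that is not part of the forum post or of ComboFix, the following Python script parses that REGEDIT4-style section and flags such entries. The sample log, the user names in it and the heuristics (temp or AppData\Roaming root location, non-executable data, missing date/size tag, machine-generated value name) are constructed for the illustration and are assumptions, not ComboFix's own rules.

```python
import re

# Constructed sample input, modelled on the REGEDIT4-style "important registry
# entries" section of a ComboFix log. User names and the order of entries are
# made up; the value names and paths follow the patterns seen in such logs.
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"2X9I7BYX2HVCZF8VFHSCXXYSYXRRGAK"="2f0071000000" [X]
"K3aRyluP6SiCkoR"="c:\users\sample\AppData\Roaming\flint4ytw.exe" [BU]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"PlayerPlayer"="c:\users\SAMPLE~1\AppData\Local\Temp\0.6116133340978206.exe" [BU]
"0.6116133340978206"="c:\users\sample\AppData\Local\Temp\0.6116133340978206.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 4390912]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"""

# [key] header line, e.g. [HKEY_CURRENT_USER\...\Run]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="data" [tag] value line; the tag is either "YYYY-MM-DD size" or a
# short marker such as [X] or [BU] when no date/size pair was recorded.
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<data>[^"]*)"\s*\[(?P<tag>[^\]]*)\]$')
DATED_TAG_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d+$')
EXE_RE = re.compile(r'\.(exe|dll|scr|cpl|com|bat|cmd)$')
# Value names that are a long block of capitals/digits or a bare decimal number
# (assumed heuristic for machine-generated names).
GENERATED_NAME_RE = re.compile(r'[A-Z0-9]{16,}|[\d.]+')


def parse_entries(text):
    """Return a list of (key, name, data, tag) for every value line under a [key]."""
    key = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group('name'), m.group('data'), m.group('tag')))
    return entries


def reasons_for(name, data, tag):
    """Heuristic reasons an autostart entry deserves a closer look (empty = none)."""
    reasons = []
    path = data.lower()
    parent = path.rsplit('\\', 1)[0] if '\\' in path else ''
    if re.search(r'\\temp$|\\temp\\', parent):
        reasons.append('launches from a temp directory')
    elif parent.endswith('\\appdata\\roaming'):
        reasons.append('launches from the root of AppData\\Roaming')
    if not EXE_RE.search(path):
        reasons.append('value data is not a path to an executable')
    if not DATED_TAG_RE.match(tag):
        reasons.append(f'no file date/size recorded (tag [{tag}])')
    if GENERATED_NAME_RE.fullmatch(name):
        reasons.append('value name looks machine-generated')
    return reasons


def flag_autostarts(text):
    """Map (key, name) -> list of reasons for every entry with at least one reason."""
    findings = {}
    for key, name, data, tag in parse_entries(text):
        reasons = reasons_for(name, data, tag)
        if reasons:
            findings[(key, name)] = reasons
    return findings


if __name__ == '__main__':
    for (key, name), reasons in flag_autostarts(SAMPLE_LOG).items():
        print(f'{key}\\{name}')
        for r in reasons:
            print(f'    - {r}')
```

On the sample, the four entries that live in Temp or at the root of AppData\Roaming, carry a non-dated tag, or have a random-looking name are reported, while the dated vendor entries under HKLM\...\Run pass unflagged. The heuristics are deliberately simple; they rank entries for a human to review rather than decide anything on their own.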

Re: Buma-Stemra virus

Post by Maxstar » Mon 05 March 2012 09:47:30

Hi,

I'm going to ask around about this, because it is very strange.
Are there now also things in Chinese on your system itself, or only in ComboFix?
Kind regards,

Maxstar


Member of UNITE Unified Network of Instructors and Trained Eliminators (Unite Against Malware)
Maxstar
Administrator
Posts: 33979
Registered: Sat 27 Sep 2008 09:18:07
Knowledge level: (3) Expert
OS: Windows 7
AV: Emsisoft Internet Security

Re: Buma-Stemra virus

Post by Acy11 » Mon 05 March 2012 12:53:06

Hi,

I don't know exactly how to trace it on my system.
The only thing I see now is that Java is in Chinese. When I hover the mouse over the icon in the taskbar, there are characters after Java Update.

Can you do anything with this?

Re: Buma-Stemra virus

Post by Maxstar » Mon 05 March 2012 16:29:51

Hi,
Acy11 wrote: The only thing I see now is that Java is in Chinese. When I hover the mouse over the icon in the taskbar, there are characters after Java Update.

Can you take a screenshot of this and post it here on the forum?
Kind regards,

Maxstar



Re: Buma-Stemra virus

Post by Acy11 » Mon 05 March 2012 17:04:34

Hi,

When I click on it, I get the following screen:

Image

Re: Buma-Stemra virus

Post by Maxstar » Mon 05 March 2012 17:34:57

Hi,

Thanks for the screenshot; it is very strange that this occurred after running ComboFix.
I don't think ComboFix was the cause of this, but I have reported it to the makers of ComboFix and am still waiting for a reply.

In any case, run another scan with MBAM.

Start MalwareBytes' Anti-Malware (MBAM)
  • Click the "Update" tab and then "Check for updates"

    In case of problems!!! (Read the instructions below)

  • Click the "Scanner" tab
  • Choose the "Quick scan" option and click "Scan"
  • When the scan is complete, click OK, then "Show Results" to see the results.
  • Make sure everything there is checked, then click "Remove Selected".
  • After removal a log will open and you will be asked to restart the computer.
The log is saved automatically by MalwareBytes' Anti-Malware and can be found by clicking the "Logs" tab in the program.
Kind regards,

Maxstar



Re: Buma-Stemra virus

Post by Acy11 » Mon 05 March 2012 18:17:03

Here is the log.

5-3-2012 18:01:17
mbam-log-2012-03-05 (18-01-17).txt

Scantype: Snelle scan
Ingeschakelde scanopties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM
Uitgeschakelde scanopties: P2P
Objecten gescand: 192214
Verstreken tijd: 11 minuut/minuten, 15 seconde(n)

Geheugenprocessen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Geheugenmodulen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Registersleutels gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Registerwaarden gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Registerdata gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Mappen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Bestanden gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

(einde)


I don't think ComboFix was the cause of this, but I have reported it to the makers of ComboFix and am still waiting for a reply.


Ok, thanks!

Re: Buma-Stemra virus

Post by Maxstar » Tue 06 March 2012 11:55:36

Hi,

Delete ComboFix from the desktop and download it again.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop.

>>Here<< you can read how to use ComboFix.

Note!!! Windows Vista & 7 users must run ComboFix as administrator (right-click, "Run as")

Disable all antivirus and antispyware programs, as they might otherwise conflict with ComboFix.

* (here or here is a guide on how to disable them)

  • Double-click "ComboFix.exe" and click "Agree" on the Disclaimer
  • If a message appears that "A newer version of ComboFix" is available, click "Yes" to update.
  • After the update, click "Agree" again and ComboFix will now start.
  • The computer may need to be restarted several times, for example when a rootkit is present; this is normal.

* Note !!! If an error is shown with the message "Illegal operation attempted on a registry key that has been marked for deletion." then restart the computer.

  • When ComboFix is finished, it will create a log file for you. Post the contents of this log file (found at C:\ComboFix.txt) in your next message.
Kind regards,

Maxstar



Re: Buma-Stemra virus

Post by Acy11 » Wed 14 March 2012 12:31:26

Hi Maxstar,

My problem with ComboFix has been resolved, but now my PC is infected with the Buma virus again. I really don't understand how this was possible. Was the virus and/or rootkit still on the PC after last time? I even switched to Avast for better protection, but unfortunately that did not help.

For the removal I followed the step-by-step plan again. Then I immediately ran an aswMBR and ComboFix scan as well.

Here are the logs from MBAM, Emsisoft, DDS, aswMBR and ComboFix.

mbam-log

Scantype: Snelle scan
Ingeschakelde scanopties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM
Uitgeschakelde scanopties: P2P
Objecten gescand: 193856
Verstreken tijd: 13 minuut/minuten, 59 seconde(n)

Geheugenprocessen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Geheugenmodulen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Registersleutels gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Registerwaarden gedetecteerd: 1
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Hijack.Shell.Gen) -> Data: C:\Users\ AppData\Roaming\flint4ytw.exe -> Succesvol in quarantaine geplaatst en verwijderd.

Registerdata gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Mappen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)

Bestanden gedetecteerd: 1
C:\Users\ \AppData\Local\temp\wpbt0.dll (Exploit.Drop) -> Succesvol in quarantaine geplaatst en verwijderd.

(einde)


Emsisoft Emergency Kit - Versie 1.0

Scaninstellingen:

Scantype: Diepe Scan
Objecten: Geheugen, Sporen, Cookies, C:\, D:\
Scan archieven: Aan
Heuristieken: Uit
ADS Scan: Aan

Scan gestart: 12-3-2012 21:09:16

C:\Kaspersky Rescue Disk 10.0\bases_rd\kjim.kdl Ontdekt: Virus.Win32.Malware!IK
C:\Users\ \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\4a6c36e7-409be0f6/ER.class Ontdekt: JAVA.Agent!IK
C:\Users\ \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\4a6c36e7-409be0f6/Inc.class Ontdekt: Exploit.Java.Blacole!IK
C:\Users\ \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\4a6c36e7-409be0f6/a.class Ontdekt: Exploit.Java.CVE-2011-3544!IK
C:\Users\ \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\4a6c36e7-409be0f6/b.class Ontdekt: Exploit.Java.CVE-2011-3544!IK
C:\Users\ \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\4a6c36e7-409be0f6/c.class Ontdekt: Exploit.Java.CVE-2011-3544!IK
C:\Users\ \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\4a6c36e7-409be0f6/t.class Ontdekt: Exploit.Java.CVE-2010!IK
C:\Users\ \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\4ac0c886-185a29df/Field.class Ontdekt: JAVA.Agent!IK
C:\Users\ \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\4ac0c886-185a29df/Inc.class Ontdekt: Exploit.Java.CVE!IK
C:\Users\ \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\4ac0c886-185a29df/m.class Ontdekt: Exploit.Java.CVE-2011-3544!IK

Gescand

Bestanden: 337549
Sporen: 405504
Cookies: 7
Processen: 61

Gevonden

Bestanden: 10
Sporen: 0
Cookies: 0
Processen: 0
Registersleutels: 0

Scan Geëindigd: 13-3-2012 4:43:43
Scantijd: 7:34:27

C:\Users\ \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\4ac0c886-185a29df/Inc.class Verwijderd Exploit.Java.CVE!IK
C:\Users\ \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\4a6c36e7-409be0f6/t.class Verwijderd Exploit.Java.CVE-2010!IK
C:\Users\ \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\4a6c36e7-409be0f6/a.class Verwijderd Exploit.Java.CVE-2011-3544!IK
C:\Users\ \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\4a6c36e7-409be0f6/b.class Verwijderd Exploit.Java.CVE-2011-3544!IK
C:\Users\ \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\4a6c36e7-409be0f6/c.class Verwijderd Exploit.Java.CVE-2011-3544!IK
C:\Users\ \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\4ac0c886-185a29df/m.class Verwijderd Exploit.Java.CVE-2011-3544!IK
C:\Users\ \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\4a6c36e7-409be0f6/Inc.class Verwijderd Exploit.Java.Blacole!IK
C:\Users\ \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\4a6c36e7-409be0f6/ER.class Verwijderd JAVA.Agent!IK
C:\Users\ \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\4ac0c886-185a29df/Field.class Verwijderd JAVA.Agent!IK
C:\Kaspersky Rescue Disk 10.0\bases_rd\kjim.kdl Verwijderd Virus.Win32.Malware!IK

Verwijderd

Bestanden: 10
Sporen: 0
Cookies: 0



DDS
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\alg.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conime.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
uURLSearchHooks: H - No File
uWinlogon: Userinit=c:\users\ \appdata\roaming\flint4ytw.exe,c:\windows\system32\userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Aanmelden - Help: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Ask Search Assistant BHO: {9cb65201-89c4-402c-ba80-02d8c59f9b1d} - Ask Search Assistant BHO
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} -
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {87775FDB-6972-41F9-AE51-8326E38CB206} - No File
uRun: [2X9I7BYX2HVCZF8VFHSCXXYSYXRRGAK] 2f0071000000
uRun: [K3aRyluP6SiCkoR] c:\users\ \appdata\roaming\flint4ytw.exe
uRunServices: [PlayerPlayer] c:\users\~1\appdata\local\temp\0.6116133340978206.exe
uRunServices: [0.6116133340978206] c:\users\\appdata\local\temp\0.6116133340978206.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SBRegRebootCleaner] "c:\program files\gfi software\vipre\SBRC.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
TCP: DhcpNameServer = 10.0.0.138
TCP: Interfaces\{DF559764-E4CE-49BA-A800-BDDA662DEDA6} : DhcpNameServer = 10.0.0.138
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\\appdata\roaming\mozilla\firefox\profiles\eals0j79.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft silverlight\5.0.61118.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2012-3-9 24408]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-3-9 610648]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-3-9 337112]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-3-9 20696]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-3-9 57688]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-3-9 44768]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]
R3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\Ndisrd.sys [2009-8-28 22016]
S2 gupdate;Google Updateservice (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-18 135664]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-15 54632]
S3 fsssvc;De service Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 gupdatem;Google Update-service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-18 135664]
S3 Ndisrd;WinpkFilter Service;c:\windows\system32\drivers\Ndisrd.sys [2009-8-28 22016]
S3 SBFWIMCL;GFI Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2012-2-2 94584]
S3 SBFWIMCLMP;GFI Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2012-2-2 94584]
.
=============== Created Last 30 ================
.
2012-03-13 19:14:01 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2012-03-13 14:07:43 6552120 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{8111a7a2-c1b9-4e26-b61e-25e9bd12d27a}\mpengine.dll
2012-03-09 19:17:18 610648 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-09 19:17:18 24408 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2012-03-09 19:17:17 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-03-09 19:14:16 41184 ----a-w- c:\windows\avastSS.scr
2012-03-09 19:10:32 -------- d-----w- c:\program files\AVAST Software
2012-03-09 18:27:13 -------- d-----w- c:\users\\appdata\local\temp
2012-03-09 18:25:24 -------- d-sh--w- C:\$RECYCLE.BIN
2012-03-09 18:03:17 -------- d-----w- C:\ComboFix
2012-03-06 15:48:37 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-03-06 15:48:37 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2012-03-06 15:44:09 -------- d-----w- c:\program files\iPod
2012-03-06 15:44:02 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-03-06 15:44:02 -------- d-----w- c:\program files\iTunes
2012-03-02 16:59:06 -------- d-----w- C:\TDSSStarter
2012-03-02 16:44:41 98816 ----a-w- c:\windows\sed.exe
2012-03-02 16:44:41 518144 ----a-w- c:\windows\SWREG.exe
2012-03-02 16:44:41 256000 ----a-w- c:\windows\PEV.exe
2012-03-02 16:44:41 208896 ----a-w- c:\windows\MBR.exe
2012-03-02 07:03:05 -------- d-----w- c:\users\ \appdata\roaming\Malwarebytes
2012-03-02 07:02:57 -------- d-----w- c:\programdata\Malwarebytes
2012-03-02 07:02:55 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-02 07:02:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-02 04:38:24 388096 ----a-r- c:\users\\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-03-02 04:38:21 -------- d-----w- c:\program files\Trend Micro
2012-03-01 18:06:44 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-02-29 21:36:25 -------- d-----w- c:\users\\appdata\roaming\CBS Interactive
2012-02-28 21:48:41 -------- d-----w- c:\programdata\CPA_VA
2012-02-28 21:21:05 -------- d-----w- c:\programdata\Comodo
2012-02-28 21:20:39 -------- d-----w- c:\program files\Comodo
2012-02-28 21:20:28 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-02-28 11:58:26 -------- d-----w- c:\users\\appdata\roaming\Wyroygz
2012-02-28 11:58:26 -------- d-----w- c:\users\\appdata\roaming\Cukara
2012-02-16 18:41:57 -------- d-----w- c:\program files\Conduit
2012-02-16 18:41:14 -------- d-----w- c:\users\\appdata\local\Conduit
.
==================== Find3M ====================
.
2012-03-13 19:11:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-28 15:25:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 08:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 1:51:24,05 ===============


aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
Run date: 2012-03-14 02:12:58
-----------------------------
02:12:58.404 OS Version: Windows 6.0.6000
02:12:58.405 Number of processors: 2 586 0xF0D
02:12:58.407 ComputerName: UserName:
02:12:59.919 Initialize success
02:13:00.151 AVAST engine defs: 12031301
02:13:05.925 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
02:13:05.929 Disk 0 Vendor: FUJITSU_ 8918 Size: 114473MB BusType: 3
02:13:05.936 Disk 0 MBR read successfully
02:13:05.941 Disk 0 MBR scan
02:13:05.947 Disk 0 unknown MBR code
02:13:05.953 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 107403 MB offset 63
02:13:05.976 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 7067 MB offset 219961980
02:13:05.986 Disk 0 scanning sectors +234436545
02:13:06.047 Disk 0 scanning C:\Windows\system32\drivers
02:13:15.355 Service scanning
02:13:16.448 Service .tdx \? **LOCKED** 123
02:13:36.393 Modules scanning
02:13:43.899 Disk 0 trace - called modules:
02:13:44.291 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
02:13:44.300 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85be6a08]
02:13:44.309 3 ntkrnlpa.exe[824b07e2] -> nt!IofCallDriver -> [0x8516a770]
02:13:44.319 5 acpi.sys[8066932a] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x84c11030]
02:13:45.402 AVAST engine scan C:\Windows
02:13:49.013 AVAST engine scan C:\Windows\system32
02:16:08.042 AVAST engine scan C:\Windows\system32\drivers
02:16:24.880 AVAST engine scan C:\Users\
02:18:28.019 Disk 0 MBR has been saved successfully to "C:\Users\ \Desktop\MBR.dat"
02:18:28.035 The log file has been saved successfully to "C:\Users\ \Desktop\aswMBR2.txt"
ComboFix
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\ \AppData\Local\S-1-5-31-1286970278978-5713669491-166975984-320\dmc\Desktop_1.ini
c:\users\ \AppData\Local\S-1-5-31-1286970278978-5713669491-166975984-320\dmc\Desktop_2.ini
c:\users\ \AppData\Local\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom\Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\dmc\Desktop_1.ini
c:\users\ \AppData\Local\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom\Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\dmc\Desktop_2.ini
c:\users\ \AppData\Local\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom\Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\tlsr\Desktop_1.ini
c:\users\ \AppData\Local\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom\Usb 2.0 Driver\S-1-5-31-1286970278978-5713669491-166975984-320\tlsr\Desktop_2.ini
c:\users\ \AppData\Local\S-1-5-31-1286970278978-5713669491-166975984-320\tlsr\Desktop_1.ini
c:\users\ \AppData\Local\S-1-5-31-1286970278978-5713669491-166975984-320\tlsr\Desktop_2.ini
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2012-02-14 to 2012-03-14 ))))))))))))))))))))))))))))))
.
.
2012-03-13 19:15 . 2012-03-13 19:15 -------- d-----w- c:\program files\Common Files\Java
2012-03-13 19:14 . 2012-03-13 19:12 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-03-13 19:11 . 2012-03-13 19:11 -------- d-----w- c:\program files\Java
2012-03-13 14:07 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8111A7A2-C1B9-4E26-B61E-25E9BD12D27A}\mpengine.dll
2012-03-09 19:17 . 2012-02-23 16:12 337112 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-09 19:17 . 2012-02-23 16:10 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-09 19:17 . 2012-02-23 16:10 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-09 19:17 . 2012-02-23 16:10 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-09 19:17 . 2012-02-23 16:12 610648 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-09 19:17 . 2012-02-23 16:11 24408 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2012-03-09 19:17 . 2012-02-23 16:10 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-03-09 19:14 . 2012-02-23 16:23 41184 ----a-w- c:\windows\avastSS.scr
2012-03-09 19:14 . 2012-02-23 16:23 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-09 19:10 . 2012-03-09 19:10 -------- d-----w- c:\program files\AVAST Software
2012-03-06 15:48 . 2009-05-18 12:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-03-06 15:48 . 2008-04-17 11:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2012-03-06 15:44 . 2012-03-06 15:44 -------- d-----w- c:\program files\iPod
2012-03-06 15:44 . 2012-03-06 15:48 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-03-06 15:44 . 2012-03-06 15:48 -------- d-----w- c:\program files\iTunes
2012-03-06 15:40 . 2012-03-06 15:40 -------- d-----w- c:\program files\Apple Software Update
2012-03-02 16:59 . 2012-03-02 17:01 -------- d-----w- C:\TDSSStarter
2012-03-02 07:03 . 2012-03-02 07:03 -------- d-----w- c:\users\ \AppData\Roaming\Malwarebytes
2012-03-02 07:02 . 2012-03-02 07:02 -------- d-----w- c:\programdata\Malwarebytes
2012-03-02 07:02 . 2012-03-02 07:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-02 07:02 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-02 04:38 . 2012-03-02 04:38 388096 ----a-r- c:\users\ AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-02 04:38 . 2012-03-02 04:38 -------- d-----w- c:\program files\Trend Micro
2012-03-01 16:33 . 2012-03-01 16:36 -------- d-----w- c:\users\ \AppData\Roaming\ImgBurn
2012-02-29 21:36 . 2012-02-29 21:36 -------- d-----w- c:\users\ \AppData\Roaming\CBS Interactive
2012-02-28 21:48 . 2012-03-01 18:17 -------- d-----w- c:\programdata\CPA_VA
2012-02-28 21:21 . 2012-02-28 21:48 -------- d-----w- c:\programdata\Comodo
2012-02-28 21:20 . 2012-03-01 15:27 -------- d-----w- c:\program files\Comodo
2012-02-28 21:20 . 2012-02-28 21:20 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2012-02-28 11:58 . 2012-02-28 20:17 -------- d-----w- c:\users\ \AppData\Roaming\Cukara
2012-02-28 11:58 . 2012-02-28 20:08 -------- d-----w- c:\users\ \AppData\Roaming\Wyroygz
2012-02-16 18:41 . 2012-02-16 18:41 -------- d-----w- c:\program files\Conduit
2012-02-16 18:41 . 2012-03-12 19:50 -------- d-----w- c:\users\ \AppData\Local\Conduit
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-13 19:11 . 2010-11-28 22:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-28 15:25 . 2011-08-25 18:40 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 08:18 . 2009-10-03 09:12 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-28 20:32 . 2012-02-12 22:15 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-02-23 16:23 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"2X9I7BYX2HVCZF8VFHSCXXYSYXRRGAK"="2f0071000000" [X]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"PlayerPlayer"="c:\users\ ~1\AppData\Local\Temp\0.6116133340978206.exe" [BU]
"0.6116133340978206"="c:\users\ \AppData\Local\Temp\0.6116133340978206.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 4390912]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-02-23 4031368]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
c:\program files\SUPERAntiSpyware\SASWINLO.DLL [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 01:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-09-20 14:35 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2007-03-12 09:54 50696 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-16 21:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
c:\program files\MSN Messenger\msnmsgr.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-02-13 09:38 159744 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-04-23 16:11 176128 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\QTTask.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Andere Services/Drivers In Geheugen ---
.
*Deregistered* - aswMBR
.
Inhoud van de 'Gedeelde Taken' map
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 13:25]
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 13:25]
.
.
------- Bijkomende Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 10.0.0.138
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
FF - ProfilePath - c:\users\ \AppData\Roaming\Mozilla\Firefox\Profiles\eals0j79.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS VERWIJDERD - - - -
.
URLSearchHooks-{87775fdb-6972-41f9-ae51-8326e38cb206} - (no file)
WebBrowser-{87775FDB-6972-41F9-AE51-8326E38CB206} - (no file)
HKCU-Run-K3aRyluP6SiCkoR - c:\users\ \AppData\Roaming\flint4ytw.exe
HKLM-Run-SBRegRebootCleaner - c:\program files\GFI Software\VIPRE\SBRC.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-14 02:39
Windows 6.0.6000 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
.
C:\avast! sandbox
.
Scan succesvol afgerond
verborgen bestanden: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.tdx]
"ImagePath"="\?"
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Voltooingstijd: 2012-03-14 02:43:51
ComboFix-quarantined-files.txt 2012-03-14 01:43
ComboFix2.txt 2012-03-09 18:27
.
Pre-Run: 3.754.053.632 bytes beschikbaar
Post-Run: 3.620.409.344 bytes beschikbaar
.
- - End Of File - - E6CDA4E8B8DA0CEE9DEDD1A941B7C543
Acy11
PC Web Plus - Member
Posts: 26
Registered: Fri 02 March 2012 16:11:12
OS: Windows Vista

Re: Buma-Stemra virus

Post by Maxstar » Wed 14 March 2012 12:50:18

Hi,

Acy11 wrote: but now my PC is infected again with the Buma virus. I actually don't understand how this was possible. Was the virus and/or rootkit still on the PC after the last time?

Last time we weren't completely finished yet, but do you happen to remember when you got infected again? Was that while visiting a specific website or a particular download?

Please post the following logs completely, because right now the headers of the logs are missing everywhere.

Note: This script is intended specifically for this PC, so do not use it on other PCs with a similar problem.
Open Notepad.
Copy and paste the following (bold, blue text) into an empty window:


DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} -
BHO: Ask Search Assistant BHO: {9cb65201-89c4-402c-ba80-02d8c59f9b1d} -
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} -
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} -
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} -
TB: {87775FDB-6972-41F9-AE51-8326E38CB206} -
uRun: [2X9I7BYX2HVCZF8VFHSCXXYSYXRRGAK]
uRun: [K3aRyluP6SiCkoR]
uRunServices: [PlayerPlayer]
uRunServices: [0.6116133340978206]

File::
c:\users\~1\appdata\local\temp\0.6116133340978206.exe
c:\users\appdata\local\temp\0.6116133340978206.exe

Folder::
c:\users\appdata\roaming\Wyroygz
c:\users\appdata\roaming\Cukara
c:\program files\Conduit
c:\users\appdata\local\Conduit

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\Windows\system32\userinit.exe,"


Save this to your Desktop as CFScript.txt


Drag CFScript.txt onto ComboFix.exe as shown in the example below:

[image]

This will make ComboFix restart.
Reboot when prompted, and post the contents of Combofix.txt in your next reply together with a new DDS log.
Kind regards,

Maxstar


Member of UNITE Unified Network of Instructors and Trained Eliminators (Unite Against Malware)
Maxstar
Administrator
Posts: 33979
Registered: Sat 27 Sep 2008 09:18:07
Knowledge level: (3) Expert
OS: Windows 7
AV: Emsisoft Internet Security
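A defender-side check for the kind of entries the CFScript above removes, as an added example that is not part of this thread or of ComboFix: it parses the REGEDIT4-style "Reg Opstartpunten" section of a ComboFix log and flags Run/RunServices values whose program sits in a user-writable temp or profile folder, whose name looks machine-generated, or whose data is not a program path. The sample block is constructed from the entries posted in this thread; the heuristics, regexes and function names are my own assumptions, not ComboFix's.

```python
"""Flag suspicious autorun entries in the registry section of a ComboFix log."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of ComboFix's "Reg Opstartpunten" section, built
# from the entries posted in this thread (the forum already stripped the username).
SAMPLE_LOG = r'''REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"2X9I7BYX2HVCZF8VFHSCXXYSYXRRGAK"="2f0071000000" [X]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"PlayerPlayer"="c:\users\ ~1\AppData\Local\Temp\0.6116133340978206.exe" [BU]
"0.6116133340978206"="c:\users\ \AppData\Local\Temp\0.6116133340978206.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 4390912]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
.
'''

# [KEY] header lines and "name"="data" [tag] value lines of the REGEDIT4-style dump.
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]\s*$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<data>[^"]*)"(?:\s*\[(?P<tag>[^\]]*)\])?\s*$')
# Only the classic autostart keys: ...\CurrentVersion\Run, RunOnce, RunServices, RunServicesOnce.
AUTORUN_KEY_RE = re.compile(r"\\currentversion\\run(once|services|servicesonce)?$", re.IGNORECASE)
# Locations any user process can write to; legitimate autostarts rarely live there.
USER_WRITABLE_RE = re.compile(r"\\(temp|appdata\\(local|roaming)|programdata|users\\public)\\", re.IGNORECASE)
# Machine-generated value names: long upper-case/digit blobs or a bare floating-point number.
RANDOM_NAME_RE = re.compile(r"^(?:[A-Z0-9]{16,}|\d+\.\d{6,})$")
EXECUTABLE_RE = re.compile(r"\.(exe|dll|scr|com|bat|cmd|vbs|js)$", re.IGNORECASE)


@dataclass
class AutorunEntry:
    key: str
    name: str
    data: str
    tag: Optional[str]          # ComboFix's bracketed annotation, carried through untouched
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_autorun_entries(log_text: str) -> List[AutorunEntry]:
    """Collect the values listed under autostart keys; other keys in the dump are ignored."""
    entries: List[AutorunEntry] = []
    current_key: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key and AUTORUN_KEY_RE.search(current_key):
            entries.append(AutorunEntry(current_key, value_match.group("name"),
                                        value_match.group("data"), value_match.group("tag")))
    return entries


def assess(entry: AutorunEntry) -> AutorunEntry:
    """Attach a human-readable reason for every heuristic the entry trips."""
    key_lower = entry.key.lower()
    if key_lower.startswith("hkey_current_user") and "runservices" in key_lower:
        entry.reasons.append("HKCU RunServices is a Windows 9x-era key with no function on Vista")
    if USER_WRITABLE_RE.search(entry.data):
        entry.reasons.append("program lives in a user-writable temp/profile directory")
    if RANDOM_NAME_RE.match(entry.name):
        entry.reasons.append("value name looks machine-generated")
    if "\\" not in entry.data and not EXECUTABLE_RE.search(entry.data):
        entry.reasons.append("value data is not a program path")
    return entry


def find_suspicious_autoruns(log_text: str) -> List[AutorunEntry]:
    """Parse the log and return only the entries that trip at least one heuristic."""
    return [e for e in map(assess, parse_autorun_entries(log_text)) if e.suspicious]


def format_report(findings: List[AutorunEntry]) -> str:
    """Render findings the way a helper would paste them back into a thread."""
    lines = []
    for f in findings:
        tag = f" [{f.tag}]" if f.tag else ""
        lines.append(f'{f.key}\n  "{f.name}"="{f.data}"{tag}')
        lines.extend(f"    - {reason}" for reason in f.reasons)
    return "\n".join(lines) if lines else "no suspicious autorun entries"


if __name__ == "__main__":
    print(format_report(find_suspicious_autoruns(SAMPLE_LOG)))
```

Running it on the sample reports the three HKCU entries and nothing from the HKLM Run key; on a real log, feed the whole ComboFix.txt and the non-autorun keys are skipped.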

Re: Buma-Stemra virus

Post by Acy11 » Wed 14 March 2012 14:14:36

Hi,

Maxstar wrote: Last time we weren't completely finished yet, but do you happen to remember when you got infected again? Was that while visiting a specific website or a particular download?

Before I wanted to stream a series, I was redirected to Ad.fly

ComboFix 12-03-13.01 - 14-03-2012 13:18:21.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.31.1043.18.2038.1035 [GMT 1:00]
Gestart vanuit: c:\users\ Desktop\ComboFix.exe
gebruikte Opdracht switches :: c:\users\ \Desktop\CFScript.txt
.
FILE ::
"c:\users\ \appdata\local\temp\0.6116133340978206.exe"
"c:\users\ ~1\appdata\local\temp\0.6116133340978206.exe"
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Conduit
c:\program files\Conduit\Community Alerts\Alert.dll
c:\users\ \appdata\local\Conduit
c:\users\ \appdata\roaming\Cukara
c:\users\ \appdata\roaming\Wyroygz
c:\users\ \appdata\roaming\Wyroygz\obiluxq.hug
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2012-02-14 to 2012-03-14 ))))))))))))))))))))))))))))))
.
.
2012-03-14 12:30 . 2012-03-14 12:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-14 01:43 . 2012-03-14 12:30 -------- d-----w- c:\users\ \AppData\Local\temp
2012-03-13 19:15 . 2012-03-13 19:15 -------- d-----w- c:\program files\Common Files\Java
2012-03-13 19:14 . 2012-03-13 19:12 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-03-13 19:11 . 2012-03-13 19:11 -------- d-----w- c:\program files\Java
2012-03-13 14:07 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8111A7A2-C1B9-4E26-B61E-25E9BD12D27A}\mpengine.dll
2012-03-09 19:17 . 2012-03-07 00:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-09 19:17 . 2012-03-07 00:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-09 19:17 . 2012-03-07 00:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-09 19:17 . 2012-03-07 00:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-09 19:17 . 2012-03-07 00:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-09 19:17 . 2012-03-07 00:02 24408 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2012-03-09 19:17 . 2012-03-07 00:01 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-03-09 19:14 . 2012-03-07 00:15 41184 ----a-w- c:\windows\avastSS.scr
2012-03-09 19:14 . 2012-03-07 00:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-09 19:10 . 2012-03-09 19:10 -------- d-----w- c:\program files\AVAST Software
2012-03-06 15:48 . 2009-05-18 12:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-03-06 15:48 . 2008-04-17 11:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2012-03-06 15:44 . 2012-03-06 15:44 -------- d-----w- c:\program files\iPod
2012-03-06 15:44 . 2012-03-06 15:48 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-03-06 15:44 . 2012-03-06 15:48 -------- d-----w- c:\program files\iTunes
2012-03-06 15:40 . 2012-03-06 15:40 -------- d-----w- c:\program files\Apple Software Update
2012-03-02 16:59 . 2012-03-02 17:01 -------- d-----w- C:\TDSSStarter
2012-03-02 07:03 . 2012-03-02 07:03 -------- d-----w- c:\users\ \AppData\Roaming\Malwarebytes
2012-03-02 07:02 . 2012-03-02 07:02 -------- d-----w- c:\programdata\Malwarebytes
2012-03-02 07:02 . 2012-03-02 07:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-02 07:02 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-02 04:38 . 2012-03-02 04:38 388096 ----a-r- c:\users\ \AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-02 04:38 . 2012-03-02 04:38 -------- d-----w- c:\program files\Trend Micro
2012-03-01 16:33 . 2012-03-01 16:36 -------- d-----w- c:\users\ \AppData\Roaming\ImgBurn
2012-02-29 21:36 . 2012-02-29 21:36 -------- d-----w- c:\users\ \AppData\Roaming\CBS Interactive
2012-02-28 21:48 . 2012-03-01 18:17 -------- d-----w- c:\programdata\CPA_VA
2012-02-28 21:21 . 2012-02-28 21:48 -------- d-----w- c:\programdata\Comodo
2012-02-28 21:20 . 2012-03-01 15:27 -------- d-----w- c:\program files\Comodo
2012-02-28 21:20 . 2012-02-28 21:20 1700352 ----a-w- c:\windows\system32\gdiplus.dll
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-13 19:11 . 2010-11-28 22:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-28 15:25 . 2011-08-25 18:40 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 08:18 . 2009-10-03 09:12 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-28 20:32 . 2012-02-12 22:15 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-07 00:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"PlayerPlayer"="c:\users\ ~1\AppData\Local\Temp\0.6116133340978206.exe" [BU]
"0.6116133340978206"="c:\users\ \AppData\Local\Temp\0.6116133340978206.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 4390912]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-07 4241512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
c:\program files\SUPERAntiSpyware\SASWINLO.DLL [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 01:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-09-20 14:35 202024 ----a-w- c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2007-03-12 09:54 50696 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-16 21:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
c:\program files\MSN Messenger\msnmsgr.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2007-02-13 09:38 159744 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-04-23 16:11 176128 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\QTTask.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
Inhoud van de 'Gedeelde Taken' map
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 13:25]
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-18 13:25]
.
.
------- Bijkomende Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 10.0.0.138
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
FF - ProfilePath - c:\users\ \AppData\Roaming\Mozilla\Firefox\Profiles\eals0j79.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-14 13:30
Windows 6.0.6000 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.tdx]
"ImagePath"="\?"
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Voltooingstijd: 2012-03-14 13:34:07
ComboFix-quarantined-files.txt 2012-03-14 12:34
ComboFix2.txt 2012-03-14 01:43
ComboFix3.txt 2012-03-09 18:27
.
Pre-Run: 3.143.655.424 bytes beschikbaar
Post-Run: 3.003.981.824 bytes beschikbaar
.
- - End Of File - - E23553B4327D1F35E9BF9CDB8667F0C9


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_31
Run by at 13:51:57 on 2012-03-14
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.31.1043.18.2038.1009 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\System32\alg.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Aanmelden - Help: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRunServices: [PlayerPlayer] c:\users\ ~1\appdata\local\temp\0.6116133340978206.exe
uRunServices: [0.6116133340978206] c:\users\ \appdata\local\temp\0.6116133340978206.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {EF0D1A14-1033-41A2-A589-240C01EDC078} - hxxp://dl.pplive.com/PluginSetup.cab
TCP: DhcpNameServer = 10.0.0.138
TCP: Interfaces\{DF559764-E4CE-49BA-A800-BDDA662DEDA6} : DhcpNameServer = 10.0.0.138
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\ \appdata\roaming\mozilla\firefox\profiles\eals0j79.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft silverlight\5.0.61118.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2012-3-9 24408]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-3-9 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-3-9 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-3-9 20696]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-3-9 57688]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-3-14 44768]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]
R3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\Ndisrd.sys [2009-8-28 22016]
S2 gupdate;Google Updateservice (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-18 135664]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-15 54632]
S3 fsssvc;De service Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 gupdatem;Google Update-service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-18 135664]
S3 Ndisrd;WinpkFilter Service;c:\windows\system32\drivers\Ndisrd.sys [2009-8-28 22016]
S3 SBFWIMCL;GFI Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2012-2-2 94584]
S3 SBFWIMCLMP;GFI Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2012-2-2 94584]
.
=============== Created Last 30 ================
.
2012-03-14 12:34:11 -------- d-sh--w- C:\$RECYCLE.BIN
2012-03-14 12:16:02 -------- d-----w- C:\ComboFix
2012-03-14 01:43:54 -------- d-----w- c:\users\ \appdata\local\temp
2012-03-14 01:23:33 518144 ----a-w- c:\windows\SWREG.exe
2012-03-14 01:23:33 256000 ----a-w- c:\windows\PEV.exe
2012-03-14 01:23:33 208896 ----a-w- c:\windows\MBR.exe
2012-03-14 01:23:32 98816 ----a-w- c:\windows\sed.exe
2012-03-13 19:14:01 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2012-03-13 14:07:43 6552120 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{8111a7a2-c1b9-4e26-b61e-25e9bd12d27a}\mpengine.dll
2012-03-09 19:17:18 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-09 19:17:18 24408 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2012-03-09 19:17:17 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-03-09 19:14:16 41184 ----a-w- c:\windows\avastSS.scr
2012-03-09 19:10:32 -------- d-----w- c:\program files\AVAST Software
2012-03-06 15:48:37 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-03-06 15:48:37 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2012-03-06 15:44:09 -------- d-----w- c:\program files\iPod
2012-03-06 15:44:02 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-03-06 15:44:02 -------- d-----w- c:\program files\iTunes
2012-03-02 16:59:06 -------- d-----w- C:\TDSSStarter
2012-03-02 07:03:05 -------- d-----w- c:\users\ \appdata\roaming\Malwarebytes
2012-03-02 07:02:57 -------- d-----w- c:\programdata\Malwarebytes
2012-03-02 07:02:55 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-02 07:02:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-02 04:38:24 388096 ----a-r- c:\users\ \appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-03-02 04:38:21 -------- d-----w- c:\program files\Trend Micro
2012-02-29 21:36:25 -------- d-----w- c:\users\ \appdata\roaming\CBS Interactive
2012-02-28 21:48:41 -------- d-----w- c:\programdata\CPA_VA
2012-02-28 21:21:05 -------- d-----w- c:\programdata\Comodo
2012-02-28 21:20:39 -------- d-----w- c:\program files\Comodo
2012-02-28 21:20:28 1700352 ----a-w- c:\windows\system32\gdiplus.dll
.
==================== Find3M ====================
.
2012-03-13 19:11:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-28 15:25:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 08:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 13:53:31,70 ===============
Acy11
OS: Windows vista