
Everything posted by michrd
-
So far I have not had a single alert from AVG about conhost any more. I am happy >>> what a &^%$@#$ virus.... Thank you very much for your help :-) Mich
-
After starting my AVG I sent conhost to quarantine ... and since then I have had no more alerts from AVG. Here is the log from the little bat file:

Deleting files C:\WINDOWS\TEMP\conhost.exe not found

This is the logfile from TDSSKiller:

\Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
\Device\Harddisk0\DR0 - ok

TDSSKiller says it will be cured after reboot .... so I am going to do that right now. Great, the way you have helped me, APPLAUSE !!!! I hope I never get conhost again ... or run into its author in the street some day hahahah. I am going to reboot ... and will definitely let you know here whether it all worked / keeps going well. Super
-
ComboFix 11-08-30.01 - mich 30-08-2011 17:39:26.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.3071.2474 [GMT 2:00]
Running from: c:\documents and settings\mich\Bureaublad\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\mich\Application Data\Adobe\plugs
c:\documents and settings\mich\Application Data\Adobe\plugs\mmc116.exe
c:\documents and settings\mich\Application Data\Adobe\plugs\mmc227.exe
c:\documents and settings\mich\Application Data\Adobe\shed
c:\documents and settings\mich\Application Data\PriceGong
c:\documents and settings\mich\Application Data\PriceGong\Data\1.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\a.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\b.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\c.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\d.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\e.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\f.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\g.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\h.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\i.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\J.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\k.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\l.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\m.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\n.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\o.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\p.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\q.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\r.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\s.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\t.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\u.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\v.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\w.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\x.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\y.xml
c:\documents and settings\mich\Application Data\PriceGong\Data\z.xml
c:\documents and settings\mich\Application Data\Ybavep
c:\documents and settings\mich\Application Data\Ybavep\ukyp.iri
c:\documents and settings\mich\SendTo\RemoveOnReboot.exe
c:\documents and settings\mich\WINDOWS
C:\Documents
c:\windows\system\Pncrt.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_RKHIT
-------\Service_RkHit
.
.
(((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-30 ))))))))))))))))))))))))))))))
.
.
2011-08-30 04:56 . 2011-08-30 04:56 388096 ----a-r- c:\documents and settings\mich\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-08-30 04:56 . 2011-08-30 04:56 -------- d-----w- c:\program files\Trend Micro
2011-08-29 17:19 . 2011-08-29 17:19 -------- d-----w- c:\documents and settings\mich\Application Data\Systweak
2011-08-29 17:19 . 2011-08-29 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2011-08-29 17:18 . 2011-08-29 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-08-29 17:18 . 2011-08-29 17:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-29 17:16 . 2011-08-29 17:16 -------- d-----w- c:\documents and settings\mich\Application Data\Uzte
2011-08-29 14:39 . 2011-07-28 11:06 17280 ----a-w- c:\windows\system32\roboot.exe
2011-08-29 14:07 . 2011-08-29 14:07 1152 ----a-w- c:\windows\system32\windrv.sys
2011-08-29 14:05 . 2011-08-29 17:10 -------- d-----w- c:\documents and settings\mich\Application Data\GetRightToGo
2011-08-28 16:56 . 2011-08-28 16:56 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-28 07:20 . 2011-08-28 07:20 -------- d-----w- c:\documents and settings\mich\Application Data\Malwarebytes
2011-08-28 07:20 . 2011-08-28 07:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-20 04:49 . 2011-08-20 04:49 -------- d-----w- c:\documents and settings\mich\Local Settings\Application Data\http_twitter.com_0
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2008-04-15 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-04-15 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2010-10-20 10:25 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:31 . 2008-04-15 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:31 . 2008-04-15 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:31 . 2008-04-15 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2008-04-15 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2008-04-15 12:00 293888 ----a-w- c:\windows\system32\winsrv.dll
2011-06-06 11:35 . 2008-04-15 12:00 1859072 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-08 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-08 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-25 1753192]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-05-11 200069]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-12-25 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
.
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
Snelstart HP Image Zone.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SecondLifeViewer2\\SLVoice.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Imprudence\\SLVoice.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\SecondLifeViewer2\\slplugin.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13-9-2010 16:27 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [7-9-2010 3:48 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7-9-2010 3:48 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7-9-2010 3:49 297168]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [8-2-2011 5:33 269520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19-8-2010 21:42 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19-8-2010 21:42 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19-8-2010 21:42 27216]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [20-10-2010 16:16 33792]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [14-1-2008 12:06 21632]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [20-10-2010 10:58 100712]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [18-4-2011 17:39 7398752]
S2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4-1-2011 16:13 136176]
S3 gupdatem;Google Update-service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4-1-2011 16:13 136176]
S4 cpuz134;cpuz134;\??\c:\docume~1\mich\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\mich\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-04 14:13]
.
2011-08-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-04 14:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
mStart Page = hxxp://www.bing.com/
IE: &SHOUTcast Search - c:\documents and settings\All Users\Application Data\SHOUTcast Radio Toolbar\ieToolbar\resources\en-US\local\search.html
TCP: DhcpNameServer = 212.54.35.25 212.54.40.25
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Spyware Doctor - c:\documents and settings\mich\Bureaublad\sdsetup_revwire207[1].exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-08-30 19:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: Hitachi_HDS721616PLAT80 rev.P22OA8BA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A2C931B
user & kernel MBR OK
copy of MBR has been found in sector 312560640
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-725345543-1801674531-1920980409-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6510B3E4-6EE6-A205-C777-56C343079B5B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ialpigngifofabcodc"=hex:6b,61,68,70,6c,63,64,62,6f,66,6b,6f,65,67,6a,63,67,64,69,63,6c,66,00,02
"hanpkefgmpclnbjj"=hex:6a,61,61,70,66,63,70,6c,6e,66,64,6e,69,69,66,66,69,6c,65,70,00,ff
"iahnafbkinmlepkboj"=hex:63,61,67,70,6d,66,00,7c
"dbfpecamgachgadgmgocacdgkcgnfedpmipgiagm"=hex:68,61,6b,6e,66,63,6c,68,62,68,62,70,67,6c,6e,6f,00,00
"jbfpecamgachgadgmgocncbeiinlljcmbhlmkohmjnokafommegi"=hex:68,61,6b,6e,66,63,6c,68,62,68,62,70,67,6c,6e,6f,00,00
"dbfpecamgachgadgmgocddggffiaknhhjamnonbb"=hex:6a,61,6e,62,66,63,69,61,6b,62,61,62,6e,6f,6c,63,64,63,70,6d,00,00
"dbfphhpeklgjehagjlamnpcigofpmigfpcjeione"=hex:68,61,6b,6e,66,63,6c,68,62,68,62,70,67,6c,6e,6f,00,00
"jbfphhpeklgjehagjlammaocaaggmnfkccholpeccoekhgghmmjd"=hex:68,61,6b,6e,66,63,6c,68,62,68,62,70,67,6c,6e,6f,00,00
"dbfphhpeklgjehagjlamgapgemcfplkfachagcap"=hex:62,61,6e,62,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1224)
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\windows\system32\wscntfy.exe
c:\windows\TEMP\conhost.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-08-30 20:03:22 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-30 18:03
.
Pre-Run: 21.178.150.912 bytes free
Post-Run: 23.165.616.128 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - FA8878DA7F0CD23CB2DD48524A636A45

---------- Post added at 20:13 ---------- Previous post was at 20:06 ----------

Here is my ComboFix text file. It took a very long time .... and when ComboFix wanted to shut down my PC I waited an hour and a half; it hung at: "You are now being logged off" >>>> after more than an hour and a half I reset at the blue Windows logoff screen ... and immediately switched my AVG off again. After that ComboFix carried on and produced this logfile. As soon as it was finished I switched AVG back on and immediately got the alert Virus Bitcoinminer.A - Conhost.exe in C:/windows Temp

---------- Post added at 20:16 ---------- Previous post was at 20:13 ----------

Here is my new HijackThis logfile from 20:15:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:15:46, on 30-8-2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SHOUTcast Loader - {ccec60fc-2608-4e58-9659-3ffc159e8ea9} - C:\Program Files\SHOUTcast Radio Toolbar\shoutcasttb.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SHOUTcast Radio Toolbar - {0457331d-8ca6-4f97-9c26-6a9ef2b2dba8} - C:\Program Files\SHOUTcast Radio Toolbar\shoutcasttb.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &SHOUTcast Search - C:\Documents and Settings\All Users\Application Data\SHOUTcast Radio Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1287579073281
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Google Updateservice (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update-service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 7995 bytes

---------- Post added at 20:18 ---------- Previous post was at 20:16 ----------

I hope you can do something with this. Many thanks in advance for all your time
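The TDSSKiller result posted above this log (\Device\Harddisk0\DR0 flagged as Rootkit.Win32.TDSS.tdl4) and the GMER "Stealth MBR rootkit" section of this ComboFix log both concern the disk's master boot record: TDL4 is an MBR bootkit, and GMER reported a user-mode and a kernel-mode MBR read, a DriverStartIo hook on \Driver\atapi, and a copy of the MBR in another sector. The following is an added Python example (this editor's, not code from GMER, TDSSKiller, ComboFix or the forum) of the check a responder makes on a raw sector dump or disk image: parse the 512-byte MBR, validate its structure, and diff the boot code of two reads, because a bootkit usually replaces the loader code while leaving the partition table intact so the machine still boots normally. The two MBRs are constructed inside the file; the partition layout and the boot-code bytes are made up for the demonstration and do not come from the user's disk.

```python
"""Parse and compare 512-byte MBR images. Added example for this thread; the
checks are generic MBR structure checks, not the logic of any named scanner."""
import struct

MBR_SIZE = 512
PT_OFFSET = 446            # partition table follows 446 bytes of boot code
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partitions(mbr):
    """Decode the four partition entries (status, type, LBA start, LBA count)."""
    entries = []
    for i in range(4):
        off = PT_OFFSET + i * ENTRY_SIZE
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "lba_count": lba_count})
    return entries


def check_mbr(mbr):
    """Structural sanity checks; returns a list of problems (empty means well-formed)."""
    problems = []
    if len(mbr) != MBR_SIZE:
        return [f"unexpected size {len(mbr)}"]
    if mbr[510:512] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA boot signature")
    parts = [p for p in parse_partitions(mbr) if p["type"] != 0]
    if not any(p["bootable"] for p in parts):
        problems.append("no partition flagged bootable")
    for p in parts:
        if p["lba_start"] == 0 or p["lba_count"] == 0:
            problems.append(f"partition {p['index']}: zero start/length")
    spans = sorted((p["lba_start"], p["lba_start"] + p["lba_count"], p["index"]) for p in parts)
    for (_, end_a, idx_a), (start_b, _, idx_b) in zip(spans, spans[1:]):
        if start_b < end_a:
            problems.append(f"partitions {idx_a} and {idx_b} overlap")
    return problems


def diff_boot_code(read_a, read_b):
    """Compare only the boot-code region of two reads.
    Returns (number of differing bytes, offset of the first difference or None)."""
    diffs = [i for i in range(PT_OFFSET) if read_a[i] != read_b[i]]
    return len(diffs), (diffs[0] if diffs else None)


def compare_reads(current, backup):
    """Summarise the current MBR against a backup copy: the partition table is
    compared separately because a bootkit normally leaves it untouched."""
    count, first = diff_boot_code(current, backup)
    return {
        "partition_table_same": current[PT_OFFSET:510] == backup[PT_OFFSET:510],
        "boot_code_differing_bytes": count,
        "first_difference_offset": first,
    }


def make_mbr(boot_code, partitions):
    """Assemble an MBR from boot code and (bootable, type, lba_start, lba_count) tuples."""
    body = bytearray(boot_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET])
    for bootable, ptype, start, count in partitions:
        body += struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, start, count)
    body += b"\x00" * ENTRY_SIZE * (4 - len(partitions))
    body += BOOT_SIGNATURE
    return bytes(body)


# Constructed sample data (not from the user's disk): a clean MBR whose boot code
# starts with the usual "xor ax,ax / mov ss,ax / mov sp,7C00h" prologue, and a
# copy whose loader code was replaced while partition table and signature were
# left intact, the pattern a bootkit leaves behind.
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 100
PARTITIONS = [(True, 0x07, 63, 20_000_000)]        # one bootable NTFS partition
CLEAN_MBR = make_mbr(CLEAN_BOOT_CODE, PARTITIONS)
PATCHED_MBR = make_mbr(b"\xEB\x3C\x90" + b"\x00" * 60, PARTITIONS)

if __name__ == "__main__":
    print("clean MBR problems:", check_mbr(CLEAN_MBR))
    print("patched vs clean:", compare_reads(CLEAN_MBR, PATCHED_MBR))
```

To use it on real data, read 512 bytes from the physical disk (on Windows, \\.\PhysicalDrive0 opened with administrator rights) and 512 bytes from the sector the scanner named, and pass both to compare_reads. The caveat GMER's "detected hooks" line exists to surface: a rootkit that hooks the disk driver can hand a clean MBR back to every read made from the running system, so the reads worth trusting are the ones taken offline, from a boot CD or with the disk attached to another machine.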
-
From safe mode I have added the details of the virus here just to be sure:

maker: Ufasoft
version: 6.0.1994.0
Bitcoin-miner
Bitcoin-miner.exe

According to my search on the internet for conhost (bitcoin-miner) it was made in Germany. Maybe you can do something more with this. Mich
-
Hi, thank you for the quick reply. I hope you can do something with my logfile ... I already had autoruns.exe (Microsoft) running as well; I saw nothing unusual there, and the virus was immediately detected again by AVG. Thanks in advance. Here is my logfile from HijackThis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:57:39, on 30-8-2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\DOCUME~1\mich\LOCALS~1\Temp\Rar$EX00.500\autoruns.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo! Nederland
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: SHOUTcast Toolbar Search Class - {14f0d511-36a2-41ca-ae01-ba4f87282c97} - C:\Program Files\SHOUTcast Radio Toolbar\shoutcasttb.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SHOUTcast Loader - {ccec60fc-2608-4e58-9659-3ffc159e8ea9} - C:\Program Files\SHOUTcast Radio Toolbar\shoutcasttb.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SHOUTcast Radio Toolbar - {0457331d-8ca6-4f97-9c26-6a9ef2b2dba8} - C:\Program Files\SHOUTcast Radio Toolbar\shoutcasttb.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [spyware Doctor] C:\Documents and Settings\mich\Bureaublad\sdsetup_revwire207[1].exe -min
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &SHOUTcast Search - C:\Documents and Settings\All Users\Application Data\SHOUTcast Radio Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1287579073281
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Google Updateservice (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update-service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 8702 bytes
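The HijackThis and ComboFix logs in this thread were read by hand. The following is an added Python example (this editor's, not HijackThis, ComboFix or forum code) that automates the three checks a helper applies first to such logs: executables that run or auto-start from temporary or user-writable directories, Windows system binary names that appear outside their home directory, and entries whose target file is missing. The sample lines are constructed by copying entries from the logs above (the conhost.exe process, the autoruns.exe run from a WinRAR temp folder, the Spyware Doctor installer started from the Desktop, the orphaned BHO and MySQL service lines, the cpuz134 driver in Temp) and mixing them with benign ones; the directory patterns and the SYSTEM_BINARY_HOME table are this example's own assumptions. One caveat worth stating for this thread: conhost.exe did not exist before Windows 7, so on a Windows XP machine any file with that name is foreign regardless of which directory it sits in.

```python
"""Triage of HijackThis-style log lines: flag executables that run or auto-start
from temporary or user-writable directories, Windows system binary names found
outside their home directory, and orphaned entries whose target is missing.
Added example for this thread; not HijackThis, ComboFix or forum code."""
import re
from dataclasses import dataclass

# First absolute path with an executable extension on a line. Handles quoted and
# unquoted paths, rundll32 "path.dll,Entry" forms and 8.3 short names.
PATH_RE = re.compile(r'([A-Za-z]:\\.+?\.(?:exe|dll|sys|cpl|scr|bat|cmd))(?=[\s",]|$)', re.I)

# Directories nothing should auto-start from on a healthy machine. Assumption of
# this example; tune for the locale (Bureaublad is the Dutch Desktop folder).
SUSPICIOUS_DIR_PATTERNS = [
    r"\\temp\\",              # C:\WINDOWS\TEMP, ...\Local Settings\Temp
    r"\\locals~1\\",          # 8.3 form of "Local Settings"
    r"\\application data\\",  # per-user application data
    r"\\bureaublad\\",        # Dutch "Desktop"
    r"\\desktop\\",
]

# Frequently impersonated Windows binaries and the only directory each lives in.
# conhost.exe is included because it is the name abused in this thread; note it
# did not exist before Windows 7, so on XP any file by that name is foreign.
SYSTEM_BINARY_HOME = {
    "conhost.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def extract_path(entry):
    """Return the first executable path on a log line, or None."""
    m = PATH_RE.search(entry)
    return m.group(1) if m else None


def triage_line(entry):
    """Return the reasons (possibly none) why one log line deserves a closer look."""
    reasons = []
    low = entry.lower()
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("orphaned entry: target file missing")
    path = extract_path(entry)
    if path is None:
        return reasons
    lp = path.lower()
    directory, name = lp.rsplit("\\", 1)
    if any(re.search(p, lp) for p in SUSPICIOUS_DIR_PATTERNS):
        reasons.append(f"starts from temporary/user-writable directory: {path}")
    home = SYSTEM_BINARY_HOME.get(name)
    if home is not None and directory != home:
        reasons.append(f"system binary name outside {home}: {path}")
    return reasons


def triage(log_text):
    """Run triage_line over every non-empty line; return the findings in order."""
    findings = []
    for raw in log_text.splitlines():
        entry = raw.strip()
        if entry:
            findings.extend(Finding(entry, r) for r in triage_line(entry))
    return findings


# Constructed sample: a handful of lines copied from the HijackThis and ComboFix
# logs posted in this thread, mixed with benign ones.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\conhost.exe
C:\DOCUME~1\mich\LOCALS~1\Temp\Rar$EX00.500\autoruns.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKCU\..\Run: [spyware Doctor] C:\Documents and Settings\mich\Bureaublad\sdsetup_revwire207[1].exe -min
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
S4 cpuz134;cpuz134;\??\c:\docume~1\mich\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\mich\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Every hit is a lead, not a verdict: the autoruns.exe and cpuz134 entries are tools the user ran from an archive or a temp folder, and the MySQL "(file missing)" line should be checked against the ComboFix log, which shows the service's real ImagePath as a quoted path to mysqld under Program Files with arguments, before anything is deleted on the strength of a HijackThis line alone.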
-
Conhost.exe virus

It seems a lot of people have the same thing ... so I have already tried a lot ... only in safe mode can I find conhost, but it cannot be removed ... My AVG reports a threat every 2 minutes ... and the file cannot be found (or it is in a folder) and cannot be removed ... in quarantine it does show up, though. Autoruns from Microsoft does not find anything either ... there must be another little program that starts Conhost every time. I hope something can be done about this soon. Thanks in advance to whoever has a solution for this
