antimalware doctor episode 2


Aanbevolen berichten

  • Reacties 43
  • Aangemaakt
  • Laatste reactie

Beste reacties in dit topic

Nothing found in Svchost.exe by the various scanners.

Here is a short write-up of the chat with McAfee. The guys there are doing great work. It's nothing serious.

Virus Profile: Generic Downloader.x!dzb

GoToAssist (17:21:27):

Your agent has arrived.

Customer (17:21:44):

good afternoon,

Customer (17:22:03):

my internet connection was briefly interrupted.

Galya (17:22:47):

Good day! Thank you for contacting McAfee Support.

Your service request number is: 517874230

One moment please, I will check your account.

Galya (17:24:33):

We just spoke

Customer (17:25:44):

yes, my internet was briefly interrupted, restarted the PC and the first entry in my quarantine section is generic downloader.x!dzb.

Customer (17:26:26):

artemis entries removed from the quarantine.

Galya (17:27:14):

If you have no way to remove this program yourself, you can simply leave it there

Galya (17:27:28):

The program cannot infect the PC

Galya (17:27:41):

and it is not a virus either, but an unwanted program

Customer (17:28:15):

what options are there to remove it?

Galya (17:28:54):

Which ones do you see when you open the quarantine and select the program

Customer (17:30:13):

restore / delete / send. I can delete it, but after 10 minutes it is back again! Started every 10 minutes from a different temp.

Galya (17:30:58):

In that case you can leave the program there

Galya (17:31:04):

Is there anything else I can help you with?

Customer (17:32:30):

apparently not. Do I have to empty my quarantine + temp folder every day?

Galya (17:34:05):

No, not necessary

Customer (17:34:18):

OK. Have a nice day.

Galya (17:34:43):

I would like to thank you again for contacting McAfee. If you have no further questions, you may end this chat session.

I wish you a pleasant rest of the day.

edited by marky marc

On mcafeesecurity.com it is listed as a trojan, but with low risk. Discovered on 13/06, and there is a DAT file to remove it, but it is not yet available to the "small" paying customer. It may be included in an update one of these days.

Just have to wait a bit.


New developments at the front. Got the same problems as with the previous infection. Ran a new ComboFix. Wasn't simple. See log.

ComboFix 10-06-18.03 - Marc 19/06/2010 17:18:01.17.2 - x86 MINIMAL

Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.1022.806 [GMT 2:00]

Gestart vanuit: c:\documents and settings\Marc\Bureaublad\ComboFix.exe

gebruikte Opdracht switches :: c:\documents and settings\Marc\Bureaublad\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\20654nm2.exe

c:\documents and settings\Marc\GoToAssistDownloadHelper.exe

c:\program files\McAfee.com\Agent\mcagent.exe

c:\program files\QuickTime\qttask.exe

c:\windows\Tasks\At1.job

c:\windows\Tasks\At10.job

c:\windows\Tasks\At11.job

c:\windows\Tasks\At12.job

c:\windows\Tasks\At13.job

c:\windows\Tasks\At14.job

c:\windows\Tasks\At15.job

c:\windows\Tasks\At16.job

c:\windows\Tasks\At17.job

c:\windows\Tasks\At18.job

c:\windows\Tasks\At19.job

c:\windows\Tasks\At2.job

c:\windows\Tasks\At20.job

c:\windows\Tasks\At21.job

c:\windows\Tasks\At22.job

c:\windows\Tasks\At23.job

c:\windows\Tasks\At24.job

c:\windows\Tasks\At25.job

c:\windows\Tasks\At26.job

c:\windows\Tasks\At27.job

c:\windows\Tasks\At28.job

c:\windows\Tasks\At29.job

c:\windows\Tasks\At3.job

c:\windows\Tasks\At30.job

c:\windows\Tasks\At31.job

c:\windows\Tasks\At32.job

c:\windows\Tasks\At33.job

c:\windows\Tasks\At34.job

c:\windows\Tasks\At35.job

c:\windows\Tasks\At36.job

c:\windows\Tasks\At37.job

c:\windows\Tasks\At38.job

c:\windows\Tasks\At39.job

c:\windows\Tasks\At4.job

c:\windows\Tasks\At40.job

c:\windows\Tasks\At41.job

c:\windows\Tasks\At42.job

c:\windows\Tasks\At43.job

c:\windows\Tasks\At44.job

c:\windows\Tasks\At45.job

c:\windows\Tasks\At46.job

c:\windows\Tasks\At47.job

c:\windows\Tasks\At48.job

c:\windows\Tasks\At49.job

c:\windows\Tasks\At5.job

c:\windows\Tasks\At50.job

c:\windows\Tasks\At51.job

c:\windows\Tasks\At52.job

c:\windows\Tasks\At53.job

c:\windows\Tasks\At54.job

c:\windows\Tasks\At55.job

c:\windows\Tasks\At56.job

c:\windows\Tasks\At57.job

c:\windows\Tasks\At58.job

c:\windows\Tasks\At59.job

c:\windows\Tasks\At6.job

c:\windows\Tasks\At60.job

c:\windows\Tasks\At61.job

c:\windows\Tasks\At62.job

c:\windows\Tasks\At63.job

c:\windows\Tasks\At64.job

c:\windows\Tasks\At65.job

c:\windows\Tasks\At66.job

c:\windows\Tasks\At67.job

c:\windows\Tasks\At68.job

c:\windows\Tasks\At69.job

c:\windows\Tasks\At7.job

c:\windows\Tasks\At70.job

c:\windows\Tasks\At71.job

c:\windows\Tasks\At72.job

c:\windows\Tasks\At8.job

c:\windows\Tasks\At9.job

c:\program files\McAfee.com\Agent\mcagent .exe ---> c:\program files\McAfee.com\Agent\mcagent.exe

c:\program files\QuickTime\qttask .exe ---> c:\program files\QuickTime\qttask.exe

.

Besmet exemplaar van c:\windows\system32\kernel32.dll werd aangetroffen en gedesinfecteerd

Hersteld exemplaar van - c:\windows\ERDNT\cache\kernel32.dll

.

(((((((((((((((((((( Bestanden Gemaakt van 2010-05-19 to 2010-06-19 ))))))))))))))))))))))))))))))

.

2010-06-19 12:57 . 2010-06-19 12:57 45056 ----a-w- c:\windows\system32\JhD00NrB.dll

2010-06-18 15:09 . 2010-06-18 15:09 388096 ----a-r- c:\documents and settings\Marc\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-06-16 12:13 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-16 12:12 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-14 14:45 . 2010-06-14 14:45 -------- d-----w- c:\documents and settings\Marc\Local Settings\Application Data\Citrix

2010-06-11 13:32 . 2010-06-11 15:26 -------- d-----w- c:\documents and settings\Marc\DoctorWeb

2010-06-07 12:29 . 2010-06-07 12:29 140288 ----a-w- c:\windows\system32\drivers\ethhpxtw.sys

2010-06-04 17:53 . 2010-06-04 17:53 503808 ----a-w- c:\documents and settings\Marc\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e4ec1e2-n\msvcp71.dll

2010-06-04 17:53 . 2010-06-04 17:53 61440 ----a-w- c:\documents and settings\Marc\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-46c7c7c1-n\decora-sse.dll

2010-06-04 17:53 . 2010-06-04 17:53 499712 ----a-w- c:\documents and settings\Marc\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e4ec1e2-n\jmc.dll

2010-06-04 17:53 . 2010-06-04 17:53 348160 ----a-w- c:\documents and settings\Marc\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e4ec1e2-n\msvcr71.dll

2010-06-04 17:53 . 2010-06-04 17:53 12800 ----a-w- c:\documents and settings\Marc\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-46c7c7c1-n\decora-d3d.dll

2010-06-04 17:53 . 2010-06-04 17:52 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-03 18:20 . 2010-06-03 18:20 -------- d-----w- c:\documents and settings\Marc\Local Settings\Application Data\oespxrnvk

2010-06-02 10:07 . 2010-06-02 10:07 -------- d-----w- c:\windows\system32\siscardplugins

2010-06-02 10:07 . 2010-06-02 10:07 -------- d-----w- c:\windows\system32\beidpp

2010-06-02 10:07 . 2010-06-02 10:07 -------- d-----w- c:\program files\Belgium Identity Card

2010-05-21 12:15 . 2010-05-21 12:15 -------- d-----w- c:\windows\system32\XPSViewer

2010-05-21 12:15 . 2010-05-21 12:15 -------- d-----w- c:\program files\MSBuild

2010-05-21 12:15 . 2010-05-21 12:15 -------- d-----w- c:\program files\Reference Assemblies

2010-05-21 12:14 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2010-05-21 12:14 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-05-21 12:14 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-05-21 12:14 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-05-21 12:14 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-05-21 12:14 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2010-05-21 12:14 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2010-05-21 12:14 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2010-05-21 12:14 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2010-05-21 12:14 . 2010-05-21 12:14 -------- d-----w- C:\7bfc1e3994985516f0a3765a

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-19 15:31 . 2010-05-05 18:14 -------- d-----w- c:\program files\QuickTime

2010-06-19 13:03 . 2010-05-01 08:34 112 ----a-w- c:\documents and settings\All Users\Application Data\6pq0BV.dat

2010-06-18 14:33 . 2009-11-24 10:29 -------- d-----w- c:\program files\Everest Poker

2010-06-17 09:13 . 2008-04-21 13:32 -------- d-----w- c:\documents and settings\Marc\Application Data\OpenOffice.org2

2010-06-17 09:11 . 2008-04-21 13:35 1 ----a-w- c:\documents and settings\Marc\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys

2010-06-16 12:13 . 2010-04-27 14:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-15 17:16 . 2007-03-21 14:42 -------- d-----w- c:\program files\McAfee

2010-06-13 11:09 . 2008-10-22 17:04 -------- d-----w- c:\program files\USD

2010-06-12 18:27 . 2006-01-07 10:28 -------- d-----w- c:\program files\BoontyGames

2010-06-12 18:26 . 2006-12-15 13:58 -------- d-----w- c:\program files\Belgacom

2010-06-12 18:24 . 2006-12-19 12:24 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-06-12 18:24 . 2006-01-05 14:24 -------- d-----w- c:\program files\support.com

2010-06-12 18:18 . 2005-12-15 01:49 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-12 18:18 . 2006-12-25 13:19 -------- d-----w- c:\program files\Ubisoft

2010-06-12 08:43 . 2010-05-14 18:41 300384 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Supportability\Content\MVT\XMLFiles\detect.dll

2010-06-12 08:43 . 2009-03-30 16:31 300384 ----a-w- c:\documents and settings\Marc\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll

2010-06-08 09:30 . 2007-07-11 09:12 -------- d-----w- c:\program files\CCleaner

2010-06-04 17:53 . 2005-12-15 01:44 -------- d-----w- c:\program files\Common Files\Java

2010-06-04 17:52 . 2005-12-15 01:44 -------- d-----w- c:\program files\Java

2010-06-03 18:19 . 2004-09-14 08:38 182656 ----a-w- c:\windows\system32\drivers\ndis.sys

2010-06-02 10:06 . 2006-06-14 09:53 29184 ----a-w- c:\windows\system32\drivers\usbccid.sys

2010-05-22 12:14 . 2004-09-14 08:38 91518 ----a-w- c:\windows\system32\perfc013.dat

2010-05-22 12:14 . 2004-09-14 08:38 510428 ----a-w- c:\windows\system32\perfh013.dat

2010-05-21 17:52 . 2006-01-05 16:03 42080 ----a-w- c:\documents and settings\Marc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-20 11:30 . 2010-05-20 11:30 -------- d-----w- c:\program files\SunnyDesign

2010-05-17 19:53 . 2010-05-17 19:53 942960 ----a-w- c:\documents and settings\Marc\Local Settings\Application Data\MvtApp.exe

2010-05-12 13:23 . 2010-05-12 13:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt

2010-05-12 13:23 . 2010-05-12 13:23 -------- d-----w- c:\documents and settings\Marc\Application Data\Sunbelt

2010-05-12 13:21 . 2010-05-12 13:21 -------- d-----w- c:\program files\Sunbelt Software

2010-05-03 14:17 . 2010-01-08 09:45 -------- d-----w- c:\program files\iTunes

2010-05-01 10:52 . 2005-12-15 01:52 -------- d-----w- c:\program files\Common Files\Sonic Shared

2010-05-01 09:57 . 2005-12-15 01:52 -------- d-----w- c:\program files\Sonic

2010-04-30 09:48 . 2010-04-30 09:48 -------- d-----w- c:\program files\Trend Micro

2010-04-27 14:19 . 2010-04-27 14:19 -------- d-----w- c:\documents and settings\Marc\Application Data\Malwarebytes

2010-04-27 14:18 . 2010-04-27 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-04-08 12:15 . 2010-04-08 12:15 1956656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2006-11-08 15:01 . 2006-11-08 15:01 774144 ----a-w- c:\program files\RngInterstitial.dll

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6A91056-83E0-4C6E-8DCC-43FC0DFE7A0A}]

2010-06-19 12:57 45056 ----a-w- c:\windows\system32\JhD00NrB.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-21 45056]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-25 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-11-07 15:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-02-18 09:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Java\\jre1.6.0_07\\launch4j-tmp\\frd.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [25/12/2008 13:14 10384]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [13/12/2008 14:04 210216]

S1 ethhpxtw;ethhpxtw;c:\windows\system32\drivers\ethhpxtw.sys [7/06/2010 14:29 140288]

S2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [31/01/2010 17:26 135664]

S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [29/08/2006 0:54 10664]

.

Inhoud van de 'Gedeelde Taken' map

2010-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 15:26]

2010-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 15:26]

2009-08-14 c:\windows\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-21 10:22]

2009-11-01 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-21 10:22]

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.hln.be/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe

Trusted Zone: dexia.be\directnet

Trusted Zone: internet

Trusted Zone: mcafee.com

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2010-06-19 17:32

Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x867CAEC5]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7656f28

\Driver\ACPI -> ACPI.sys @ 0xf74e8cb8

\Driver\atapi -> atapi.sys @ 0xf74a0852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

user & kernel MBR OK

**************************************************************************

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,69,ba,e7,f8,7c,31,49,a3,08,b5,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,69,ba,e7,f8,7c,31,49,a3,08,b5,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(656)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3544)

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll

c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL

c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_dut.nlr

c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Andere Aktieve Processen ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\windows\System32\SCardSvr.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\drivers\CDAC11BA.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\McAfee\MSK\MskSrver.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Voltooingstijd: 2010-06-19 17:40:10 - machine werd herstart

ComboFix-quarantined-files.txt 2010-06-19 15:40

ComboFix2.txt 2010-06-08 09:13

Pre-Run: 27.483.381.760 bytes beschikbaar

Post-Run: 26.692.145.152 bytes beschikbaar

- - End Of File - - E6C319A2A1455F70C66D4F7532919753


ComboFix has already removed quite a bit of unwanted stuff, but some extra work is still needed:

Open a Notepad file.

Copy and paste the bold text below into it.

File::

c:\windows\system32\JhD00NrB.dll

c:\windows\system32\drivers\ethhpxtw.sys

c:\documents and settings\All Users\Application Data\6pq0BV.dat

Folder::

C:\7bfc1e3994985516f0a3765a

c:\program files\BoontyGames

Driver::

ethhpxtw

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6A91056-83E0-4C6E-8DCC-43FC0DFE7A0A}]

Renv::

c:\program files\McAfee.com\Agent\mcagent .exe

c:\program files\QuickTime\qttask .exe

Save this file on your desktop as CFScript.txt.

Drag CFScript.txt onto ComboFix.exe

This will make ComboFix run again. Reboot if you are asked to.

After the reboot, post the contents of Combofix.txt in your next message, together with a new HijackThis log.

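Added example (my own code, not part of this thread and not a ComboFix or McAfee tool): a small Python triage script that reads the kind of ComboFix lines posted above, flags the pattern the helper acted on (randomly named binaries under system32, the BHO and the S1 driver service that load them, and the run of numbered At*.job tasks that at.exe creates) and prints a CFScript draft in the File::/Driver::/Registry:: form of the post above. The sample lines are copied from the log in this thread with two known-good entries added; the name-randomness heuristic and its thresholds are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the ComboFix log posted in this thread,
# plus two known-good system32 entries that the heuristics should leave alone.
SAMPLE_LOG = r"""
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
2010-06-19 12:57 . 2010-06-19 12:57 45056 ----a-w- c:\windows\system32\JhD00NrB.dll
2010-06-16 12:13 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-07 12:29 . 2010-06-07 12:29 140288 ----a-w- c:\windows\system32\drivers\ethhpxtw.sys
2010-06-04 17:53 . 2010-06-04 17:52 411368 ----a-w- c:\windows\system32\deployJava1.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6A91056-83E0-4C6E-8DCC-43FC0DFE7A0A}]
2010-06-19 12:57 45056 ----a-w- c:\windows\system32\JhD00NrB.dll
S1 ethhpxtw;ethhpxtw;c:\windows\system32\drivers\ethhpxtw.sys [7/06/2010 14:29 140288]
"""

STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
# "stamp . stamp size attrs path" lines from the 'Bestanden Gemaakt' section
CREATED_RE = re.compile(rf"^({STAMP}) \. ({STAMP}) +(\d+|-+) +(\S+) +(.+)$")
# numbered At*.job tasks: at.exe creates one of these per scheduled job
AT_JOB_RE = re.compile(r"^c:\\windows\\tasks\\at\d+\.job$", re.IGNORECASE)
# BHO key, followed on the next line by the DLL it loads
BHO_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]$")
BHO_DLL_RE = re.compile(rf"^{STAMP} +\d+ +\S+ +(.+)$")
# "S1 name;display;path [date size]" driver/service lines
SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);[^;]*;(.+?) \[", re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32\\"


def looks_random(stem: str) -> bool:
    """Crude test for generated names such as JhD00NrB, ethhpxtw or 6pq0BV:
    almost no vowels, or digits wedged between letters. A heuristic chosen
    for this example (assumption); short legitimate driver names can trip it."""
    letters = [c for c in stem if c.isalpha()]
    vowels = sum(c in "aeiouAEIOU" for c in letters)
    few_vowels = vowels / max(len(letters), 1) < 0.15
    inner_digits = re.search(r"[A-Za-z]\d+[A-Za-z]", stem) is not None
    return few_vowels or inner_digits


def triage(log_text: str) -> dict:
    """One pass over the log, collecting the indicators the helper acted on:
    randomly named binaries under system32, the BHO and driver service that
    load them, and the number of numbered At*.job tasks."""
    flagged, bhos, drivers, at_jobs, pending_bho = [], [], [], 0, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if AT_JOB_RE.match(line):
            at_jobs += 1
            continue
        m = CREATED_RE.match(line)
        if m:
            path = m.group(5)
            if path.lower().startswith(SYSTEM32) and looks_random(PureWindowsPath(path).stem):
                flagged.append(path)
            continue
        m = BHO_RE.match(line)
        if m:
            pending_bho = m.group(1)
            continue
        if pending_bho:
            clsid, pending_bho = pending_bho, None
            m = BHO_DLL_RE.match(line)
            if m:
                if m.group(1) in flagged:
                    bhos.append(clsid)
                continue
        m = SERVICE_RE.match(line)
        if m and m.group(2) in flagged:
            drivers.append(m.group(1))
    return {"files": flagged, "bhos": bhos, "drivers": drivers, "at_jobs": at_jobs}


def build_cfscript(findings: dict) -> str:
    """Render a CFScript draft in the File::/Driver::/Registry:: form used in
    this thread. It is a starting point for a reviewer, not something to hand
    to ComboFix unread: every entry still needs a human check."""
    sections = []
    if findings["files"]:
        sections.append("File::\n" + "\n".join(findings["files"]))
    if findings["drivers"]:
        sections.append("Driver::\n" + "\n".join(findings["drivers"]))
    if findings["bhos"]:
        keys = ["[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + c + "]"
                for c in findings["bhos"]]
        sections.append("Registry::\n" + "\n".join(keys))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(f"numbered At*.job tasks: {found['at_jobs']} "
          "(an at.exe job loop fits a detection that returns every ten minutes)")
    print(build_cfscript(found))
```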

I shortened the report, because the Boonty Games part was several pages long. If you want to see the full report, I'll post it some time.

Regards.

ComboFix 10-06-18.03 - Marc 19/06/2010 19:05:12.18.2 - x86 MINIMAL

Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.1022.809 [GMT 2:00]

Gestart vanuit: c:\documents and settings\Marc\Bureaublad\ComboFix.exe

gebruikte Opdracht switches :: c:\documents and settings\Marc\Bureaublad\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::

"c:\documents and settings\All Users\Application Data\6pq0BV.dat"

"c:\windows\system32\drivers\ethhpxtw.sys"

"c:\windows\system32\JhD00NrB.dll"

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\7bfc1e3994985516f0a3765a

c:\7bfc1e3994985516f0a3765a\amd64\filterpipelineprintproc.dll

c:\7bfc1e3994985516f0a3765a\amd64\msxpsdrv.cat

c:\7bfc1e3994985516f0a3765a\amd64\msxpsdrv.inf

c:\7bfc1e3994985516f0a3765a\amd64\msxpsinc.gpd

c:\7bfc1e3994985516f0a3765a\amd64\msxpsinc.ppd

c:\7bfc1e3994985516f0a3765a\amd64\mxdwdrv.dll

c:\7bfc1e3994985516f0a3765a\amd64\xpssvcs.dll

c:\7bfc1e3994985516f0a3765a\i386\filterpipelineprintproc.dll

c:\7bfc1e3994985516f0a3765a\i386\msxpsdrv.cat

c:\7bfc1e3994985516f0a3765a\i386\msxpsdrv.inf

c:\7bfc1e3994985516f0a3765a\i386\msxpsinc.gpd

c:\7bfc1e3994985516f0a3765a\i386\msxpsinc.ppd

c:\7bfc1e3994985516f0a3765a\i386\mxdwdrv.dll

c:\7bfc1e3994985516f0a3765a\i386\xpssvcs.dll

c:\documents and settings\All Users\Application Data\6pq0BV.dat

c:\program files\BoontyGames

c:\program files\BoontyGames\Components\bureau.url

c:\program files\BoontyGames\Components\Joystick.ico

c:\program files\BoontyGames\Components\start.url

c:\program files\BoontyGames\pokersuperstars2{235914}.exe

c:\program files\BoontyGames\Ultimate Mahjong\backgrounds\_default.jpg

c:\progr

c:\program files\BoontyGames\Ultimate Mahjong\tilesets\realistic.ts

c:\program files\BoontyGames\Ultimate Mahjong\tilesets\TEMPLATE

c:\program files\BoontyGames\Ultimate Mahjong\unins000.dat

c:\program files\BoontyGames\Ultimate Mahjong\unins000.exe

c:\program files\BoontyGames\Ultimate Mahjong\website.url

c:\windows\system32\drivers\ethhpxtw.sys

c:\windows\system32\JhD00NrB.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_ethhpxtw

(((((((((((((((((((( Bestanden Gemaakt van 2010-05-19 to 2010-06-19 ))))))))))))))))))))))))))))))

.

2010-06-18 15:09 . 2010-06-18 15:09 388096 ----a-r- c:\documents and settings\Marc\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-06-16 12:13 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-16 12:12 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-14 14:45 . 2010-06-14 14:45 -------- d-----w- c:\documents and settings\Marc\Local Settings\Application Data\Citrix

2010-06-11 13:32 . 2010-06-11 15:26 -------- d-----w- c:\documents and settings\Marc\DoctorWeb

2010-06-04 17:53 . 2010-06-04 17:53 503808 ----a-w- c:\documents and settings\Marc\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e4ec1e2-n\msvcp71.dll

2010-06-04 17:53 . 2010-06-04 17:53 61440 ----a-w- c:\documents and settings\Marc\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-46c7c7c1-n\decora-sse.dll

2010-06-04 17:53 . 2010-06-04 17:53 499712 ----a-w- c:\documents and settings\Marc\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e4ec1e2-n\jmc.dll

2010-06-04 17:53 . 2010-06-04 17:53 348160 ----a-w- c:\documents and settings\Marc\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e4ec1e2-n\msvcr71.dll

2010-06-04 17:53 . 2010-06-04 17:53 12800 ----a-w- c:\documents and settings\Marc\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-46c7c7c1-n\decora-d3d.dll

2010-06-04 17:53 . 2010-06-04 17:52 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-03 18:20 . 2010-06-03 18:20 -------- d-----w- c:\documents and settings\Marc\Local Settings\Application Data\oespxrnvk

2010-06-02 10:07 . 2010-06-02 10:07 -------- d-----w- c:\windows\system32\siscardplugins

2010-06-02 10:07 . 2010-06-02 10:07 -------- d-----w- c:\windows\system32\beidpp

2010-06-02 10:07 . 2010-06-02 10:07 -------- d-----w- c:\program files\Belgium Identity Card

2010-05-21 12:15 . 2010-05-21 12:15 -------- d-----w- c:\windows\system32\XPSViewer

2010-05-21 12:15 . 2010-05-21 12:15 -------- d-----w- c:\program files\MSBuild

2010-05-21 12:15 . 2010-05-21 12:15 -------- d-----w- c:\program files\Reference Assemblies

2010-05-21 12:14 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll

2010-05-21 12:14 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2010-05-21 12:14 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2010-05-21 12:14 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll

2010-05-21 12:14 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2010-05-21 12:14 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

2010-05-21 12:14 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2010-05-21 12:14 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe

2010-05-21 12:14 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-19 15:31 . 2010-05-05 18:14 -------- d-----w- c:\program files\QuickTime

2010-06-18 14:33 . 2009-11-24 10:29 -------- d-----w- c:\program files\Everest Poker

2010-06-17 09:13 . 2008-04-21 13:32 -------- d-----w- c:\documents and settings\Marc\Application Data\OpenOffice.org2

2010-06-17 09:11 . 2008-04-21 13:35 1 ----a-w- c:\documents and settings\Marc\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys

2010-06-16 12:13 . 2010-04-27 14:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-15 17:16 . 2007-03-21 14:42 -------- d-----w- c:\program files\McAfee

2010-06-13 11:09 . 2008-10-22 17:04 -------- d-----w- c:\program files\USD

2010-06-12 18:26 . 2006-12-15 13:58 -------- d-----w- c:\program files\Belgacom

2010-06-12 18:24 . 2006-12-19 12:24 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-06-12 18:24 . 2006-01-05 14:24 -------- d-----w- c:\program files\support.com

2010-06-12 18:18 . 2005-12-15 01:49 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-12 18:18 . 2006-12-25 13:19 -------- d-----w- c:\program files\Ubisoft

2010-06-12 08:43 . 2010-05-14 18:41 300384 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Supportability\Content\MVT\XMLFiles\detect.dll

2010-06-12 08:43 . 2009-03-30 16:31 300384 ----a-w- c:\documents and settings\Marc\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll

2010-06-08 09:30 . 2007-07-11 09:12 -------- d-----w- c:\program files\CCleaner

2010-06-04 17:53 . 2005-12-15 01:44 -------- d-----w- c:\program files\Common Files\Java

2010-06-04 17:52 . 2005-12-15 01:44 -------- d-----w- c:\program files\Java

2010-06-03 18:19 . 2004-09-14 08:38 182656 ----a-w- c:\windows\system32\drivers\ndis.sys

2010-06-02 10:06 . 2006-06-14 09:53 29184 ----a-w- c:\windows\system32\drivers\usbccid.sys

2010-05-22 12:14 . 2004-09-14 08:38 91518 ----a-w- c:\windows\system32\perfc013.dat

2010-05-22 12:14 . 2004-09-14 08:38 510428 ----a-w- c:\windows\system32\perfh013.dat

2010-05-21 17:52 . 2006-01-05 16:03 42080 ----a-w- c:\documents and settings\Marc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-20 11:30 . 2010-05-20 11:30 -------- d-----w- c:\program files\SunnyDesign

2010-05-17 19:53 . 2010-05-17 19:53 942960 ----a-w- c:\documents and settings\Marc\Local Settings\Application Data\MvtApp.exe

2010-05-12 13:23 . 2010-05-12 13:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt

2010-05-12 13:23 . 2010-05-12 13:23 -------- d-----w- c:\documents and settings\Marc\Application Data\Sunbelt

2010-05-12 13:21 . 2010-05-12 13:21 -------- d-----w- c:\program files\Sunbelt Software

2010-05-03 14:17 . 2010-01-08 09:45 -------- d-----w- c:\program files\iTunes

2010-05-01 10:52 . 2005-12-15 01:52 -------- d-----w- c:\program files\Common Files\Sonic Shared

2010-05-01 09:57 . 2005-12-15 01:52 -------- d-----w- c:\program files\Sonic

2010-04-30 09:48 . 2010-04-30 09:48 -------- d-----w- c:\program files\Trend Micro

2010-04-27 14:19 . 2010-04-27 14:19 -------- d-----w- c:\documents and settings\Marc\Application Data\Malwarebytes

2010-04-27 14:18 . 2010-04-27 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-04-08 12:15 . 2010-04-08 12:15 1956656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2006-11-08 15:01 . 2006-11-08 15:01 774144 ----a-w- c:\program files\RngInterstitial.dll

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-21 45056]

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-25 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-11-07 15:41 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2010-02-18 09:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Java\\jre1.6.0_07\\launch4j-tmp\\frd.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [25/12/2008 13:14 10384]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [13/12/2008 14:04 210216]

S2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [31/01/2010 17:26 135664]

S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [29/08/2006 0:54 10664]

.

Inhoud van de 'Gedeelde Taken' map

2010-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 15:26]

2010-06-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 15:26]

2009-08-14 c:\windows\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-21 10:22]

2009-11-01 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-21 10:22]

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.hln.be/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html

IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe

Trusted Zone: dexia.be\directnet

Trusted Zone: internet

Trusted Zone: mcafee.com

.

- - - - ORPHANS VERWIJDERD - - - -

AddRemove-{8F1B8EDD-3331-4A96-9A76-D99337485813}_is1 - c:\program files\BoontyGames\Ultimate Mahjong\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2010-06-19 19:23

Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86577EC5]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7695f28

\Driver\ACPI -> ACPI.sys @ 0xf7527cb8

\Driver\atapi -> atapi.sys @ 0xf74df852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

user & kernel MBR OK

**************************************************************************

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,69,ba,e7,f8,7c,31,49,a3,08,b5,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,69,ba,e7,f8,7c,31,49,a3,08,b5,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(636)

c:\windows\system32\Ati2evxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2776)

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\program files\Logitech\SetPoint\lgscroll.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.NLD

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll

c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL

c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_dut.nlr

c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Andere Aktieve Processen ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\windows\System32\SCardSvr.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\drivers\CDAC11BA.EXE

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\McAfee\MSK\MskSrver.exe

c:\windows\system32\HPZipm12.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

.

**************************************************************************

.

Voltooingstijd: 2010-06-19 19:32:24 - machine werd herstart

ComboFix-quarantined-files.txt 2010-06-19 17:32

ComboFix2.txt 2010-06-19 15:40

ComboFix3.txt 2010-06-08 09:13

Pre-Run: 27.758.252.032 bytes beschikbaar

Post-Run: 26.772.697.088 bytes beschikbaar

- - End Of File - - E74C3A4F003F23BD0455BDE43217F2F9
