ndis virus - internet verbinding weg

13 juli 2010

Hallo, na een virusmelding is mijn internet verbinding verbroken en krijg ik bij scans steeds melding van trojaans paard virus en rootkit agent oid. Ik wil dit probleem graag verholpen hebben. Wie kan helpen? Alvast bedankt voor de moeite!

Onderstaand HJT file:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 20:44:11, on 13-7-2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WLService.exe

C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WUSB54GPv4.exe

C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\igfxpers.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Administrator\Desktop\scannerts\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = nu.nl | Het laatste nieuws het eerst op nu.nl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = HP Desktop web portal - HP Small and Medium Business

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = HP Desktop web portal - HP Small and Medium Business

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [setRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe

O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: WUSB54GPv4SVC - GEMTEKS - C:\Program Files\Wireless-G Portable USB Adapter Wireless Network Monitor\WLService.exe

--

End of file - 7039 bytes

kape · 13 juli 2010

Dit logje ziet er nochtans erg netjes uit. Laten we even dieper kijken :

Download ComboFix van één van deze locaties:

Link 1

Link 2

* BELANGRIJK !!! Sla ComboFix.exe op je Bureaublad op

Lees hier meer over correct gebruik van Combofix.

Schakel alle antivirus- en antispywareprogramma's uit, want anders kunnen ze misschien conflicteren met ComboFix. Hier is een handleiding over hoe je ze kan uitschakelen: Klik hier Als het je niet lukt om ze uit te schakelen, ga dan gewoon door naar de volgende stap.
Dubbeklik op ComboFix.exe en volg de meldingen op het scherm.
ComboFix zal controleren of dat de Microsoft Windows Recovery Console reeds is geïnstalleerd. Als deze Recovery Console al is geïnstalleerd zal ComboFix automatisch verder gaan met het scannen naar malware
Volg anders de meldingen op het scherm om ComboFix de Microsoft Windows Recovery Console te laten downloaden en installeren. Wanneer de Recovery Console succesvol is geïnstalleerd, klik je op “JA” om verder te gaan met het scannen naar malware.

NOTA: Wanneer ComboFix start, kan het zijn dat je een foutmelding krijgt dat “De inhoud van het ComboFix pakket werd gewijzigd”. Ga dan niet verder met de instructies, maar download ComboFix opnieuw. Deze melding kan verschijnen wanneer een file-infector (Virut) actief is op de computer. Blijf je die melding krijgen dan meld je dit.

Wanneer ComboFix klaar is, zal het het een logbestand voor je maken. Post de inhoud van dit logbestand (te vinden als C:\ComboFix.txt) in je volgende bericht.

14 juli 2010

ComboFix meldt dat er geen Windows recovery console is. Daarvoor zou ik online moeten, maar dat kan dus niet. Ik heb Combofix desondanks door laten gaan (krijg melding over rootkit activity) en hieronder de logfile van combofix:

ComboFix 10-07-13.06 - Administrator 14-07-2010 11:02:04.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.633 [GMT 2:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2010-06-14 to 2010-07-14 )))))))))))))))))))))))))))))))

.

2010-07-13 19:09 . 2010-07-13 19:09 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys

2010-07-13 19:09 . 2008-10-21 08:16 465152 ----a-w- c:\windows\system32\rt73.sys

2010-07-13 19:09 . 2005-11-03 15:41 32768 ----a-w- c:\windows\system32\GTGina.dll

2010-07-13 19:09 . 2005-02-01 16:18 17992 ----a-w- c:\windows\system32\drivers\bcm42rly.sys

2010-07-13 19:09 . 2005-02-01 16:18 17992 ----a-w- c:\windows\system32\bcm42rly.sys

2010-07-13 19:09 . 2005-02-01 16:18 17992 ----a-w- c:\windows\bcm42rly.sys

2010-07-13 19:09 . 2010-07-13 19:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield

2010-07-13 18:13 . 2010-07-13 18:13 -------- d-----w- C:\$AVG

2010-07-13 17:39 . 2010-07-13 17:39 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-07-13 17:39 . 2010-07-13 17:39 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-07-13 17:39 . 2010-07-13 17:39 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-07-13 17:38 . 2010-07-13 17:39 -------- d-----w- c:\windows\system32\drivers\Avg

2010-07-13 17:38 . 2010-07-13 17:38 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-13 17:38 . 2010-07-13 17:38 -------- d-----w- c:\program files\AVG

2010-07-13 17:38 . 2010-07-13 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-07-12 20:27 . 2003-10-13 13:30 94208 ----a-w- c:\windows\system32\GTW32N50.dll

2010-07-12 20:27 . 2003-09-25 20:15 15872 ----a-w- c:\windows\system32\GTNDIS5.sys

2010-07-12 20:16 . 2010-07-12 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-07-12 20:16 . 2010-07-12 20:16 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-07-12 15:45 . 2010-07-12 15:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-07-12 15:45 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-12 15:45 . 2010-07-12 15:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-12 15:45 . 2010-07-12 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-12 15:45 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-12 11:55 . 2010-07-14 09:06 765952 ----a-w- c:\windows\system32\drivers\hbunurrg.sys

2010-07-12 11:55 . 2010-07-12 12:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\jurdjmrto

2010-07-08 18:59 . 2010-07-08 18:59 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe

2010-07-08 18:59 . 2010-07-08 18:59 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe

2010-07-08 18:58 . 2010-07-08 18:58 84054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe

2010-07-08 18:58 . 2010-07-08 18:58 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe

2010-07-08 18:56 . 2010-07-08 18:56 -------- d-----w- c:\program files\iPod

2010-07-08 18:56 . 2010-07-08 18:57 -------- d-----w- c:\program files\iTunes

2010-07-08 18:55 . 2010-07-08 18:55 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe

2010-07-08 18:52 . 2010-07-08 18:52 -------- d-----w- c:\program files\Bonjour

2010-07-08 18:49 . 2010-07-08 18:49 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

2010-06-27 18:07 . 2010-07-08 18:59 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll

2010-06-27 18:07 . 2010-06-27 18:07 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe

2010-06-27 18:07 . 2010-06-27 18:07 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe

2010-06-27 18:07 . 2010-06-27 18:07 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe

2010-06-27 18:07 . 2010-06-27 18:07 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe

2010-06-27 18:07 . 2010-06-27 18:07 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe

2010-06-27 18:07 . 2010-06-27 18:07 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe

2010-06-27 18:07 . 2010-06-27 18:07 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe

2010-06-27 18:07 . 2010-06-27 18:07 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe

2010-06-20 18:49 . 2010-07-12 18:30 -------- d-----w- c:\program files\VideoLAN

2010-06-20 18:48 . 2010-06-20 18:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Sophos

2010-06-20 17:20 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-20 15:52 . 2010-06-20 15:52 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-18271997-n\msvcp71.dll

2010-06-20 15:52 . 2010-06-20 15:52 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-18271997-n\jmc.dll

2010-06-20 15:52 . 2010-06-20 15:52 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-18271997-n\msvcr71.dll

2010-06-20 15:52 . 2010-06-20 15:52 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6dc48260-n\decora-sse.dll

2010-06-20 15:52 . 2010-06-20 15:52 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6dc48260-n\decora-d3d.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-13 19:09 . 2009-12-01 21:30 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-13 19:09 . 2010-01-29 14:06 -------- d-----w- c:\program files\Linksys

2010-07-12 18:30 . 2010-01-30 13:12 -------- d-----w- c:\program files\SHOUTcast Source

2010-07-12 18:30 . 2010-01-30 13:10 -------- d-----w- c:\program files\OpenSource Flash Video Splitter

2010-07-12 18:29 . 2009-12-01 14:04 -------- d-----w- c:\program files\Sophos

2010-07-12 11:56 . 2002-08-29 09:09 210816 ----a-w- c:\windows\system32\drivers\ndis.sys

2010-07-08 18:59 . 2010-03-28 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-07-08 18:59 . 2010-03-28 22:09 -------- d-----w- c:\program files\DivX

2010-07-08 18:56 . 2010-01-29 15:30 -------- d-----w- c:\program files\Common Files\Apple

2010-07-08 18:55 . 2010-03-28 22:11 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll

2010-07-08 18:55 . 2010-03-28 22:11 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe

2010-06-09 23:01 . 2010-03-28 22:11 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys

2010-06-09 23:01 . 2010-03-28 22:11 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys

2010-06-09 23:01 . 2010-03-28 22:11 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys

2010-06-09 23:01 . 2010-03-28 22:11 133616 ------w- c:\windows\system32\pxafs.dll

2010-06-09 23:01 . 2010-03-28 22:11 126448 ------w- c:\windows\system32\pxinsi64.exe

2010-06-09 23:01 . 2010-03-28 22:11 123888 ------w- c:\windows\system32\pxcpyi64.exe

2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\23595\AdobeARM.exe

2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\23595\AdobeExtractFiles.dll

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\23595\ReaderUpdater.exe

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\23595\AcrobatUpdater.exe

2010-05-18 14:35 . 2010-05-18 14:35 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-05-18 14:35 . 2010-05-18 14:35 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-05-06 10:41 . 2002-08-29 10:41 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2002-08-29 09:14 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 05:30 . 2001-08-17 21:55 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-18 18:35 . 2010-04-18 18:35 411368 ----a-w- c:\windows\system32\deployJava1.dll

.

------- Sigcheck -------

[-] 2010-07-12 11:56 . 476098883D83981C2CC860FD8DEF66F9 . 210816 . . [------] . . c:\windows\system32\drivers\ndis.sys

[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys

[-] 2002-08-29 . 3B350E5A2A5E951453F3993275A4523A . 167552 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\ndis.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-07-12_18.43.02 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-11 18:54 . 2009-07-11 18:54 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll

+ 2009-07-11 18:32 . 2009-07-11 18:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll

+ 2009-07-11 18:32 . 2009-07-11 18:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll

+ 2009-07-11 18:32 . 2009-07-11 18:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll

+ 2009-07-11 18:32 . 2009-07-11 18:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll

+ 2009-07-11 18:32 . 2009-07-11 18:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll

+ 2009-07-11 18:32 . 2009-07-11 18:32 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll

+ 2009-07-11 18:32 . 2009-07-11 18:32 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll

+ 2009-07-11 18:32 . 2009-07-11 18:32 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll

+ 2009-07-11 18:32 . 2009-07-11 18:32 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll

+ 2009-07-11 23:07 . 2009-07-11 23:07 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll

+ 2009-07-11 23:19 . 2009-07-11 23:19 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll

+ 2009-07-11 17:41 . 2009-07-11 17:41 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll

+ 2010-07-14 09:01 . 2010-07-14 09:01 16384 c:\windows\Temp\Perflib_Perfdata_b4.dat

- 2003-05-19 20:17 . 2010-07-12 18:41 68156 c:\windows\system32\perfc009.dat

+ 2003-05-19 20:17 . 2010-07-14 09:05 68156 c:\windows\system32\perfc009.dat

+ 2010-01-29 14:06 . 2008-12-12 17:05 25264 c:\windows\system32\DRVSTORE\DFx24.tmp\purendis.sys

+ 2003-05-19 20:17 . 2010-07-14 09:05 435260 c:\windows\system32\perfh009.dat

- 2003-05-19 20:17 . 2010-07-12 18:41 435260 c:\windows\system32\perfh009.dat

+ 2010-07-13 17:38 . 2010-07-13 17:38 424448 c:\windows\Installer\14f80e.msi

+ 2009-07-11 18:46 . 2009-07-11 18:46 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll

+ 2009-07-11 18:46 . 2009-07-11 18:46 1105920 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]

"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2002-08-07 485376]

"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 143360]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2007-01-13 131072]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2007-01-13 163840]

"Persistence"="c:\windows\System32\igfxpers.exe" [2007-01-13 135168]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-13 2065760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-07-13 17:39 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [13-7-2010 19:39 216400]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13-7-2010 19:38 243024]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [13-7-2010 19:38 308136]

R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [29-1-2010 16:06 627072]

--- Other Services/Drivers In Memory ---

*Deregistered* - hbunurrg

.

Contents of the 'Scheduled Tasks' folder

2010-01-29 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.nu.nl/

mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp

uInternet Connection Wizard,ShellNext = hxxp://go.compaq.com/1Q00CDT/0409/bl7.asp

uInternet Settings,ProxyOverride = <local>

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

.

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hbunurrg]

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2934551863-1904042531-237644234-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,79,fe,f1,52,f2,1d,24,42,82,d0,34,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,79,fe,f1,52,f2,1d,24,42,82,d0,34,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]

"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

Completion time: 2010-07-14 11:07:54

ComboFix-quarantined-files.txt 2010-07-14 09:07

ComboFix2.txt 2010-07-13 17:22

ComboFix3.txt 2010-07-12 18:44

Pre-Run: 886.521.982.976 bytes free

Post-Run: 886.518.366.208 bytes free

- - End Of File - - E2B476899BAC319E1774BD29A0B2579E

kape · 14 juli 2010

Open een kladblokbestand.

Kopieer en plak daarin de onderstaande vetgedrukte tekst.

File::

c:\windows\system32\drivers\hbunurrg.sys

c:\windows\system32\drivers\bcm42rly.sys

c:\windows\system32\bcm42rly.sys

c:\windows\bcm42rly.sys

c:\windows\system32\GTNDIS5.sys

c:\windows\system32\GTW32N50.dll

c:\windows\system32\pxafs.dll

c:\windows\system32\pxinsi64.exe

c:\windows\system32\pxcpyi64.exe

Folder::

c:\documents and settings\Administrator\Local Settings\Application Data\jurdjmrto

Driver::

bcm42rly

hbunurrg

Sla dit bestand op je bureaublad op als CFScript.txt.

Sleep CFScript.txt in ComboFix.exe

Dit zal ComboFix doen herstarten. Start opnieuw op als dat gevraagd wordt.

Post na herstart de inhoud van de Combofix.txt in je volgende bericht samen met een nieuw logje van HijackThis.

14 juli 2010

Hierbij:

Combofix log:

ComboFix 10-07-13.06 - Administrator 14-07-2010 12:55:19.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.630 [GMT 2:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

"c:\windows\bcm42rly.sys"

"c:\windows\system32\bcm42rly.sys"

"c:\windows\system32\drivers\bcm42rly.sys"

"c:\windows\system32\drivers\hbunurrg.sys"

"c:\windows\system32\GTNDIS5.sys"

"c:\windows\system32\GTW32N50.dll"

"c:\windows\system32\pxafs.dll"

"c:\windows\system32\pxcpyi64.exe"

"c:\windows\system32\pxinsi64.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Local Settings\Application Data\jurdjmrto

c:\windows\bcm42rly.sys

c:\windows\system32\bcm42rly.sys

c:\windows\system32\drivers\bcm42rly.sys

c:\windows\system32\drivers\hbunurrg.sys

c:\windows\system32\GTNDIS5.sys

c:\windows\system32\GTW32N50.dll

c:\windows\system32\pxafs.dll

c:\windows\system32\pxcpyi64.exe

c:\windows\system32\pxinsi64.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_HBUNURRG

-------\Service_hbunurrg