
Ran ComboFix after Anti-Malware Doctor


sibet


I recently got a visit from Anti-Malware Doctor.

I was already able to fix most of it with Malwarebytes Anti-Malware, but processes kept running in the background.

Following a post on this forum I then ran ComboFix.

Below is the result. Do I still need to do anything further with this?

Thanks in advance!

ComboFix 10-08-11.05 - HVM 08/12/2010 11:12:51.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.526 [GMT 2:00]

Running from: c:\documents and settings\HVM\My Documents\My Received Files\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\HVM\Application Data\3EA80423575C9548C8E10C135447CA7B

c:\documents and settings\HVM\Application Data\3EA80423575C9548C8E10C135447CA7B\enemies-names.txt

c:\documents and settings\HVM\Application Data\3EA80423575C9548C8E10C135447CA7B\local.ini

c:\documents and settings\HVM\Application Data\3EA80423575C9548C8E10C135447CA7B\lsrslt.ini

c:\documents and settings\HVM\Local Settings\Application Data\cigmiwaww

c:\documents and settings\HVM\Local Settings\Application Data\cigmiwaww\udyyvgftssd.exe

C:\lsass.exe

c:\windows\system32\driVERs\ofogb.sys

c:\windows\system32\drivers\sokccpbf.sys

c:\windows\system32\drivers\sphnxebl.sys

c:\windows\system32\hatjggv.dll

c:\windows\system32\qxdodxv.dll

c:\windows\system32\Thumbs.db

c:\windows\Tasks\At1.job

Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected

Restored copy from - Kitty had a snack :P

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\ndis.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_CDJQPGKO

-------\Legacy_SPHNXEBL

-------\Service_cdjqpgko

-------\Service_sphnxebl

-------\Legacy_ofogb

-------\Service_ofogb

((((((((((((((((((((((((( Files Created from 2010-07-12 to 2010-08-12 )))))))))))))))))))))))))))))))

.

2010-08-11 13:20 . 2010-08-11 13:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\dpMagic Software

2010-08-11 12:57 . 2010-08-11 12:57 -------- d-----w- c:\documents and settings\HVM\Application Data\Office Genuine Advantage

2010-08-10 17:23 . 2010-08-10 17:23 -------- d-----w- c:\documents and settings\HVM\Application Data\Malwarebytes

2010-08-10 17:17 . 2010-08-10 17:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla

2010-08-10 16:42 . 2010-08-10 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-08-10 16:42 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-10 16:42 . 2010-08-10 17:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-10 16:42 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-04 18:37 . 2010-08-04 18:37 -------- d-----w- c:\documents and settings\HVM\EurekaLog

2010-07-26 13:02 . 2010-07-26 13:02 -------- d-----w- c:\program files\Common Files\Skype

2010-07-17 19:55 . 2010-07-17 19:55 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

2010-07-14 07:25 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-12 08:40 . 2008-04-27 12:27 -------- d-----w- c:\program files\Bonjour

2010-08-11 21:57 . 2008-07-25 20:54 -------- d-----w- c:\documents and settings\HVM\Application Data\uTorrent

2010-08-02 21:11 . 2009-05-29 08:08 -------- d-----w- c:\documents and settings\HVM\Application Data\Skype

2010-08-02 09:22 . 2009-05-29 08:10 -------- d-----w- c:\documents and settings\HVM\Application Data\skypePM

2010-07-26 13:02 . 2009-05-29 08:08 -------- d-----r- c:\program files\Skype

2010-07-26 13:02 . 2009-05-29 08:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

2010-07-14 08:18 . 2008-11-20 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek

2010-07-12 11:06 . 2010-07-12 11:06 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ

2010-07-12 11:05 . 2010-07-12 11:05 -------- d--h--w- c:\program files\CanonBJ

2010-06-14 14:31 . 2006-04-30 07:10 744448 ------w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2008-03-16 10:52 . 2008-03-16 10:52 1378 ------w- c:\program files\uninstal.log

2001-08-13 14:51 . 2001-08-13 14:51 1396337 ------w- c:\program files\Captura.exe

2008-02-26 15:10 . 2008-02-26 15:10 88 --sh--r- c:\windows\system32\299420F371.sys

2008-02-26 15:10 . 2008-02-26 15:10 2828 --sh--w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-3-3 110592]

Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-2-28 561213]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2006-09-06 07:37 34344 ------w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2006-12-14 02:06 28672 ------w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Soulseek\\slsk.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Whisper Technology\\FTP Surfer\\Surfer.exe"=

"c:\\Program Files\\Brother\\Brmfl06b\\FAXRX.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\SoulseekNS\\slsk.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [9/29/2007 2:28 AM 19504]

R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [7/12/2007 6:38 AM 569344]

R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [5/23/2007 1:59 AM 30336]

S3 ACSSCR;ACR38 Smart Card Reader;c:\windows\system32\drivers\a38usb.sys [1/10/2009 1:02 PM 33536]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SPHNXEBL

*Deregistered* - sphnxebl

.

Contents of the 'Scheduled Tasks' folder

2010-08-12 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 23:54]

2010-08-12 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 13:07]

2010-08-10 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-01-25 16:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.be/

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:6522

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

Trusted Zone: navigram.com\www

Trusted Zone: getmirar.com\click

Trusted Zone: mirarsearch.com\click

Trusted Zone: mirarsearch.com\redirect

Trusted Zone: net-nucleus.com\awbeta

FF - ProfilePath - c:\documents and settings\HVM\Application Data\Mozilla\Firefox\Profiles\8zaxoxtm.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.be/webhp?hl=nl

FF - plugin: c:\documents and settings\HVM\Application Data\Facebook\npfbplugin_1_0_1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\UninstFl.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2010-08-12 11:35

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2262407663-1368723996-2586089899-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2479FC8C-E819-0C8A-CFC9-05F4E05B71EA}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2479FC8C-E819-0C8A-CFC9-05F4E05B71EA}\InProcServer32*]

"jaajbdphkibhccaakllk"=hex:6a,61,6b,68,6e,67,66,64,6b,64,6c,66,63,6a,6c,62,6f,

65,70,6f,00,30

"iaajpcffhkeldcddjh"=hex:6a,61,6c,68,6e,67,6c,66,67,68,6a,67,67,64,6a,62,6f,67,

6c,6f,00,30

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1420)

c:\program files\Lenovo\HOTKEY\tphklock.dll

- - - - - - - > 'explorer.exe'(3988)

c:\windows\system32\WININET.dll

c:\windows\system32\btmmhook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Whisper Technology\FTP Surfer\wtftpshx.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\windows\System32\SCardSvr.exe

c:\windows\system32\IPSSVC.EXE

c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\windows\system32\PSIService.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

c:\windows\System32\TPHDEXLG.exe

c:\program files\Lenovo\Rescue and Recovery\rrservice.exe

c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe

c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe

c:\program files\Pure Networks\Network Magic\nmsrvc.exe

c:\program files\lenovo\system update\suservice.exe

c:\program files\Common Files\Lenovo\Logger\logmon.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-08-12 11:37:34 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-12 09:37

Pre-Run: 63,728,730,112 bytes free

Post-Run: 66,564,083,712 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - B29B45CD83304CDE279EEC7AC255FE38

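The ComboFix output above still contains a few post-cleanup indicators that are easy to miss when reading the log by eye: a core Windows binary name sitting in the drive root, the Security Center antivirus override, the disabled firewall, a browser proxy pointed at a local port, the Trusted Zone entries, and the locked CLSID values stored as `hex:` data. The following Python script is an added example, not part of the original post and not ComboFix's own code; it re-joins wrapped `hex:` values, decodes them, and flags those indicators over a constructed sample made of lines copied from the log above. The indicator names and the `SYSTEM32_ONLY` list are the example's own choices.

```python
import re
from typing import Dict, List

# Constructed sample: a handful of lines copied from the ComboFix log posted above.
# Any complete ComboFix log can be passed to triage_log() instead.
SAMPLE_LOG = """\
c:\\windows\\system32\\drivers\\sokccpbf.sys
C:\\lsass.exe
"AntiVirusOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
uInternet Settings,ProxyServer = http=127.0.0.1:6522
Trusted Zone: navigram.com\\www
Trusted Zone: getmirar.com\\click
"jaajbdphkibhccaakllk"=hex:6a,61,6b,68,6e,67,66,64,6b,64,6c,66,63,6a,6c,62,6f,
65,70,6f,00,30
"iaajpcffhkeldcddjh"=hex:6a,61,6c,68,6e,67,6c,66,67,68,6a,67,67,64,6a,62,6f,67,
6c,6f,00,30
"""

# Core Windows binaries that legitimately live only under %windir%\system32
# (the example's own list; extend it as needed).
SYSTEM32_ONLY = {"lsass.exe", "csrss.exe", "smss.exe", "services.exe", "winlogon.exe"}


def join_hex_continuations(lines: List[str]) -> List[str]:
    """ComboFix wraps long hex: values like a regedit export: a line ending in ','
    continues on the next line. Re-join them so each registry value is one line."""
    joined: List[str] = []
    for line in lines:
        if joined and joined[-1].rstrip().endswith(","):
            joined[-1] = joined[-1].rstrip() + line.strip()
        else:
            joined.append(line.rstrip())
    return joined


def decode_reg_hex(value: str) -> bytes:
    """Turn 'hex:6a,61,...' into raw bytes."""
    body = value.split("hex:", 1)[1]
    return bytes(int(tok, 16) for tok in body.split(",") if tok.strip())


def printable_prefix(data: bytes) -> str:
    """ASCII text up to the first NUL byte; non-printable bytes are shown escaped."""
    text = data.split(b"\x00", 1)[0]
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in text)


def triage_log(text: str) -> List[Dict[str, str]]:
    """Walk the log once and collect the indicators worth a second look."""
    findings: List[Dict[str, str]] = []
    for line in join_hex_continuations(text.splitlines()):
        low = line.lower()
        m = re.match(r"^([a-z]:\\(?:.*\\)?)([a-z0-9_]+\.exe)$", low)
        if m and m.group(2) in SYSTEM32_ONLY and not m.group(1).endswith("\\system32\\"):
            findings.append({"kind": "masquerade", "line": line,
                             "note": f"{m.group(2)} found outside system32"})
        elif '"antivirusoverride"=dword:00000001' in low:
            findings.append({"kind": "security-center", "line": line,
                             "note": "Security Center antivirus warnings suppressed"})
        elif '"enablefirewall"= 0' in low:
            findings.append({"kind": "firewall", "line": line,
                             "note": "Windows Firewall disabled for the standard profile"})
        elif "proxyserver" in low and re.search(r"127\.0\.0\.1:\d+", low):
            findings.append({"kind": "proxy", "line": line,
                             "note": "browser proxied through a local port; typical rogue-AV leftover"})
        elif low.startswith("trusted zone:"):
            findings.append({"kind": "trusted-zone", "line": line,
                             "note": "domain added to the IE Trusted sites zone"})
        elif "=hex:" in low:
            name, value = line.split("=", 1)
            decoded = printable_prefix(decode_reg_hex(value))
            findings.append({"kind": "reg-hex", "line": line,
                             "note": f"{name.strip(chr(34))} decodes to {decoded!r}"})
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f['kind']:15}] {f['note']}")
```

Running the script on the sample prints eight findings; the two locked registry values decode to plain ASCII strings of random letters followed by a NUL and a `0`, which is consistent with the generated junk names the rogue left behind rather than anything that needs further decoding. The proxy, firewall and Security Center lines are the settings a user would normally still have to reset by hand after the files themselves have been removed.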

ComboFix has already cleaned up quite a lot.

Could you post the latest Malwarebytes log and then carry out the following.

Download HijackThis.

Under "HijackThis Downloads" click "Installer".

Double-click HijackThis.msi

HijackThis will now be installed on your PC; a shortcut is placed on your desktop.

HijackThis will open after installation.

Click "Do a system scan and save a logfile".

A Notepad window opens; hold down CTRL and A at the same time, and everything is now selected. Hold down CTRL and C at the same time, and everything is now copied. Now paste the HJT log into your message with CTRL and V.

Note: Windows Vista & 7 users must run HijackThis as "administrator" via right-click "run as administrator". If that does not work via the shortcut, run HijackThis as administrator from the following folder: C:\Program Files\Trend Micro\HiJackThis.
