Conhost.exe 2

kape · 30 augustus 2011

TDSS is prima verlopen, bij Combofix is er iets misgegaan.

Dit mag je nog eens herdoen :

Kopieer en plak daarin de onderstaande vetgedrukte tekst.

Firefox::

FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\6pac91jj.default\

FF - prefs.js: browser.search.defaulturl –

FF - prefs.js: browser.search.selectedEngine –

FF - prefs.js: keyword.URL –

Sla dit bestand op je bureaublad op als CFScript.txt.

Bedoeling is dat je dit scriptje (CFScript.txt) IN de rode snelkoppeling van Combofix sleept en dan begint de verwerking van deze opdracht. Wil je dat nog eens herhalen en daarna een nieuw logje van Combofix plaatsen.

signer · 30 augustus 2011

Hopelijk is deze ok.

ComboFix 11-08-30.01 - HP_Administrator 30/08/2011 15:22:00.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.32.1043.18.1015.380 [GMT 2:00]

Gestart vanuit: c:\documents and settings\HP_Administrator\Bureaublad\ComboFix.exe

gebruikte Opdracht switches :: c:\documents and settings\HP_Administrator\Bureaublad\CFScript.txt

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

.

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

.

(((((((((((((((((((( Bestanden Gemaakt van 2011-07-28 to 2011-08-30 ))))))))))))))))))))))))))))))

.

2011-08-29 20:24 . 2011-08-29 20:24 -------- d-----w- C:\$AVG8.VAULT$

2011-08-29 18:52 . 2011-08-29 18:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes

2011-08-29 18:52 . 2011-07-06 17:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-08-29 18:52 . 2011-08-29 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-08-29 18:52 . 2011-08-29 18:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-08-29 18:52 . 2011-07-06 17:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-28 20:12 . 2011-08-29 18:49 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Sammsoft

2011-08-28 11:29 . 2011-08-28 11:29 388096 ----a-r- c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-08-28 11:29 . 2011-08-28 11:29 -------- d-----w- c:\program files\Trend Micro

2011-08-28 10:43 . 2011-08-28 10:43 1152 ----a-w- c:\windows\system32\windrv.sys

2011-08-28 10:43 . 2011-08-28 11:58 -------- d-----w- c:\program files\SpyNoMore

2011-08-28 10:35 . 2011-08-28 10:42 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\GetRightToGo

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-27 06:19 . 2011-06-03 05:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-15 13:29 . 2009-01-12 06:27 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2009-01-12 06:27 10496 ------w- c:\windows\system32\drivers\ndistapi.sys

2011-06-28 17:37 . 2011-02-15 16:54 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-06-28 17:37 . 2011-02-15 16:54 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-06-24 14:10 . 2009-01-21 06:39 139656 ------w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:31 . 2009-01-12 06:27 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:31 . 2009-01-12 06:27 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:31 . 2009-01-12 06:27 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2009-01-12 06:27 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44 . 2009-01-12 06:27 293888 ----a-w- c:\windows\system32\winsrv.dll

2011-06-06 11:35 . 2009-01-12 06:27 1859072 ----a-w- c:\windows\system32\win32k.sys

2011-08-27 09:20 . 2011-07-17 14:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

((((((((((((((((((((((((((((( SnapShot@2011-08-30_05.59.28 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-08-30 11:58 . 2011-08-30 11:58 16384 c:\windows\Temp\Perflib_Perfdata_55c.dat

+ 2009-01-12 06:27 . 2011-08-30 09:53 91118 c:\windows\system32\perfc013.dat

+ 2009-01-12 06:27 . 2011-08-30 09:53 71478 c:\windows\system32\perfc009.dat

+ 2009-01-12 06:27 . 2011-08-30 09:53 509046 c:\windows\system32\perfh013.dat

+ 2009-01-12 06:27 . 2011-08-30 09:53 441160 c:\windows\system32\perfh009.dat

+ 2011-08-30 07:52 . 2011-08-30 07:52 807936 c:\windows\Installer\2590525.msi

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2011-03-18 06:11 2471240 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-03-18 2471240]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-03-18 2471240]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-26 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-26 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-26 137752]

"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]

"beid"="c:\program files\Belgium Identity Card\beid35gui.exe" [2009-06-04 2056192]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]

"FLMOFFICE4DMOUSE"="c:\program files\Labtec\Desktop\V5.1\moffice.exe" [2009-06-30 958464]

"OFFICEKB"="c:\program files\Labtec\Desktop\V5.1\kbdap32a.exe" [2009-06-30 387584]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-17 2048352]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]

"RTHDCPL"="RTHDCPL.EXE" [2008-10-26 17021440]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-01-12 49208]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]

"SNM"="c:\program files\SpyNoMore\SNM.exe" [2010-07-12 1067984]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

.

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-10-12 110592]

HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqcopy2.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\Hp\\HP Software Update\\hpwucli.exe"=

"c:\\Program Files\\Hp\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\wamp\\bin\\apache\\Apache2.2.17\\bin\\httpd.exe"=

"c:\\Program Files\\GIMPshop\\lib\\gimp\\2.0\\plug-ins\\script-fu.exe"=

.

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [13/09/2009 8:25 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13/09/2009 8:25 108552]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [15/02/2011 18:54 136360]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [13/09/2009 8:25 297752]

R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [20/01/2009 8:56 712704]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [20/01/2011 14:44 136176]

S3 ACSSCR;ACR38 Smart Card Reader;c:\windows\system32\drivers\a38usb.sys [24/03/2006 19:14 33536]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG8\Toolbar\ToolbarBroker.exe [5/11/2010 10:48 947528]

S3 gupdatem;Google Update-service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [20/01/2011 14:44 136176]

S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19/02/2010 13:37 517096]

.

--- Andere Services/Drivers In Geheugen ---

.

*NewlyCreated* - 59942266

*Deregistered* - 59942266

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Inhoud van de 'Gedeelde Taken' map

.

2011-06-25 c:\windows\Tasks\AdobeAAMUpdater-1.0-UW-3223ECC21047-HP_Administrator.job

- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-06-25 15:42]

.

2011-08-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-20 12:44]

.

2011-08-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-20 12:44]

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://decopains.be/

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Trusted Zone: taxonweb.be

TCP: DhcpNameServer = 192.168.1.1 192.168.123.254

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\6pac91jj.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=

FF - prefs.js: browser.search.selectedEngine - SweetIM Search

FF - prefs.js: browser.startup.homepage - hxxp://www.google.be/

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2603445&q=

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-30 15:35

Windows 5.1.2600 Service Pack 3 NTFS

.

scannen van verborgen processen ...

.

scannen van verborgen autostart items ...

.

scannen van verborgen bestanden ...

.

Scan succesvol afgerond

verborgen bestanden: 0

.

**************************************************************************

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,22,02,91,99,7c,1d,9c,47,8e,16,97,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,22,02,91,99,7c,1d,9c,47,8e,16,97,\

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

.

- - - - - - - > 'winlogon.exe'(756)

c:\windows\system32\CLBCATQ.DLL

c:\windows\system32\igfxdev.dll

.

- - - - - - - > 'explorer.exe'(3084)

c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui

c:\windows\system32\webcheck.dll

.

Voltooingstijd: 2011-08-30 15:46:37

ComboFix-quarantined-files.txt 2011-08-30 13:46

ComboFix2.txt 2011-08-30 12:27

ComboFix3.txt 2011-08-30 06:07

.

Pre-Run: 28.013.846.528 bytes beschikbaar

Post-Run: 28.005.797.888 bytes beschikbaar

.

- - End Of File - - 49FA8FA8CC200CB48A1DEFCAB09F4A17

kape · 30 augustus 2011

De uitvoering is OK, maar mogelijk is de reactie op het gekopieerde scriptje niet helemaal in orde (de items zijn nog steeds aanwezig). Nog even opnieuw maar nu met dit (het verschil tussen de vorige opdracht en deze is zo klein dat je ze vermoedelijk zelfs niet zal zien, maar het is er wel) :

Kopieer en plak daarin de onderstaande vetgedrukte tekst.

Firefox::

FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\6pac91jj.default\

FF - prefs.js: browser.search.defaulturl -

FF - prefs.js: browser.search.selectedEngine -

FF - prefs.js: keyword.URL -

Sla dit bestand op je bureaublad op als CFScript.txt en dan verder zoals eerder aangegeven.

Even duimen dat het nu wél lukt ...

signer · 31 augustus 2011

Terug,hieronder het logje van combofix.

En heb nog eens een scan met TDSS gedaan eveneens.

ComboFix 11-08-30.02 - HP_Administrator 31/08/2011 9:52.5.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.32.1043.18.1015.477 [GMT 2:00]