
Posted:

ComboFix 11-09-19.05 - Patrick 20/09/2011 14:56:49.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.2037.1431 [GMT 2:00]

Gestart vanuit: c:\documents and settings\Patrick\Mijn documenten\Downloads\ComboFix.exe

AV: Avira AntiVir PersonalEdition *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Documenten\Server\admin.txt

c:\documents and settings\All Users\Documenten\Server\server.dat

c:\documents and settings\Patrick\Application Data\PriceGong

c:\documents and settings\Patrick\Application Data\PriceGong\Data\1.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\a.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\b.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\c.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\d.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\e.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\f.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\g.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\h.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\i.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\J.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\k.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\l.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\m.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\n.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\o.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\p.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\q.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\r.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\s.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\t.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\u.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\v.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\w.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\x.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\y.xml

c:\documents and settings\Patrick\Application Data\PriceGong\Data\z.xml

c:\documents and settings\Patrick\Mijn documenten\~WRL0371.tmp

c:\documents and settings\Patrick\Mijn documenten\~WRL1290.tmp

c:\documents and settings\Patrick\Mijn documenten\~WRL1787.tmp

c:\documents and settings\Patrick\Mijn documenten\~WRL1841.tmp

c:\documents and settings\Patrick\Mijn documenten\~WRL2074.tmp

c:\documents and settings\Patrick\Mijn documenten\~WRL2075.tmp

c:\documents and settings\Patrick\Mijn documenten\~WRL2499.tmp

c:\documents and settings\Patrick\Mijn documenten\~WRL2695.tmp

c:\documents and settings\Patrick\Mijn documenten\~WRL2853.tmp

c:\documents and settings\Patrick\Mijn documenten\~WRL3231.tmp

c:\documents and settings\Patrick\Mijn documenten\~WRL3636.tmp

c:\documents and settings\Patrick\Mijn documenten\~WRL3747.tmp

c:\documents and settings\Patrick\WINDOWS

c:\program files\Microsoft Office\Office11\OSA.exe

C:\Thumbs.db

c:\windows\IsUn0413.exe

c:\windows\system32\11478.exe

c:\windows\system32\15724.exe

c:\windows\system32\16827.exe

c:\windows\system32\18467.exe

c:\windows\system32\19169.exe

c:\windows\system32\23281.exe

c:\windows\system32\24464.exe

c:\windows\system32\26500.exe

c:\windows\system32\26962.exe

c:\windows\system32\28145.exe

c:\windows\system32\29358.exe

c:\windows\system32\5705.exe

c:\windows\system32\6334.exe

c:\windows\system32\647349613

c:\windows\system32\9961.exe

c:\windows\system32\Thumbs.db

.

.

(((((((((((((((((((( Bestanden Gemaakt van 2011-08-20 to 2011-09-20 ))))))))))))))))))))))))))))))

.

.

2011-09-19 11:34 . 2011-09-19 11:34 388096 ----a-r- c:\documents and settings\Patrick\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-09-06 16:58 . 2011-09-06 16:58 -------- d-----w- c:\documents and settings\Patrick\.jordan

.

.

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-09 09:12 . 2008-04-15 12:00 602624 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 11:52 . 2011-06-19 06:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-31 15:00 . 2011-03-21 13:41 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-15 13:29 . 2008-04-15 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2008-04-15 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2008-12-15 12:31 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:31 . 2008-04-15 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:31 . 2008-04-15 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2011-06-23 18:31 . 2008-04-15 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2008-04-15 12:00 385024 ------w- c:\windows\system32\html.iec

2011-09-07 16:42 . 2011-03-23 11:23 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2010-02-01 18:11 203776 --sh--w- c:\windows\system32\unrar.exe

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-07-07 20:32 . 68180553F674B487BE777CFD6BE70726 . 253952 . . [2001.12.4414.320] . . c:\windows\SoftwareDistribution\Download\753862110538d91277294ecede82cf33\SP2GDR\es.dll

[-] 2008-07-07 20:30 . 97912DC0679D2DA60CCE589BBC196D72 . 253952 . . [2001.12.4414.706] . . c:\windows\SoftwareDistribution\Download\753862110538d91277294ecede82cf33\SP3GDR\es.dll

[-] 2008-07-07 20:30 . 97912DC0679D2DA60CCE589BBC196D72 . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll

[-] 2008-07-07 20:26 . F6C37073A269C163A5FDAE5BFF47F367 . 253952 . . [2001.12.4414.706] . . c:\windows\SoftwareDistribution\Download\753862110538d91277294ecede82cf33\SP3QFE\es.dll

[-] 2008-07-07 20:23 . B3A4422CBD8DAA6710431F67C679DA24 . 253952 . . [2001.12.4414.320] . . c:\windows\SoftwareDistribution\Download\753862110538d91277294ecede82cf33\SP2QFE\es.dll

[7] 2008-04-15 12:00 . 42A7FC383B174D91162EBF44C8AA5349 . 246272 . . [2001.12.4414.701] . . c:\windows\system32\dllcache\es.dll

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"XGIWatchDog"="XWatDog.exe" [2005-01-28 81920]

"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]

"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2006-10-17 398944]

"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-05 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-05 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-05 137752]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

.

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [21/03/2011 15:41 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [21/03/2011 15:41 22216]

S1 ctredr15.sys;ctredr15.sys;\??\c:\windows\system32\drivers\ctredr15.sys --> c:\windows\system32\drivers\ctredr15.sys [?]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 20:19 13592]

S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\h:\grijze stick\everest\kerneld.wnt --> h:\grijze stick\everest\kerneld.wnt [?]

S3 Xgiv3;Xgiv3;c:\windows\system32\drivers\Xgiv3m.sys [15/05/2006 12:40 343040]

.

Inhoud van de 'Gedeelde Taken' map

.

2011-09-19 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

.

2011-03-14 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 11:26]

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.google.be/

mStart Page = hxxp://downloads.phpnuke.org/nl/index.php?rvs=hompag

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\r26woi8r.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2603445&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - hxxp://downloads.phpnuke.org/nl/index.php?rvs=hompag

FF - prefs.js: browser.startup.homepage - hxxp://www.google.be

FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties

.

- - - - ORPHANS VERWIJDERD - - - -

.

WebBrowser-{3AD798D0-4642-4C55-BC14-CFE7DD19E0D1} - (no file)

WebBrowser-{65CA59EE-9920-4D7F-8C41-BFA12403261A} - (no file)

SafeBoot-MsMpSvc

AddRemove-Adobe Acrobat 5.0 - c:\windows\ISUN0413.EXE

AddRemove-Easy-WebPrint - c:\windows\IsUn0413.exe

AddRemove-XGI V3 Display Driver Setup - c:\program files\XGI Technology

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2011-09-20 15:02

Windows 5.1.2600 Service Pack 3 NTFS

.

scannen van verborgen processen ...

.

scannen van verborgen autostart items ...

.

scannen van verborgen bestanden ...

.

Scan succesvol afgerond

verborgen bestanden: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]

"ImagePath"="\??\h:\grijze stick\everest\kerneld.wnt"

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]

"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

Voltooingstijd: 2011-09-20 15:04:14

ComboFix-quarantined-files.txt 2011-09-20 13:04

.

Pre-Run: 16.971.087.872 bytes beschikbaar

Post-Run: 18.128.592.896 bytes beschikbaar

.

WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

.

- - End Of File - - 482A7458B0A575F22AD0217AC2841EE6

Replies: 91

Posted:

Open a Notepad file.

Copy and paste the bold text below into it.

Firefox::

FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\r26woi8r.default\

FF - prefs.js: browser.search.defaulturl -

Save this file to your desktop as CFScript.txt.

Drag CFScript.txt onto ComboFix.exe

This will make ComboFix restart. Reboot if you are asked to.

After the reboot, post the contents of ComboFix.txt in your next message.

How are things by now with the green words and double lines?

Posted:

ComboFix 11-09-19.05 - Patrick 20/09/2011 15:51:51.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.2037.1326 [GMT 2:00]

Gestart vanuit: c:\documents and settings\Patrick\Mijn documenten\Downloads\ComboFix.exe

gebruikte Opdracht switches :: c:\documents and settings\Patrick\Bureaublad\CFScript.txt..txt

AV: Avira AntiVir PersonalEdition *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

(((((((((((((((((((( Bestanden Gemaakt van 2011-08-20 to 2011-09-20 ))))))))))))))))))))))))))))))

.

.

2011-09-19 11:34 . 2011-09-19 11:34 388096 ----a-r- c:\documents and settings\Patrick\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-09-06 16:58 . 2011-09-06 16:58 -------- d-----w- c:\documents and settings\Patrick\.jordan

.

.

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-09 09:12 . 2008-04-15 12:00 602624 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 11:52 . 2011-06-19 06:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-31 15:00 . 2011-03-21 13:41 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-15 13:29 . 2008-04-15 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2008-04-15 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2008-12-15 12:31 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:31 . 2008-04-15 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:31 . 2008-04-15 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2011-06-23 18:31 . 2008-04-15 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2008-04-15 12:00 385024 ------w- c:\windows\system32\html.iec

2011-09-07 16:42 . 2011-03-23 11:23 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2010-02-01 18:11 203776 --sh--w- c:\windows\system32\unrar.exe

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-07-07 20:32 . 68180553F674B487BE777CFD6BE70726 . 253952 . . [2001.12.4414.320] . . c:\windows\SoftwareDistribution\Download\753862110538d91277294ecede82cf33\SP2GDR\es.dll

[-] 2008-07-07 20:30 . 97912DC0679D2DA60CCE589BBC196D72 . 253952 . . [2001.12.4414.706] . . c:\windows\SoftwareDistribution\Download\753862110538d91277294ecede82cf33\SP3GDR\es.dll

[-] 2008-07-07 20:30 . 97912DC0679D2DA60CCE589BBC196D72 . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll

[-] 2008-07-07 20:26 . F6C37073A269C163A5FDAE5BFF47F367 . 253952 . . [2001.12.4414.706] . . c:\windows\SoftwareDistribution\Download\753862110538d91277294ecede82cf33\SP3QFE\es.dll

[-] 2008-07-07 20:23 . B3A4422CBD8DAA6710431F67C679DA24 . 253952 . . [2001.12.4414.320] . . c:\windows\SoftwareDistribution\Download\753862110538d91277294ecede82cf33\SP2QFE\es.dll

[7] 2008-04-15 12:00 . 42A7FC383B174D91162EBF44C8AA5349 . 246272 . . [2001.12.4414.701] . . c:\windows\system32\dllcache\es.dll

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"XGIWatchDog"="XWatDog.exe" [2005-01-28 81920]

"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]

"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2006-10-17 398944]

"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-05 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-05 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-05 137752]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

.

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [21/03/2011 15:41 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [21/03/2011 15:41 22216]

S1 ctredr15.sys;ctredr15.sys;\??\c:\windows\system32\drivers\ctredr15.sys --> c:\windows\system32\drivers\ctredr15.sys [?]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 20:19 13592]

S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\h:\grijze stick\everest\kerneld.wnt --> h:\grijze stick\everest\kerneld.wnt [?]

S3 Xgiv3;Xgiv3;c:\windows\system32\drivers\Xgiv3m.sys [15/05/2006 12:40 343040]

.

Inhoud van de 'Gedeelde Taken' map

.

2011-09-19 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

.

2011-03-14 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 11:26]

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.google.be/

mStart Page = hxxp://downloads.phpnuke.org/nl/index.php?rvs=hompag

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\r26woi8r.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2603445&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - hxxp://downloads.phpnuke.org/nl/index.php?rvs=hompag

FF - prefs.js: browser.startup.homepage - hxxp://www.google.be

FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2011-09-20 15:53

Windows 5.1.2600 Service Pack 3 NTFS

.

scannen van verborgen processen ...

.

scannen van verborgen autostart items ...

.

scannen van verborgen bestanden ...

.

Scan succesvol afgerond

verborgen bestanden: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]

"ImagePath"="\??\h:\grijze stick\everest\kerneld.wnt"

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]

"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

.

- - - - - - - > 'explorer.exe'(2912)

c:\windows\system32\webcheck.dll

.

Voltooingstijd: 2011-09-20 15:54:50

ComboFix-quarantined-files.txt 2011-09-20 13:54

ComboFix2.txt 2011-09-20 13:38

.

Pre-Run: 18.123.214.848 bytes beschikbaar

Post-Run: 18.112.339.968 bytes beschikbaar

.

- - End Of File - - 2632282D8030F0A6F6DBAB2703C08613

---------- Post added at 14:02 ---------- Previous post was at 13:57 ----------

The green words and double lines are still there. :dong:

Posted:

The fix was not executed because you saved the script incorrectly.

gebruikte Opdracht switches :: c:\documents and settings\Patrick\Bureaublad\CFScript.txt..txt

Remove the ..txt at the end so that only CFScript.txt remains, and then do the fix procedure again.

Posted:

This is all getting rather complicated for me, I'm only a layman :hmpf:

ComboFix 11-09-21.02 - Patrick 21/09/2011 17:49:04.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.2037.1380 [GMT 2:00]

Gestart vanuit: c:\documents and settings\Patrick\Mijn documenten\Downloads\ComboFix.exe

gebruikte Opdracht switches :: c:\documents and settings\Patrick\Bureaublad\CFScript.txt..txt

AV: Avira AntiVir PersonalEdition *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

(((((((((((((((((((( Bestanden Gemaakt van 2011-08-21 to 2011-09-21 ))))))))))))))))))))))))))))))

.

.

2011-09-19 11:34 . 2011-09-19 11:34 388096 ----a-r- c:\documents and settings\Patrick\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-09-06 16:58 . 2011-09-06 16:58 -------- d-----w- c:\documents and settings\Patrick\.jordan

.

.

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-09 09:12 . 2008-04-15 12:00 602624 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 11:52 . 2011-06-19 06:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-31 15:00 . 2011-03-21 13:41 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-15 13:29 . 2008-04-15 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2008-04-15 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2008-12-15 12:31 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:31 . 2008-04-15 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:31 . 2008-04-15 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2011-06-23 18:31 . 2008-04-15 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-09-07 16:42 . 2011-03-23 11:23 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2010-02-01 18:11 203776 --sh--w- c:\windows\system32\unrar.exe

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-07-07 20:32 . 68180553F674B487BE777CFD6BE70726 . 253952 . . [2001.12.4414.320] . . c:\windows\SoftwareDistribution\Download\753862110538d91277294ecede82cf33\SP2GDR\es.dll

[-] 2008-07-07 20:30 . 97912DC0679D2DA60CCE589BBC196D72 . 253952 . . [2001.12.4414.706] . . c:\windows\SoftwareDistribution\Download\753862110538d91277294ecede82cf33\SP3GDR\es.dll

[-] 2008-07-07 20:30 . 97912DC0679D2DA60CCE589BBC196D72 . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll

[-] 2008-07-07 20:26 . F6C37073A269C163A5FDAE5BFF47F367 . 253952 . . [2001.12.4414.706] . . c:\windows\SoftwareDistribution\Download\753862110538d91277294ecede82cf33\SP3QFE\es.dll

[-] 2008-07-07 20:23 . B3A4422CBD8DAA6710431F67C679DA24 . 253952 . . [2001.12.4414.320] . . c:\windows\SoftwareDistribution\Download\753862110538d91277294ecede82cf33\SP2QFE\es.dll

[7] 2008-04-15 12:00 . 42A7FC383B174D91162EBF44C8AA5349 . 246272 . . [2001.12.4414.701] . . c:\windows\system32\dllcache\es.dll

.

((((((((((((((((((((((((((((( SnapShot@2011-09-20_13.02.22 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-09-21 07:34 . 2011-09-21 07:34 16384 c:\windows\Temp\Perflib_Perfdata_6f4.dat

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"XGIWatchDog"="XWatDog.exe" [2005-01-28 81920]

"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]

"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2006-10-17 398944]

"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-05 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-05 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-05 137752]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

.

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [21/03/2011 15:41 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [21/03/2011 15:41 22216]

S1 ctredr15.sys;ctredr15.sys;\??\c:\windows\system32\drivers\ctredr15.sys --> c:\windows\system32\drivers\ctredr15.sys [?]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 20:19 13592]

S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\h:\grijze stick\everest\kerneld.wnt --> h:\grijze stick\everest\kerneld.wnt [?]

S3 Xgiv3;Xgiv3;c:\windows\system32\drivers\Xgiv3m.sys [15/05/2006 12:40 343040]

.

Inhoud van de 'Gedeelde Taken' map

.

2011-09-19 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

.

2011-03-14 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 11:26]

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.google.be/

mStart Page = hxxp://downloads.phpnuke.org/nl/index.php?rvs=hompag

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\r26woi8r.default\

FF - prefs.js: browser.search.selectedEngine - hxxp://downloads.phpnuke.org/nl/index.php?rvs=hompag

FF - prefs.js: browser.startup.homepage - hxxp://www.google.be

FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2011-09-21 17:54

Windows 5.1.2600 Service Pack 3 NTFS

.

scannen van verborgen processen ...

.

scannen van verborgen autostart items ...

.

scannen van verborgen bestanden ...

.

Scan succesvol afgerond

verborgen bestanden: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]

"ImagePath"="\??\h:\grijze stick\everest\kerneld.wnt"

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]

"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

.

- - - - - - - > 'explorer.exe'(3244)

c:\windows\system32\webcheck.dll

.

Voltooingstijd: 2011-09-21 17:55:33

ComboFix-quarantined-files.txt 2011-09-21 15:55

ComboFix2.txt 2011-09-20 13:54

ComboFix3.txt 2011-09-20 13:38

.

Pre-Run: 17.958.711.296 bytes beschikbaar

Post-Run: 17.950.019.584 bytes beschikbaar

.

- - End Of File - - 7F311C96EF7A98343712C5B77A2095E5

Posted:

Open a Notepad file.

Copy and paste the bold text below into it.

Firefox::

FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\r26woi8r.default\

FF - prefs.js: browser.search.defaulturl -

Save this file to your desktop as CFScript.txt.

Drag CFScript.txt onto ComboFix.exe

Saving CFScript.txt did not succeed... on your machine it is now called CFScript.txt..txt.

Go to your desktop, right-click the script and choose Rename: change the name to CFScript.txt

Afterwards, drag CFScript.txt onto ComboFix.exe and follow the instructions from post 12 and post 14.

Posted:

ComboFix 11-09-21.03 - Patrick 21/09/2011 19:25:38.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.2037.1317 [GMT 2:00]

Gestart vanuit: c:\documents and settings\Patrick\Mijn documenten\Downloads\ComboFix.exe

gebruikte Opdracht switches :: c:\documents and settings\Patrick\Bureaublad\CFScript.txt..txt

AV: Avira AntiVir PersonalEdition *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

.

(((((((((((((((((((( Bestanden Gemaakt van 2011-08-21 to 2011-09-21 ))))))))))))))))))))))))))))))

.

.

2011-09-19 11:34 . 2011-09-19 11:34 388096 ----a-r- c:\documents and settings\Patrick\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-09-06 16:58 . 2011-09-06 16:58 -------- d-----w- c:\documents and settings\Patrick\.jordan

.

.

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-09 09:12 . 2008-04-15 12:00 602624 ----a-w- c:\windows\system32\crypt32.dll

2011-09-06 11:52 . 2011-06-19 06:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-31 15:00 . 2011-03-21 13:41 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-15 13:29 . 2008-04-15 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2008-04-15 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2008-12-15 12:31 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:31 . 2008-04-15 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:31 . 2008-04-15 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2011-06-23 18:31 . 2008-04-15 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-09-07 16:42 . 2011-03-23 11:23 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2010-02-01 18:11 203776 --sh--w- c:\windows\system32\unrar.exe

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-07-07 20:32 . 68180553F674B487BE777CFD6BE70726 . 253952 . . [2001.12.4414.320] . . c:\windows\SoftwareDistribution\Download\753862110538d91277294ecede82cf33\SP2GDR\es.dll

[-] 2008-07-07 20:30 . 97912DC0679D2DA60CCE589BBC196D72 . 253952 . . [2001.12.4414.706] . . c:\windows\SoftwareDistribution\Download\753862110538d91277294ecede82cf33\SP3GDR\es.dll

[-] 2008-07-07 20:30 . 97912DC0679D2DA60CCE589BBC196D72 . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll

[-] 2008-07-07 20:26 . F6C37073A269C163A5FDAE5BFF47F367 . 253952 . . [2001.12.4414.706] . . c:\windows\SoftwareDistribution\Download\753862110538d91277294ecede82cf33\SP3QFE\es.dll

[-] 2008-07-07 20:23 . B3A4422CBD8DAA6710431F67C679DA24 . 253952 . . [2001.12.4414.320] . . c:\windows\SoftwareDistribution\Download\753862110538d91277294ecede82cf33\SP2QFE\es.dll

[7] 2008-04-15 12:00 . 42A7FC383B174D91162EBF44C8AA5349 . 246272 . . [2001.12.4414.701] . . c:\windows\system32\dllcache\es.dll

.

((((((((((((((((((((((((((((( SnapShot@2011-09-20_13.02.22 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-09-21 07:34 . 2011-09-21 07:34 16384 c:\windows\Temp\Perflib_Perfdata_6f4.dat

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"XGIWatchDog"="XWatDog.exe" [2005-01-28 81920]

"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]

"Easy-PrintToolBox"="c:\program files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2006-10-17 398944]

"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-05 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-05 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-05 137752]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\FrostWire\\FrostWire.exe"=

"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

.

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [21/03/2011 15:41 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [21/03/2011 15:41 22216]

S1 ctredr15.sys;ctredr15.sys;\??\c:\windows\system32\drivers\ctredr15.sys --> c:\windows\system32\drivers\ctredr15.sys [?]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 20:19 13592]

S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\h:\grijze stick\everest\kerneld.wnt --> h:\grijze stick\everest\kerneld.wnt [?]

S3 Xgiv3;Xgiv3;c:\windows\system32\drivers\Xgiv3m.sys [15/05/2006 12:40 343040]

.

Inhoud van de 'Gedeelde Taken' map

.

2011-09-19 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

.

2011-03-14 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 11:26]

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.google.be/

mStart Page = hxxp://downloads.phpnuke.org/nl/index.php?rvs=hompag

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.2.1

FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\r26woi8r.default\

FF - prefs.js: browser.search.selectedEngine - hxxp://downloads.phpnuke.org/nl/index.php?rvs=hompag

FF - prefs.js: browser.startup.homepage - hxxp://www.google.be

FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2011-09-21 19:29

Windows 5.1.2600 Service Pack 3 NTFS

.

scannen van verborgen processen ...

.

scannen van verborgen autostart items ...

.

scannen van verborgen bestanden ...

.

Scan succesvol afgerond

verborgen bestanden: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]

"ImagePath"="\??\h:\grijze stick\everest\kerneld.wnt"

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]

"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

.

- - - - - - - > 'explorer.exe'(1376)

c:\windows\system32\webcheck.dll

.

Voltooingstijd: 2011-09-21 19:31:26

ComboFix-quarantined-files.txt 2011-09-21 17:31

ComboFix2.txt 2011-09-21 15:55

ComboFix3.txt 2011-09-20 13:54

ComboFix4.txt 2011-09-20 13:38

.

Pre-Run: 18.067.853.312 bytes beschikbaar

Post-Run: 18.060.775.424 bytes beschikbaar

.

- - End Of File - - C5F93AB29389CB3EDB6F0BB18534333D

Posted:

The name of the file is still wrong, but the faulty line has now disappeared.

Has the problem disappeared with it?

If not, post a link to a website where you see this phenomenon. Then we can see it ourselves and it may become a bit clearer what the problem actually is.

Posted:

It is not solved yet.

If I just go to the 2dehands.be site, for example, words there are underlined and in green. Here is an example: if I click on the green words I now end up on a site where I can win an iPad 2.

Caravan-winterhoes voor buitenstalling - Te koop | 2dehands.be

---------- Post added at 09:16 ---------- Previous post was at 09:13 ----------

On my side the words appear in it like this: "Compleet zelfs met winterfadekhoes apart voor het neuswiel."

Posted:

I have tested these links with several browsers and nowhere do green or underlined words appear. Do you get that with both of your browsers (Firefox and Internet Explorer)?

This topic is now closed to new replies.
