Bundespolizei

tulp85

Again it sees that there was a thread, but I did not remove it. It is perhaps possible that, during the time ComboFix was working, the time for which I had disabled the scanner had elapsed. Here is the log file from ComboFix.

ComboFix 12-03-09.03 - steve 09/03/2012 17:50:37.1.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.65.1033.18.3069.1951 [GMT 8:00]

Running from: c:\users\steve\Desktop\ComboFix.exe

Command switches used :: c:\users\steve\Desktop\CFScript.txt

AV: AVG Internet Security 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

FW: AVG Firewall *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}

SP: AVG Internet Security 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\Common Files\Spigot

c:\program files\Common Files\Spigot\Search Settings\baidu_ff.xml

c:\program files\Common Files\Spigot\Search Settings\baidu_ie.xml

c:\program files\Common Files\Spigot\Search Settings\config.ini

c:\program files\Common Files\Spigot\Search Settings\Lang\res1031.ini

c:\program files\Common Files\Spigot\Search Settings\Lang\res1033.ini

c:\program files\Common Files\Spigot\Search Settings\Lang\res1034.ini

c:\program files\Common Files\Spigot\Search Settings\Lang\res1036.ini

c:\program files\Common Files\Spigot\Search Settings\Lang\res1040.ini

c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe

c:\program files\Common Files\Spigot\Search Settings\wth.dll

c:\program files\Common Files\Spigot\Search Settings\yahoo_ff.xml

c:\program files\Common Files\Spigot\Search Settings\yahoo_ie.xml

c:\program files\Common Files\Spigot\Search Settings\yandex_ff.xml

c:\program files\Common Files\Spigot\Search Settings\yandex_ie.xml

c:\program files\Dealio Toolbar

c:\program files\Dealio Toolbar\IE\5.0\config.ini

c:\program files\Dealio Toolbar\Res\Lang\res1031.ini

c:\program files\Dealio Toolbar\Res\Lang\res1033.ini

c:\program files\Dealio Toolbar\Res\Lang\res1034.ini

c:\program files\Dealio Toolbar\Res\Lang\res1036.ini

c:\program files\Dealio Toolbar\Res\Lang\res1040.ini

c:\program files\Dealio Toolbar\WidgiHelper.exe

c:\program files\facemoods.com

c:\program files\facemoods.com\facemoods\1.4.17.6\facemoodsApp.dll

c:\program files\facemoods.com\facemoods\1.4.17.6\facemoodsEng.dll

c:\program files\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe

c:\program files\facemoods.com\facemoods\1.4.17.6\facemoodsTlbr.dll

c:\program files\facemoods.com\facemoods\1.4.17.6\uninstall.exe

c:\program files\PriceGong

c:\program files\PriceGong\2.5.3\FF\chrome.manifest

c:\program files\PriceGong\2.5.3\FF\chrome\content\options.js

c:\program files\PriceGong\2.5.3\FF\chrome\content\options.xul

c:\program files\PriceGong\2.5.3\FF\chrome\content\overlay.js

c:\program files\PriceGong\2.5.3\FF\chrome\content\PriceGong.png

c:\program files\PriceGong\2.5.3\FF\chrome\content\pricegong.xul

c:\program files\PriceGong\2.5.3\FF\chrome\locale\en-US\overlay.dtd

c:\program files\PriceGong\2.5.3\FF\chrome\locale\en-US\pricegong.dtd

c:\program files\PriceGong\2.5.3\FF\chrome\skin\overlay.css

c:\program files\PriceGong\2.5.3\FF\components\pg_inst.txt

c:\program files\PriceGong\2.5.3\FF\components\PriceGong.xpt

c:\program files\PriceGong\2.5.3\FF\components\PriceGongFF.dll

c:\program files\PriceGong\2.5.3\FF\components\PriceGongFF_50.dll

c:\program files\PriceGong\2.5.3\FF\components\PriceGongFF_60.dll

c:\program files\PriceGong\2.5.3\FF\install.rdf

c:\program files\PriceGong\2.5.3\PriceGong.crx

c:\program files\PriceGong\uninst.exe

c:\programdata\Tarma Installer

c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setup.dll

c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\_Setupx.dll

c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.exe

c:\programdata\Tarma Installer\{2E1037EA-038A-425F-86B9-6CD19B8497E9}\Setup.ico

c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll

c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll

c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe

c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico

c:\programdata\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setup.dll

c:\programdata\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll

c:\programdata\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\Setup.exe

c:\programdata\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\Setup.ico

c:\users\steve\Taskmgr.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-02-09 to 2012-03-09 )))))))))))))))))))))))))))))))

.

.

2012-03-09 10:04 . 2012-03-09 10:04 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-03-06 19:58 . 2012-03-06 19:58 -------- d-----w- c:\program files\CCleaner

2012-03-03 04:28 . 2012-03-03 04:28 -------- d-----w- c:\program files\Application Updater

2012-03-03 03:51 . 2012-03-03 04:17 -------- d-----w- c:\program files\GridinSoft Trojan Killer

2012-03-03 03:21 . 2012-03-03 03:31 -------- d-----w- C:\hitat

2012-03-03 03:05 . 2012-03-03 03:05 -------- d-----w- c:\users\steve\AppData\Roaming\Malwarebytes

2012-03-03 03:05 . 2012-03-07 10:13 -------- d-----w- c:\programdata\Malwarebytes

2012-03-03 03:05 . 2012-03-03 15:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-03-03 03:05 . 2011-12-10 07:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-03 01:46 . 2012-03-03 01:46 -------- d-----w- c:\users\steve\AppData\Roaming\kodak

2012-02-21 17:52 . 2012-02-21 17:52 -------- d-----w- c:\programdata\Trymedia

2012-02-21 17:48 . 2012-02-21 17:48 -------- d-----w- c:\users\steve\AppData\Roaming\Jenkat

2012-02-10 04:29 . 2012-02-10 09:37 -------- d-----w- c:\program files\Real

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-02-10 04:29 . 2003-03-19 01:14 499712 ----a-w- c:\windows\system32\msvcp71.dll

2012-01-25 18:00 . 2012-02-04 00:45 79360 ----a-w- c:\windows\system32\ff_vfw.dll

2012-01-04 14:28 . 2012-01-04 14:28 16128 ----a-w- c:\windows\system32\drivers\gtkdrv.sys

2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl

2011-12-21 18:14 . 2012-02-04 00:45 151552 ----a-w- c:\windows\system32\ac3acm.acm

2011-12-12 00:17 . 2011-12-12 00:17 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]

2012-01-26 15:59 1811296 ----a-w- c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll" [2012-01-26 1811296]

.

[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]

"MediaGet2"="c:\users\steve\AppData\Local\MediaGet2\mediaget.exe" [2012-01-27 8109800]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

"GameXN (update)"="c:\programdata\GameXN\GameXNGO.exe" [2012-02-07 347008]

"GameXN (news)"="c:\programdata\GameXN\GameXNGO.exe" [2012-02-07 347008]

"GameXN"="c:\programdata\GameXN\GameXNGO.exe" [2012-02-07 347008]

"InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2011-08-09 1176064]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-03-11 159744]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]

"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]

"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]

"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-01-17 2339168]

"beid"="c:\program files\Belgium Identity Card\beid35gui.exe" [2011-07-06 2068480]

"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-01-26 939872]

"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-26 928096]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli DPPWDFLT

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter

"LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

"ehTray.exe"=c:\windows\ehome\ehTray.exe

"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized

"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

"Sidebar"=c:\program files\Windows Sidebar\sidebar.exe /autoRun

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"HP Software Update"=c:\program files\Hp\HP Software Update\HPWuSchd2.exe

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

"ContentTransferWMDetector.exe"=c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe

"DpAgent"=c:\program files\DigitalPersona\Bin\dpagent.exe

"facemoods"="c:\program files\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe" /md I

"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe

"QPService"="c:\program files\HP\QuickPlay\QPService.exe"

"hpWirelessAssistant"=c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "c:\program files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2007-08-23 09:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

2012-03-09 c:\windows\Tasks\FinalTorrent Update Checker.job

- c:\program files\FinalTorrent\FTCheckForUpdates.exe [2011-09-16 07:24]

.

2012-02-25 c:\windows\Tasks\HPCeeScheduleForsteve.job

- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-03-07 19:58]

.

2012-03-09 c:\windows\Tasks\User_Feed_Synchronization-{E5780BE7-AE92-40D4-B551-0E0FC5CD97B6}.job

- c:\windows\system32\msfeedssync.exe [2012-02-16 04:44]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

TCP: DhcpNameServer = 195.130.130.4 195.130.131.4

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll

DPF: {8C922C73-FFFA-45A3-B2C2-BC1E30074267} - hxxp://www.sony.be/bravia/RegistrationAgent.cab

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-10 - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{872B5B88-9DB5-4310-BDD0-AC189557E5F5} - (no file)

WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)

WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)

AddRemove-facemoods - c:\program files\facemoods.com\facemoods\1.4.17.6\uninstall.exe

AddRemove-PriceGong - c:\program files\PriceGong\uninst.exe

AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\progra~2\TARMAI~1\{889DF~1\Setup.exe

AddRemove-FoxTab FLV Player - c:\program files\FoxTabFLVPlayer\Uninstall\Uninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2012-03-09 18:05

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'lsass.exe'(924)

c:\windows\system32\DPPWDFLT.dll

.

Completion time: 2012-03-09 18:12:57

ComboFix-quarantined-files.txt 2012-03-09 10:12

ComboFix2.txt 2012-03-07 18:20

ComboFix3.txt 2012-03-07 16:25

.

Pre-Run: 95,204,806,656 bytes free

Post-Run: 95,151,464,448 bytes free

.

- - End Of File - - AD4EB8755ED2CDBAA9BFAF69F93D030F

edited by tulp85
accompanying addition

Open a Notepad file.

Copy and paste the bold text below into it.

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"facemoods"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

Save this file on your desktop as CFScript.

Drag CFScript.txt onto ComboFix.exe

This will make ComboFix restart. Reboot if you are asked to.

After the reboot, post the contents of ComboFix.txt in your next message.
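The CFScript above uses .reg notation inside its Registry:: block: `"name"=-` removes a single value and `[-KEY]` removes a whole key. Before running such a script it is worth checking, from the log itself, that every target the script names actually appeared in the "Reg Loading Points" section, and it is equally worth listing which autorun entries launch from user-writable locations (under \users, \programdata or \appdata), since those are the ones a helper reviews first. The following Python is an added example, not ComboFix's code and not part of the original thread; the regular expressions are my own reading of the log layout shown on this page, and the sample log and sample script embedded in it are constructed from that layout (the SymantecFirewall key is deliberately left out of the sample log so the cross-check has something to report).

```python
import re

# Constructed sample lines in the ComboFix "Reg Loading Points" layout seen on the page.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
"MediaGet2"="c:\users\steve\AppData\Local\MediaGet2\mediaget.exe" [2012-01-27 8109800]
"GameXN"="c:\programdata\GameXN\GameXNGO.exe" [2012-02-07 347008]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"facemoods"="c:\program files\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe" /md I
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

# Constructed CFScript in the form the helper posted ("name"=- removes a value, [-KEY] a key).
SAMPLE_SCRIPT = r"""
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"facemoods"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"""

KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')          # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')          # "name"=data
DIRECTIVE_RE = re.compile(r'^(\w+)::$')             # e.g. Registry::
# Paths a standard user can write to; an autorun pointing there deserves a second look.
USER_WRITABLE = re.compile(r'\\(users|programdata|appdata)\\', re.IGNORECASE)


def parse_reg_sections(text):
    """Map each [KEY] header (lower-cased) to the (name, data) lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(2).lower()
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2)))
    return sections


def user_writable_autoruns(sections):
    """Return (key, name, data) for Run / Run- entries whose command lives under a user-writable path."""
    hits = []
    for key, values in sections.items():
        if not (key.endswith('\\run') or key.endswith('\\run-')):
            continue
        for name, data in values:
            if USER_WRITABLE.search(data):
                hits.append((key, name, data))
    return hits


def parse_cfscript(text):
    """Return (keys_to_delete, values_to_delete) from the Registry:: block of a CFScript."""
    keys, values, current, in_block = [], [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = DIRECTIVE_RE.match(line)
        if m:
            in_block = m.group(1).lower() == 'registry'
            continue
        if not in_block:
            continue
        m = KEY_RE.match(line)
        if m:
            if m.group(1) == '-':
                keys.append(m.group(2).lower())
                current = None
            else:
                current = m.group(2).lower()
            continue
        m = VALUE_RE.match(line)
        if m and current is not None and m.group(2) == '-':
            values.append((current, m.group(1)))
    return keys, values


def unreferenced_targets(script_text, log_text):
    """Targets the script would delete that never appeared in the log; review these before running it."""
    sections = parse_reg_sections(log_text)
    keys, values = parse_cfscript(script_text)
    missing = [k for k in keys if k not in sections]
    for key, name in values:
        names = {n.lower() for n, _ in sections.get(key, [])}
        if name.lower() not in names:
            missing.append(key + '\\' + name)
    return missing


if __name__ == '__main__':
    for key, name, data in user_writable_autoruns(parse_reg_sections(SAMPLE_LOG)):
        print('user-writable autorun:', name, '->', data)
    for target in unreferenced_targets(SAMPLE_SCRIPT, SAMPLE_LOG):
        print('script target not seen in log:', target)
```

Run against the constructed input this lists MediaGet2 and GameXN as autoruns from user-writable folders and reports the SymantecFirewall key as a script target the sample log never showed. Flagging a path is only a prompt to look closer, not a verdict; the helper's decisions in the thread rest on the full log, which this check merely makes easier to read.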

ComboFix 12-03-09.03 - steve 10/03/2012 3:33.2.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.65.1033.18.3069.1722 [GMT 8:00]

Running from: c:\users\steve\Desktop\ComboFix.exe

Command switches used :: c:\users\steve\Desktop\CFScript.txt

AV: AVG Internet Security 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

FW: AVG Firewall *Disabled* {621CC794-9486-F902-D092-0484E8EA828B}

SP: AVG Internet Security 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2012-02-09 to 2012-03-09 )))))))))))))))))))))))))))))))

.

.

2012-03-09 19:40 . 2012-03-09 19:40 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-03-06 19:58 . 2012-03-06 19:58 -------- d-----w- c:\program files\CCleaner

2012-03-03 04:28 . 2012-03-03 04:28 -------- d-----w- c:\program files\Application Updater

2012-03-03 03:51 . 2012-03-03 04:17 -------- d-----w- c:\program files\GridinSoft Trojan Killer

2012-03-03 03:21 . 2012-03-03 03:31 -------- d-----w- C:\hitat

2012-03-03 03:05 . 2012-03-03 03:05 -------- d-----w- c:\users\steve\AppData\Roaming\Malwarebytes

2012-03-03 03:05 . 2012-03-07 10:13 -------- d-----w- c:\programdata\Malwarebytes

2012-03-03 03:05 . 2012-03-03 15:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-03-03 03:05 . 2011-12-10 07:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-03 01:46 . 2012-03-03 01:46 -------- d-----w- c:\users\steve\AppData\Roaming\kodak

2012-02-21 17:52 . 2012-02-21 17:52 -------- d-----w- c:\programdata\Trymedia

2012-02-21 17:48 . 2012-02-21 17:48 -------- d-----w- c:\users\steve\AppData\Roaming\Jenkat

2012-02-10 04:29 . 2012-02-10 09:37 -------- d-----w- c:\program files\Real

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-02-10 04:29 . 2003-03-19 01:14 499712 ----a-w- c:\windows\system32\msvcp71.dll

2012-01-25 18:00 . 2012-02-04 00:45 79360 ----a-w- c:\windows\system32\ff_vfw.dll

2012-01-04 14:28 . 2012-01-04 14:28 16128 ----a-w- c:\windows\system32\drivers\gtkdrv.sys

2012-01-04 00:48 . 2012-01-04 00:48 354176 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl

2011-12-21 18:14 . 2012-02-04 00:45 151552 ----a-w- c:\windows\system32\ac3acm.acm

2011-12-12 00:17 . 2011-12-12 00:17 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]

2012-01-26 15:59 1811296 ----a-w- c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.0.0.7\AVG Secure Search_toolbar.dll" [2012-01-26 1811296]

.

[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]

"MediaGet2"="c:\users\steve\AppData\Local\MediaGet2\mediaget.exe" [2012-01-27 8109800]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

"GameXN (update)"="c:\programdata\GameXN\GameXNGO.exe" [2012-02-07 347008]

"GameXN (news)"="c:\programdata\GameXN\GameXNGO.exe" [2012-02-07 347008]

"GameXN"="c:\programdata\GameXN\GameXNGO.exe" [2012-02-07 347008]

"InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2011-08-09 1176064]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-03-11 159744]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]

"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]

"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]

"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-01-17 2339168]

"beid"="c:\program files\Belgium Identity Card\beid35gui.exe" [2011-07-06 2068480]

"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-01-26 939872]

"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-26 928096]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli DPPWDFLT

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter

"LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

"ehTray.exe"=c:\windows\ehome\ehTray.exe

"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized

"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

"Sidebar"=c:\program files\Windows Sidebar\sidebar.exe /autoRun

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"HP Software Update"=c:\program files\Hp\HP Software Update\HPWuSchd2.exe

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

"ContentTransferWMDetector.exe"=c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe

"DpAgent"=c:\program files\DigitalPersona\Bin\dpagent.exe

"hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe

"QPService"="c:\program files\HP\QuickPlay\QPService.exe"

"hpWirelessAssistant"=c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "c:\program files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2007-08-23 09:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

2012-03-09 c:\windows\Tasks\FinalTorrent Update Checker.job

- c:\program files\FinalTorrent\FTCheckForUpdates.exe [2011-09-16 07:24]

.

2012-02-25 c:\windows\Tasks\HPCeeScheduleForsteve.job

- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-03-07 19:58]

.

2012-03-09 c:\windows\Tasks\User_Feed_Synchronization-{E5780BE7-AE92-40D4-B551-0E0FC5CD97B6}.job

- c:\windows\system32\msfeedssync.exe [2012-02-16 04:44]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

TCP: DhcpNameServer = 195.130.130.4 195.130.131.4

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll

DPF: {8C922C73-FFFA-45A3-B2C2-BC1E30074267} - hxxp://www.sony.be/bravia/RegistrationAgent.cab

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2012-03-10 03:40

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'lsass.exe'(924)

c:\windows\system32\DPPWDFLT.dll

.

Completion time: 2012-03-10 03:42:18

ComboFix-quarantined-files.txt 2012-03-09 19:42

ComboFix2.txt 2012-03-09 10:13

ComboFix3.txt 2012-03-07 18:20

ComboFix4.txt 2012-03-07 16:25

.

Pre-Run: 95,457,308,672 bytes free

Post-Run: 95,449,178,112 bytes free

.

- - End Of File - - A4803FC7F1353C88FF9434D65C689F6C
