federal police cyber crime virus

kape · 6 juli 2012

Bij eerste gebruik kan Combofix behoorlijk lang nodig hebben ... misschien nog even laten runnen !

matti85 · 7 juli 2012

Hij staat nog steeds in hetzelfde scherm en is nu bijna 7u aan het lopen.

Ik ga de pc manueel uitschakelen, want het bureaublad is er niet.

kape · 7 juli 2012

Hij staat nog steeds in hetzelfde scherm en is nu bijna 7u aan het lopen

Dat is nu ook weer niet normaal

Probeer eens of je de huidige download kan laten scannen in "veilige modus" ? Loopt die ook vast, verwijder dan de huidige versie van het tooltje en download het opnieuw.

matti85 · 7 juli 2012

Hey kape,

Het is gelukt

Hierbij de logfile:

ComboFix 12-07-05.04 - Hubert 07/07/2012 14:50:21.3.2 - x86

Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.32.1043.18.2045.1355 [GMT 2:00]

Gestart vanuit: c:\users\Hubert\Desktop\ComboFix.exe

AV: G Data InternetSecurity 2012 *Disabled/Updated* {39B780B4-63C2-05B0-3B40-8F7A21E4F496}

FW: G Data Personal Firewall *Disabled* {018C0191-29AD-04E8-101F-264FDF37B3ED}

SP: G Data InternetSecurity 2012 *Disabled/Updated* {82D66150-45F8-0A3E-01F0-B4085A63BE2B}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

(((((((((((((((((((( Bestanden Gemaakt van 2012-06-07 to 2012-07-07 ))))))))))))))))))))))))))))))

.

2012-07-07 13:15 . 2012-07-07 13:15 -------- d-----w- c:\users\Mathias.Home_PC_Hubert\AppData\Local\temp

2012-07-07 13:15 . 2012-07-07 13:15 -------- d-----w- c:\users\MATHIA~1~HOM\AppData\Local\temp

2012-07-07 13:15 . 2012-07-07 13:15 -------- d-----w- c:\users\Kristof\AppData\Local\temp

2012-07-07 13:15 . 2012-07-07 13:15 -------- d-----w- c:\users\Jozefa\AppData\Local\temp

2012-07-07 13:15 . 2012-07-07 13:15 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-07 08:57 . 2012-07-07 08:57 -------- d-----w- c:\users\Hubert\AppData\Local\DNA

2012-07-07 08:57 . 2012-07-07 13:12 -------- d-----w- c:\users\Hubert\AppData\Roaming\DNA

2012-07-06 19:37 . 2012-07-07 13:16 -------- d-----w- c:\users\Hubert\AppData\Local\temp

2012-07-05 14:20 . 2012-07-05 14:20 -------- d-----w- c:\program files\Common Files\Java

2012-07-05 14:15 . 2012-07-05 14:15 611224 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

2012-07-05 13:16 . 2012-07-05 13:16 -------- d-----w- c:\program files\CCleaner

2012-07-05 07:39 . 2012-07-05 07:39 388096 ----a-r- c:\users\Hubert\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2012-07-05 07:39 . 2012-07-05 07:39 -------- d-----w- c:\program files\Trend Micro

2012-07-04 20:29 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DB603F7C-EBBC-4291-97D3-428DA5F38DA7}\mpengine.dll

2012-07-04 19:57 . 2012-07-04 19:57 -------- d-----w- c:\users\Hubert\AppData\Roaming\Malwarebytes

2012-07-04 19:56 . 2012-07-04 19:56 -------- d-----w- c:\programdata\Malwarebytes

2012-07-04 18:08 . 2012-07-04 18:08 -------- d-----w- c:\users\Hubert\AppData\Local\Apple Computer

2012-07-04 18:08 . 2012-07-04 18:08 -------- d-----w- c:\users\Hubert\AppData\Roaming\Apple Computer

2012-07-04 17:32 . 2012-07-04 17:32 -------- d-----w- c:\users\Hubert\AppData\Local\G DATA

2012-06-24 19:38 . 2012-06-24 19:38 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll

2012-06-24 19:38 . 2012-06-24 19:38 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll

2012-06-21 15:48 . 2012-06-21 15:48 -------- d-----w- c:\windows\nl

2012-06-21 15:47 . 2012-03-08 16:32 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys

2012-06-21 15:41 . 2012-06-21 15:41 89944 ----a-w- c:\program files\Common Files\Windows Live\.cache\5a771a0b1cd4fc402\DSETUP.dll

2012-06-21 15:41 . 2012-06-21 15:41 537432 ----a-w- c:\program files\Common Files\Windows Live\.cache\5a771a0b1cd4fc402\DXSETUP.exe

2012-06-21 15:41 . 2012-06-21 15:41 1801048 ----a-w- c:\program files\Common Files\Windows Live\.cache\5a771a0b1cd4fc402\dsetup32.dll

2012-06-21 12:47 . 2012-06-21 12:47 -------- d-----w- c:\users\Kristof\AppData\Local\Apple Computer

2012-06-21 12:44 . 2012-06-21 12:44 -------- d-----w- c:\users\Kristof\AppData\Roaming\Apple Computer

2012-06-21 07:23 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-21 07:23 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-21 07:23 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-06-21 07:23 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll

2012-06-21 07:22 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-21 07:22 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-21 07:22 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll

2012-06-21 07:22 . 2012-06-02 13:19 171904 ----a-w- c:\windows\system32\wuwebv.dll

2012-06-21 07:22 . 2012-06-02 13:12 33792 ----a-w- c:\windows\system32\wuapp.exe

2012-06-13 08:56 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll

2012-06-13 08:56 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll

2012-06-13 08:56 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll

2012-06-13 08:55 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-06-13 08:55 . 2012-05-15 19:51 2045440 ----a-w- c:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-07-05 14:15 . 2010-08-09 19:41 544656 ----a-w- c:\windows\system32\deployJava1.dll

2012-06-04 07:51 . 2012-06-04 07:51 658512 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

2012-06-01 18:16 . 2012-06-01 18:16 476960 ----a-w- c:\windows\system32\npdeployJava1.dll

2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2012-06-24 19:38 . 2012-02-18 14:40 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2010-07-07 13:51 . 2009-10-27 11:15 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2012-07-07 323392]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]

"Bluetooth HCI Monitor"="HCIMNTR.DLL" [2006-12-07 9728]

"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-12-06 180224]

"CTxfiHlp"="CTXFIHLP.EXE" [2007-07-18 23552]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-07 30192]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-26 185896]

"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-05-28 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-28 8429568]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-28 81920]

"Ulead Photo Express Calendar Checker"="c:\program files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe" [2004-01-12 69632]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"G Data AntiVirus Tray Application"="c:\program files\G Data\InternetSecurity\AVKTray\AVKTray.exe" [2011-09-22 1012232]

"GDFirewallTray"="c:\program files\G Data\InternetSecurity\Firewall\GDFirewallTray.exe" [2011-11-08 1616904]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs REG_MULTI_SZ BthServ

bdx REG_MULTI_SZ scan

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

Inhoud van de 'Gedeelde Taken' map

.

2012-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-31 18:39]

.

2012-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-31 18:39]

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.google.be/

mWindow Title = Telenet Internet

IE: Afbeelding verzenden naar &Bluetooth-apparaat... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Pagina verzenden naar &Bluetooth-apparaat... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

IE: {{878AC5FC-BE78-4bae-896C-7F75B790A71E} - c:\program files\PokerStars.BE\PokerStarsUpdate.exe

Trusted Zone: adobe.com\www

Trusted Zone: entriq.net\man

Trusted Zone: telenet.be\messagent

Trusted Zone: telenet.be\pctv

Trusted Zone: telenet.be\www

TCP: DhcpNameServer = 195.130.130.132 195.130.131.132

FF - ProfilePath - c:\users\Hubert\AppData\Roaming\Mozilla\Firefox\Profiles\4lwba98m.default\

FF - prefs.js: browser.search.selectedEngine - Ask

FF - prefs.js: browser.startup.homepage - hxxp://www.telenet.be

FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=

.

- - - - ORPHANS VERWIJDERD - - - -

.

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)

HKLM-Run-Corel Print Office 2000 - F:\Setup32.exe

HKLM-Run-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

AddRemove-Agfa ScanWise 1.40 - c:\windows\IsUn0413.exe

AddRemove-Cardiris - c:\windows\IsUn0413.exe

AddRemove-TimeAdjuster - c:\program files\TimeAdjuster\Uninstall.exe

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2012-07-07 15:16

Windows 6.0.6002 Service Pack 2 NTFS

.

scannen van verborgen processen ...

.

scannen van verborgen autostart items ...

.

scannen van verborgen bestanden ...

.

Scan succesvol afgerond

verborgen bestanden: 0

.

**************************************************************************

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

.

- - - - - - - > 'Explorer.exe'(6352)

c:\program files\G Data\InternetSecurity\Shredder\Reisswlf.dll

.

Voltooingstijd: 2012-07-07 15:19:44

ComboFix-quarantined-files.txt 2012-07-07 13:19

.

Pre-Run: 25.720.750.080 bytes beschikbaar

Post-Run: 25.636.601.856 bytes beschikbaar

.

- - End Of File - - 9BEC45EC44FEA7A2E4BEBF0208A9DACE

kape · 7 juli 2012

Open een kladblokbestand.

Kopieer en plak daarin de onderstaande vetgedrukte tekst.

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

Firefox::

FF - ProfilePath - c:\users\Hubert\AppData\Roaming\Mozilla\Firefox\Profiles\4lwba98m.default\

FF - prefs.js: browser.search.selectedEngine –

FF - prefs.js: keyword.URL -

Sla dit bestand op je bureaublad op als CFScript.

Sleep CFScript.txt in ComboFix.exe

Dit zal ComboFix doen herstarten. Start opnieuw op als dat gevraagd wordt.

Post na herstart de inhoud van de Combofix.txt in je volgende bericht.

matti85 · 7 juli 2012

ComboFix 12-07-05.04 - Hubert 07/07/2012 18:59:25.4.2 - x86

Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.32.1043.18.2045.1179 [GMT 2:00]

Gestart vanuit: c:\users\Hubert\Desktop\ComboFix.exe

gebruikte Opdracht switches :: c:\users\Hubert\Desktop\CFScript.txt

AV: G Data InternetSecurity 2012 *Disabled/Outdated* {39B780B4-63C2-05B0-3B40-8F7A21E4F496}

FW: G Data Personal Firewall *Disabled* {018C0191-29AD-04E8-101F-264FDF37B3ED}

SP: G Data InternetSecurity 2012 *Disabled/Outdated* {82D66150-45F8-0A3E-01F0-B4085A63BE2B}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

(((((((((((((((((((( Bestanden Gemaakt van 2012-06-07 to 2012-07-07 ))))))))))))))))))))))))))))))

.

2012-07-07 17:26 . 2012-07-07 17:26 -------- d-----w- c:\users\Mathias.Home_PC_Hubert\AppData\Local\temp

2012-07-07 17:26 . 2012-07-07 17:26 -------- d-----w- c:\users\MATHIA~1~HOM\AppData\Local\temp

2012-07-07 17:26 . 2012-07-07 17:26 -------- d-----w- c:\users\Kristof\AppData\Local\temp

2012-07-07 17:26 . 2012-07-07 17:26 -------- d-----w- c:\users\Jozefa\AppData\Local\temp

2012-07-07 17:26 . 2012-07-07 17:26 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-07 08:57 . 2012-07-07 08:57 -------- d-----w- c:\users\Hubert\AppData\Local\DNA

2012-07-07 08:57 . 2012-07-07 17:21 -------- d-----w- c:\users\Hubert\AppData\Roaming\DNA

2012-07-06 19:37 . 2012-07-07 17:26 -------- d-----w- c:\users\Hubert\AppData\Local\temp