ComboFix 17-10-04.01 - Gebruiker 04-10-2017 17:38:14.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.2047.1557 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Gebruiker\Mijn documenten\Downloads\ComboFix.exe
AV: Malwarebytes *Disabled/Updated* {D4AC7077-9720-47B0-8B38-DFAF3AA21DB6}
.
WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\autorun.inf
c:\documents and settings\Gebruiker\WINDOWS
.
c:\windows\system32\drivers\i8042prt.sys . . . is verdwenen!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMSINT32
-------\Service_amsint32
-------\Service_Asapi
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2017-09-04 to 2017-10-04 ))))))))))))))))))))))))))))))
.
.
2017-10-03 16:30 . 2017-10-03 16:30 -------- d-----w- c:\documents and settings\Gebruiker\Local Settings\Application Data\F-Secure
2017-10-03 16:30 . 2017-10-03 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2017-10-03 15:04 . 2017-10-03 15:29 103140 ----a-w- C:\augrx.exe
2017-10-02 17:12 . 2017-10-04 15:47 147232 ----a-w- c:\windows\system32\drivers\MBAMChameleon.sys
2017-10-02 17:12 . 2017-10-04 15:47 40352 ----a-w- c:\windows\system32\drivers\mbam.sys
2017-10-02 17:12 . 2017-10-04 15:47 221600 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2017-10-02 17:11 . 2017-10-02 17:56 59936 ----a-w- c:\windows\system32\drivers\mbae.sys
2017-10-02 17:11 . 2017-10-02 17:11 -------- d-----w- c:\program files\Malwarebytes
2017-10-02 17:11 . 2017-10-02 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2017-10-04 15:47 . 2017-10-04 15:47 103140 --sh--r- C:\ndgx.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"SoundMan"="SOUNDMAN.EXE" [2004-11-02 159744]
"AlcWzrd"="ALCWZRD.EXE" [2004-11-29 2748928]
"AlcFDMonitor"="c:\windows\ALCFDRTM.EXE" [2017-05-05 155648]
"Malwarebytes TrayApp"="c:\program files\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe" [2017-05-09 3146704]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\TeamViewer\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\TeamViewer_Service.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\I-Radio\\I-Radio.exe"=
"c:\\WINDOWS\\SOUNDMAN.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=
"c:\\WINDOWS\\ALCMTR.EXE"=
"c:\\WINDOWS\\ALCWZRD.EXE"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Steinberg\\WaveLab 6\\WaveLab.exe"=
"c:\\Program Files\\I-Radio\\New Iradio\\I-Radio.exe"=
"c:\\WINDOWS\\system32\\xp_eos.exe"=
"c:\\WINDOWS\\ALCFDRTM.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
S2 MBAMService;Malwarebytes Service;c:\program files\Malwarebytes\Anti-Malware\mbamservice.exe [2017-05-09 3398608]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2017-10-04 221600]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys [2016-11-28 25088]
.
.
--- Andere Services/Drivers In Geheugen ---
.
*NewlyCreated* - AMSINT32
*NewlyCreated* - ESPROTECTIONDRIVER
*NewlyCreated* - MBAMPROTECTION
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2017-05-13 07:14 1106072 ----a-w- c:\program files\Google\Chrome\Application\49.0.2623.112\Installer\chrmstp.exe
.
Inhoud van de 'Gedeelde Taken' map
.
2017-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2017-05-13 07:14]
.
2017-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2017-05-13 07:14]
.
2017-10-04 c:\windows\Tasks\Microsoft Windows XP - aanmelding voor kennisgeving over einde van service.job
- c:\windows\system32\xp_eos.exe [2017-05-03 23:28]
.
2017-06-08 c:\windows\Tasks\Microsoft Windows XP - maandelijkse kennisgeving over einde van service.job
- c:\windows\system32\xp_eos.exe [2017-05-03 23:28]
.
2017-10-04 c:\windows\Tasks\User_Feed_Synchronization-{F700354C-B46F-4851-BFC3-144F6740CD8F}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.nl/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2017-10-04 17:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
.
- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\CLBCATQ.DLL
.
- - - - - - - > 'explorer.exe'(3252)
c:\windows\system32\webcheck.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\program files\TeamViewer\TeamViewer_Service.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\program files\TeamViewer\TeamViewer.exe
c:\program files\TeamViewer\tv_w32.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Voltooingstijd: 2017-10-04 17:53:20 - machine werd herstart
ComboFix-quarantined-files.txt 2017-10-04 15:53
.
Pre-Run: 94.842.511.360 bytes beschikbaar
Post-Run: 94.788.038.656 bytes beschikbaar
.
- - End Of File - - 5325E4E08260FF6E641BC20C2C2F719D
3051207086651214E435112E51817DC5