Klaas56

21 oktober 2012

Bedankt voor de goede hulp.

21 oktober 2012

Avast geinstalleerd

Volledige systeemscan uitgevoerd: "Geen bedreiging gevonden"

Avast gedeinstalleerd

Herstart computer

Opnieuw scan gedaan met AVG

De Rootkit meldingen zijn nu op wonderbaarlijke wijze verdwenen.

Dus het lijkt mij ook dat het probleem nu inderdaad als opgelost kan worden beschouwd.

16 oktober 2012

Emsisoft Emergency Kit scan uitgevoerd.

Melding: Geen verdachte bestanden ontdekt tijdens de scan.

Logbestand bijgevoegd

Computer herstart

AVG scan uitgevoerd

Nog steeds rootkit meldingen.

Meldingen bijgevoegd

Ook uitgevoerd scan Emsisoft Emergency kit HiJackFree

Het op het scherm getoonde logbestand toont een aantal rood gemarkeerde regels

Deze regels hebben betrekking op AVG en betreft de volgende bestanden.

Alle zijn gemarkeerd als zichtbaar "Nee"

avgemcx.exe

avgidsagent.exe

avgnsx.exe

avgrsx.exe

avgtray.exe

avgui.exe

Logbestand bijgevoegd

Klaas Ridderikhoff

Logbestand Emsisoft Emergency Kit:

Emsisoft Emergency Kit - Versie 2.0

Laatste Update: 13-10-2012 18:49:07

Scaninstellingen:

Scantype: Diepe scan

Objecten: Rootkits, Geheugen, Sporen, C:\, D:\

Scan archieven: Aan

ADS Scan: Aan

Scan gestart: 16-10-2012 15:57:02

Gescand 706254

Gevonden 0

Scan geëindigd: 16-10-2012 17:35:15

Scantijd: 1:38:13

AVG Rootkit meldingen:

"";"C:\Windows\System32\Drivers\sppb.sys";"atapi.sys, koppelpunt import ataport.SYS AtaPortWritePortUchar -> sppb.sys +0x26D2";"Object is verborgen"

"";"C:\Windows\System32\Drivers\sppb.sys";"atapi.sys, koppelpunt import ataport.SYS AtaPortReadPortUchar -> sppb.sys +0x2040";"Object is verborgen"

"";"C:\Windows\System32\Drivers\sppb.sys";"atapi.sys, koppelpunt import ataport.SYS AtaPortWritePortBufferUshort -> sppb.sys +0x27FC";"Object is verborgen"

"";"C:\Windows\System32\Drivers\sppb.sys";"atapi.sys, koppelpunt import ataport.SYS AtaPortReadPortUshort -> sppb.sys +0x20BE";"Object is verborgen"

"";"C:\Windows\System32\Drivers\sppb.sys";"atapi.sys, koppelpunt import ataport.SYS AtaPortReadPortBufferUshort -> sppb.sys +0x213C";"Object is verborgen"

"";"C:\Windows\System32\Drivers\sppb.sys";"Inline koppelpunt ataport.SYS DllUnload -> sppb.sys +0x2F8AE";"Object is verborgen"

"";"C:\Windows\System32\Drivers\sppb.sys";"i8042prt.sys, koppelpunt import HAL.dll READ_PORT_UCHAR -> sppb.sys +0x12048";"Object is verborgen"

Emsisoft HiJackFree logbestand:

Logbestand van HiJackFree v4.5

Scan opgeslagen om 22:16:07, Datum 16-10-2012

Platform: Windows Vista32 Service Pack 2 (Windows NT 6.0.6002)

MSIE: Internet Explorer v 9.0 Service Pack 2 (9.0.8112.16421)

Lopende processen:

C:\Windows\System32\smss.exe

C:\PROGRA~1\AVG\AVG2012\avgrsx.exe

C:\Program Files\AVG\AVG2012\avgcsrvx.exe

C:\Windows\System32\csrss.exe

C:\Windows\System32\wininit.exe

C:\Windows\System32\csrss.exe

C:\Windows\System32\services.exe

C:\Windows\System32\lsass.exe

C:\Windows\System32\lsm.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\SLsvc.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\winlogon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\wlanext.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Program Files\Fingerprint Reader Suite\upeksvr.exe

C:\Windows\System32\AEstSrv.exe

C:\Program Files\AVG\AVG2012\avgwdsvc.exe

C:\Windows\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Planisware\Planisware Application Server\basis\OPX2Connect\opx2connect.exe

C:\Program Files\Planisware\Planisware Application Server\basis\OPX2HTTPServer\bin\httpd.exe

C:\oraclexe\app\oracle\product\10.2.0\server\BIN\oracle.exe

C:\oraclexe\app\oracle\product\10.2.0\server\BIN\TNSLSNR.EXE

C:\Program Files\Planisware\Planisware Application Server\basis\OPX2HTTPServer\bin\httpd.exe

C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe

C:\Windows\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Windows\System32\stacsv.exe

C:\Program Files\AVG\AVG2012\avgnsx.exe

C:\Program Files\AVG\AVG2012\avgemcx.exe

C:\Windows\System32\svchost.exe

C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe

C:\Windows\System32\vmnat.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\SearchIndexer.exe

C:\Windows\System32\vmnetdhcp.exe

C:\Program Files\VMware\VMware Player\vmware-authd.exe

C:\Program Files\AVG\AVG2012\avgidsagent.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\System32\taskeng.exe

C:\Program Files\AVG\AVG2012\avgcsrvx.exe

C:\Windows\System32\taskeng.exe

C:\Program Files\TeamViewer\Version6\TeamViewer.exe

C:\Windows\System32\dwm.exe

C:\Windows\explorer.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Windows\OEM02Mon.exe

C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files\Dell\MediaDirect\PCMService.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\VMware\VMware Player\hqtray.exe

C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\ApntEx.exe

C:\Program Files\DellTPad\hidfind.exe

C:\Program Files\AVG\AVG2012\avgtray.exe

C:\Windows\System32\spool\drivers\w32x86\3\CNAP2LAK.EXE

C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

C:\Program Files\Nuance\PaperPort\pptd40nt.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\spool\drivers\w32x86\3\CNAP2RPK.EXE

C:\Windows\System32\spool\drivers\w32x86\3\CNAC9SWK.EXE

C:\Windows\System32\rundll32.exe

C:\Program Files\Fingerprint Reader Suite\psqltray.exe

C:\Program Files\Nuance\PDF Viewer Plus\pdfPro5Hook.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Program Files\MyTomTom 3\MyTomTomSA.exe

C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\System32\wbem\WmiPrvSE.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe

C:\Windows\System32\svchost.exe

C:\Program Files\AVG\AVG2012\avgui.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Users\Klaas\Desktop\EmsisoftEmergencyKit\start.exe

C:\Install\Capture

C:\Users\Klaas\Desktop\EmsisoftEmergencyKit\Run\a2HiJackFree.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Sign In

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Standaard) =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: AVG Do Not Track - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll

O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll

O2 - BHO: PlusIEEventHelper Class - {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:\Program Files\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll

O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll

O2 - BHO: SimpleAdblock Class - {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files\Common Files\Simple Adblock\SimpleAdblock.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe

O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe

O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Fingerprint Reader Suite\launcher.exe" /startup

O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start

O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"

O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon

O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe

O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"

O4 - HKLM\..\Run: [CNAP2 Launcher] C:\Windows\system32\spool\DRIVERS\W32X86\3\CNAP2LAK.EXE

O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\Nuance\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\Nuance\PaperPort\pptd40nt.exe"

O4 - HKLM\..\Run: [PPort12reminder] "C:\Program Files\Nuance\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\12\Config\Ereg\Ereg.ini"

O4 - HKLM\..\Run: [PDFHook] C:\Program Files\Nuance\PDF Viewer Plus\pdfpro5hook.exe

O4 - HKLM\..\Run: [PDF5 Registry Controller] C:\Program Files\Nuance\PDF Viewer Plus\RegistryController.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"

O4 - HKLM\..\Run: [MyTomTomSA.exe] C:\Program Files\MyTomTom 3\MyTomTomSA.exe

O4 - HKLM\..\Run: [iSUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler

O7 - Regedit - Ingeschakeld

O8 - Extra contextmenu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200

O8 - Extra contextmenu item: Openen in PDF Viewer Plus - res://C:\Program Files\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm

O8 - Extra contextmenu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra contextmenu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFBAR.ICO

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\bt_cold_icon.ico

O9 - Extra "Tools" menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\bt_cold_icon.ico

O14 - IERESET.INF: SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

O14 - IERESET.INF: CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

O15 - Vertrouwde Zone: http://wiki.intus.nl

O16 - DPF: {2AB1C516-6654-4D3A-B3D6-2185BBCEB409} (Cisco SSL VPN Relay Loader) - https://vpn1.prvlimburg.nl/+CSCOL+/csvrloader32.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {E34F52FE-7769-46CE-8F8B-5E8ABAD2E9FC} (CSD ActiveX Installer) - https://vpn1.prvlimburg.nl/CACHE/sdesktop/install/binaries/instweb.cab

O20 - Winlogon Notify: psfus - C:\Windows\system32\psqlpwd.dll

O21 - ShellServiceObjectDelayLoad: WebCheck -

O22 - SharedTaskScheduler: Component Categories cache daemon - C:\Windows\system32\browseui.dll

O23 - Service: Adobe Flash Player Update Service - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

O23 - Service: Application Experience-service - C:\Windows\system32\svchost.exe

O23 - Service: Andrea ST Filters Service - C:\Windows\system32\aestsrv.exe

O23 - Service: Application Layer Gateway-service - C:\Windows\System32\alg.exe

O23 - Service: Application Information-service - C:\Windows\system32\svchost.exe

O23 - Service: Windows Audio-service - C:\Windows\System32\svchost.exe

O23 - Service: AVGIDSAgent - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe

O23 - Service: AVG WatchDog - C:\Program Files\AVG\AVG2012\avgwdsvc.exe

O23 - Service: Background Intelligent Transfer Service - C:\Windows\System32\svchost.exe

O23 - Service: DLL-bestand voor Computer Browser-service - C:\Windows\system32\svchost.exe

O23 - Service: Bluetooth Support-service - C:\Windows\system32\svchost.exe

O23 - Service: Microsoft Smartcard Certificate Propagation-service - C:\Windows\system32\svchost.exe

O23 - Service: Microsoft .NET Framework NGEN v2.0.50727_X86 - C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

O23 - Service: COMSysApp - C:\Windows\system32\dllhost.exe

O23 - Service: Cryptografische services - C:\Windows\system32\svchost.exe

O23 - Service: DFSR - C:\Windows\system32\DFSR.exe

O23 - Service: DHCP Client-service - C:\Windows\system32\svchost.exe

O23 - Service: API DLL van DNS Client - C:\Windows\system32\svchost.exe

O23 - Service: Wired AutoConfig-service - C:\Windows\system32\svchost.exe

O23 - Service: Microsoft EAPHost-service - C:\Windows\System32\svchost.exe

O23 - Service: Windows Media Center Receiver-service - C:\Windows\ehome\ehRecvr.exe

O23 - Service: Windows Media Center Scheduler-service - C:\Windows\ehome\ehsched.exe

O23 - Service: Windows Media Center Service Launcher - C:\Windows\\system32\svchost.exe

O23 - Service: ReadyBoost-service - C:\Windows\system32\svchost.exe

O23 - Service: Event Logging-service - C:\Windows\System32\svchost.exe

O23 - Service: EventSystem - C:\Windows\system32\svchost.exe

O23 - Service: Intel® PROSet/Wireless Event Log - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: WS Discovery-service - C:\Windows\system32\svchost.exe

O23 - Service: Function Discovery Resource Publication-service - C:\Windows\system32\svchost.exe

O23 - Service: Windows Font Cache-service - C:\Windows\system32\svchost.exe

O23 - Service: Windows Presentation Foundation-host - C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

O23 - Service: Google Update Service (gupdate1c8f0be5291664b) - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update-service (gupdatem) - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HID-service - C:\Windows\system32\svchost.exe

O23 - Service: Sleutelbeheerservice - C:\Windows\System32\svchost.exe

O23 - Service: Intel® Matrix Storage Event Monitor - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: InstallDriver Table Manager - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Service Model Installer Resource Library - C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

O23 - Service: IKE-extensie - C:\Windows\system32\svchost.exe

O23 - Service: DLL voor PnP-X IP Bus Enumerator - C:\Windows\system32\svchost.exe

O23 - Service: Service die IPv6-connectiviteit via een IPv4-netwerk biedt. - C:\Windows\System32\svchost.exe

O23 - Service: KeyIso - C:\Windows\system32\lsass.exe

O23 - Service: KtmRm - C:\Windows\System32\svchost.exe

O23 - Service: DLL-bestand voor Server-service - C:\Windows\system32\svchost.exe

O23 - Service: DLL-bestand voor Workstation-service - C:\Windows\System32\svchost.exe

O23 - Service: Bronnen voor verkennen van Link-layer - C:\Windows\System32\svchost.exe

O23 - Service: DLL-bestand voor TCPIP NetBios Transport Services - C:\Windows\system32\svchost.exe

O23 - Service: Media Center-bronnen - C:\Windows\system32\svchost.exe

O23 - Service: Multimedia Class Scheduler-service - C:\Windows\system32\svchost.exe

O23 - Service: Mozilla Maintenance Service - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

O23 - Service: API van Windows Firewall - C:\Windows\system32\svchost.exe

O23 - Service: MSDTC - C:\Windows\System32\msdtc.exe

O23 - Service: API voor iSCSI-ontdekking - C:\Windows\system32\svchost.exe

O23 - Service: Internationale berichten van Windows® Installer - C:\Windows\system32\msiexec.exe

O23 - Service: Quarantine Agent Service Run-Time - C:\Windows\System32\svchost.exe

O23 - Service: Dll-bestand voor NetLogon-services - C:\Windows\system32\lsass.exe

O23 - Service: Netwerkverbindingsbeheer - C:\Windows\System32\svchost.exe

O23 - Service: Gebruikersinterface van beheer van netwerkprofiel - C:\Windows\System32\svchost.exe

O23 - Service: Service Model Installer Resource Library - C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe

O23 - Service: Network Location Awareness 2 - C:\Windows\System32\svchost.exe

O23 - Service: Network Store Interface RPC-server - C:\Windows\system32\svchost.exe

O23 - Service: Microsoft Office Diagnostics Service - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE

O23 - Service: OPX2Connectbasis - C:\Program Files\Planisware\Planisware Application Server\basis\OPX2Connect\OPX2Connect.exe

O23 - Service: OPX2HTTPServerbasis - C:\Program Files\Planisware\Planisware Application Server\basis\OPX2HTTPServer\bin\httpd.exe

O23 - Service: OPX2IntranetServerdemo - C:\Program Files\Planisware\Planisware Application Server\demo\OPX2Modules\startintranet.exe

O23 - Service: OPX2IntranetServerMOBWEG5_218 - C:\Program Files\Planisware\Planisware Application Server\MOBWEG5_218\OPX2Modules\startintranet.exe

O23 - Service: OPX2IntranetServersp2_1 - C:\Program Files\Planisware\Planisware Application Server\sp2_1\OPX2Modules\startintranet.exe

O23 - Service: OracleJobSchedulerXE - c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe

O23 - Service: OracleMTSRecoveryService - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\omtsreco.exe

O23 - Service: OracleServiceXE - c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE

O23 - Service: OracleXETNSListener - C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe

O23 - Service: Office Source Engine - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

O23 - Service: Peer-to-Peer-services - C:\Windows\System32\svchost.exe

O23 - Service: Program Compatibility Assistant-service - C:\Windows\system32\svchost.exe

O23 - Service: PCDSRVC{E9D79540-57D5953E-06020200}_0 - PCDR Kernel Mode Service Helper Driver - c:\program files\dell support center\pcdsrvc.pkms

O23 - Service: PDFProFiltSrvPP - C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe

O23 - Service: Prestatielogboeken en signalen - C:\Windows\System32\svchost.exe

O23 - Service: Plug en Play-service in gebruikersmodus - C:\Windows\system32\svchost.exe

O23 - Service: Peer-to-Peer-services - C:\Windows\System32\svchost.exe

O23 - Service: DLL-beleidsarchiefbestand - C:\Windows\system32\svchost.exe

O23 - Service: Userenv - C:\Windows\system32\svchost.exe

O23 - Service: Standaardprovider van Beveiligde opslag - C:\Windows\system32\lsass.exe

O23 - Service: Windows NT - C:\Windows\\system32\svchost.exe

O23 - Service: Beheer van automatisch inbellen van Externe toegang - C:\Windows\system32\svchost.exe

O23 - Service: Verbindingsbeheer voor RAS - C:\Windows\system32\svchost.exe

O23 - Service: Dynamisch interfacebeheer - C:\Windows\system32\svchost.exe

O23 - Service: RemoteRegistry - C:\Windows\system32\svchost.exe

O23 - Service: Rpc Locator - C:\Windows\system32\locator.exe

O23 - Service: Smartcard-bronbeheerserver - C:\Windows\system32\svchost.exe

O23 - Service: Task Scheduler-service - C:\Windows\System32\svchost.exe

O23 - Service: Microsoft Smartcard Certificate Propagation-service - C:\Windows\system32\svchost.exe

O23 - Service: Microsoft® Windows Back-up-service - C:\Windows\system32\svchost.exe

O23 - Service: System Event Notification-service (SENS) - C:\Windows\system32\svchost.exe

O23 - Service: ServiceLayer - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Terminal Services Configuration-service - C:\Windows\System32\svchost.exe

O23 - Service: Helper-onderdelen voor Microsoft NAT - C:\Windows\System32\svchost.exe

O23 - Service: DLL-bestand voor Windows Shell Services - C:\Windows\System32\svchost.exe

O23 - Service: Skype Updater - C:\Program Files\Skype\Updater\Updater.exe

O23 - Service: Microsoft Software Licensing Service - C:\Windows\system32\SLsvc.exe

O23 - Service: Gebruikersinterface van kennisgevingsservice van softwarelicenties - C:\Windows\system32\svchost.exe

O23 - Service: SNMP Trap - C:\Windows\System32\snmptrap.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: DLL-bestand voor SSDP-service - C:\Windows\system32\svchost.exe

O23 - Service: Maakt het gebruik van SSTP (Secure Socket Tunneling Protocol) mogelijk om verbinding te maken met externe computers (via VPN). - C:\Windows\system32\svchost.exe

O23 - Service: SigmaTel Audio Service - C:\Windows\system32\STacSV.exe

O23 - Service: Still Image-apparatenservice - C:\Windows\system32\svchost.exe

O23 - Service: stllssvr - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Microsoft®-softwareleverancier voor Volume Shadow Copy-service - C:\Windows\System32\svchost.exe

O23 - Service: Host voor Superfetch-service - C:\Windows\system32\svchost.exe

O23 - Service: Microsoft Tablet PC Input Service - C:\Windows\System32\svchost.exe

O23 - Service: Microsoft® Windows Telefoonserver - C:\Windows\System32\svchost.exe

O23 - Service: TBS-service - C:\Windows\System32\svchost.exe

O23 - Service: TeamViewer 6 - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe

O23 - Service: Beheer van externe verbindingen via Terminal Server - C:\Windows\System32\svchost.exe

O23 - Service: DLL-bestand voor Windows Shell Services - C:\Windows\System32\svchost.exe

O23 - Service: Multimedia Class Scheduler-service - C:\Windows\system32\svchost.exe

O23 - Service: TomTomHOMEService - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

O23 - Service: Detectie van interactieve services - C:\Windows\system32\UI0Detect.exe

O23 - Service: UPnP-apparaathost - C:\Windows\system32\svchost.exe

O23 - Service: Beheer van bureaubladvensters - C:\Windows\System32\svchost.exe

O23 - Service: Virtual Disk-service - C:\Windows\System32\vds.exe

O23 - Service: VMware Authorization Service - C:\Program Files\VMware\VMware Player\vmware-authd.exe

O23 - Service: VMware DHCP Service - C:\Windows\system32\vmnetdhcp.exe

O23 - Service: VMware Virtual Mount Manager Extended - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe

O23 - Service: VMware NAT Service - C:\Windows\system32\vmnat.exe

O23 - Service: Microsoft® Volume Shadow Copy-service - C:\Windows\system32\vssvc.exe

O23 - Service: Windows Time-service - C:\Windows\system32\svchost.exe

O23 - Service: Windows Connect Now - Config Registrar-service - C:\Windows\System32\svchost.exe

O23 - Service: WcsPlugInService DLL - C:\Windows\system32\svchost.exe

O23 - Service: Dll-bestand voor Web DAV-service - C:\Windows\system32\svchost.exe

O23 - Service: Event Collector-service - C:\Windows\system32\svchost.exe

O23 - Service: Probleemrapporten en oplossingen - C:\Windows\System32\svchost.exe

O23 - Service: Windows Error Reporting-service - C:\Windows\System32\svchost.exe

O23 - Service: Windows Defender - C:\Windows\System32\svchost.exe

O23 - Service: Windows HTTP-services - C:\Windows\system32\svchost.exe

O23 - Service: WMI - C:\Windows\system32\svchost.exe

O23 - Service: WSMan Service - C:\Windows\System32\svchost.exe

O23 - Service: DLL-bestand van Windows WLAN AutoConfig-service - C:\Windows\system32\svchost.exe

O23 - Service: WMI Performance Reverse Adapter - C:\Windows\system32\wbem\WmiApSrv.exe

O23 - Service: Windows Media Player Network Sharing-service - C:\Program Files\Windows Media Player\wmpnetwk.exe

O23 - Service: WPC Filtering-service - C:\Windows\system32\svchost.exe

O23 - Service: Inventarisatie van draagbare apparaat - C:\Windows\system32\svchost.exe

O23 - Service: Windows Security Center-service - C:\Windows\System32\svchost.exe

O23 - Service: Indexeerfunctie van Microsoft Windows Search - C:\Windows\system32\SearchIndexer.exe

O23 - Service: Windows Update-agent - C:\Windows\system32\svchost.exe

O23 - Service: Windows Driver Foundation - User-mode Driver Framework-service - C:\Windows\system32\svchost.exe

15 oktober 2012

Het bestand spop.sys, zoals gemeld in de AVG scan komt niet voor in de map C:\Windows\System32\Drivers\

Ik zie dat de bestandsnamen in de AVG log steeds veranderen.

Wanneer ik de AVG scans in deze correspondentie naloop dan zie ik achtereenvolgens genoemd, de bestanden:

spjj.sys

spjz.sys

spop.sys

Nu zie alleen de volgende, vergelijkbare bestanden (beginnend met "sp"):

spsys.sys

sptd.sys

spldr.sys

Scan met Jotti op deze bestanden geeft de volgende resultaten:

spsys.sys: geen problemen gevonden

sptd.sys: is in gebruik; kan niet worden gescand (ik zie alleen niet in welk programma het dan wordt gebruikt, er staat verder niets open

spldr.sys: geen problemen gevonden.

Klaas Ridderikhoff

15 oktober 2012

Ja, de rootkit meldingen zijn nog steeds aanwezxig in AVG

Zie hieronder

Klaas Ridderikhoff

AVG-meldingen:

"";"C:\Windows\System32\Drivers\spop.sys";"atapi.sys, koppelpunt import ataport.SYS AtaPortWritePortUchar -> spop.sys +0x26D2";"Object is verborgen"

"";"C:\Windows\System32\Drivers\spop.sys";"atapi.sys, koppelpunt import ataport.SYS AtaPortReadPortUchar -> spop.sys +0x2040";"Object is verborgen"

"";"C:\Windows\System32\Drivers\spop.sys";"atapi.sys, koppelpunt import ataport.SYS AtaPortWritePortBufferUshort -> spop.sys +0x27FC";"Object is verborgen"

"";"C:\Windows\System32\Drivers\spop.sys";"atapi.sys, koppelpunt import ataport.SYS AtaPortReadPortUshort -> spop.sys +0x20BE";"Object is verborgen"

"";"C:\Windows\System32\Drivers\spop.sys";"atapi.sys, koppelpunt import ataport.SYS AtaPortReadPortBufferUshort -> spop.sys +0x213C";"Object is verborgen"

"";"C:\Windows\System32\Drivers\spop.sys";"Inline koppelpunt ataport.SYS DllUnload -> spop.sys +0x2F8AE";"Object is verborgen"

"";"C:\Windows\System32\Drivers\spop.sys";"i8042prt.sys, koppelpunt import HAL.dll READ_PORT_UCHAR -> spop.sys +0x12048";"Object is verborgen"

14 oktober 2012

Bijgevoegd het logbestand van Combofix.

Klaas Ridderikhoff

Logbestand Combofix:

ComboFix 12-10-14.03 - Klaas 14-10-2012 23:31:13.1.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.31.1043.18.3581.2011 [GMT 2:00]

Gestart vanuit: c:\users\Klaas\Desktop\ComboFix.exe

AV: AVG Anti-Virus 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\users\Klaas\AppData\Local\Microsoft\Windows\Temporary Internet Files\ab_1D5F.tmp

c:\users\Klaas\AppData\Local\Microsoft\Windows\Temporary Internet Files\simpleadblock.msi

.

(((((((((((((((((((( Bestanden Gemaakt van 2012-09-14 to 2012-10-14 ))))))))))))))))))))))))))))))

.

2012-10-14 22:01 . 2012-10-14 22:14 -------- d-----w- c:\users\Klaas\AppData\Local\temp

2012-10-14 22:01 . 2012-10-14 22:01 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-10-14 11:22 . 2012-10-14 11:22 -------- d-----w- c:\users\Klaas\AppData\Roaming\Malwarebytes

2012-10-14 11:21 . 2012-10-14 11:21 -------- d-----w- c:\programdata\Malwarebytes

2012-10-14 11:21 . 2012-10-14 11:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-10-14 11:21 . 2012-09-07 15:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-10-14 10:46 . 2012-10-14 21:27 -------- d-----w- C:\Virusbestrijding

2012-10-13 20:19 . 2012-10-13 20:19 388096 ----a-r- c:\users\Klaas\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2012-10-13 20:19 . 2012-10-13 20:19 -------- d-----w- c:\program files\Trend Micro

2012-10-10 07:09 . 2012-06-02 00:02 985088 ----a-w- c:\windows\system32\crypt32.dll

2012-10-10 07:09 . 2012-06-02 00:02 98304 ----a-w- c:\windows\system32\cryptnet.dll

2012-10-10 07:09 . 2012-06-02 00:02 133120 ----a-w- c:\windows\system32\cryptsvc.dll

2012-10-10 07:09 . 2012-08-24 15:53 172544 ----a-w- c:\windows\system32\wintrust.dll

2012-10-10 07:09 . 2012-09-13 13:28 2048 ----a-w- c:\windows\system32\tzres.dll

2012-10-10 07:09 . 2012-08-29 11:27 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-10-10 07:09 . 2012-08-29 11:27 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-10-08 09:03 . 2012-10-08 09:04 -------- d-----w- C:\PW5_EXPLORER

2012-09-29 11:30 . 2012-09-29 11:30 -------- d-----w- c:\program files\Common Files\Simple Adblock

2012-09-22 15:27 . 2012-08-24 06:51 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-09-22 15:27 . 2012-08-24 06:53 678912 ----a-w- c:\program files\Internet Explorer\iedvtool.dll

2012-09-22 15:15 . 2012-08-24 06:43 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-09-22 13:10 . 2012-08-24 06:48 194048 ----a-w- c:\program files\Internet Explorer\IEShims.dll

2012-09-22 13:10 . 2012-08-24 06:47 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-09-22 13:10 . 2012-08-24 06:49 194560 ----a-w- c:\program files\Internet Explorer\ieproxy.dll

2012-09-22 13:10 . 2012-08-24 06:51 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-09-22 12:57 . 2012-08-24 07:34 140936 ----a-w- c:\program files\Internet Explorer\sqmapi.dll

2012-09-22 12:57 . 2012-08-24 06:47 420864 ----a-w- c:\windows\system32\vbscript.dll

2012-09-22 12:57 . 2012-08-24 07:34 748680 ----a-w- c:\program files\Internet Explorer\iexplore.exe

2012-09-22 12:57 . 2012-08-24 06:59 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-09-22 12:57 . 2012-08-24 06:52 387584 ----a-w- c:\program files\Internet Explorer\jsdbgui.dll

2012-09-19 07:14 . 2012-09-19 07:14 -------- d-----w- c:\users\Klaas\AppData\Local\Macromedia

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-10-11 09:30 . 2012-10-11 09:30 2869301 ----a-w- C:\Intus_5.2.4.94_Updates.zip

2012-10-11 08:53 . 2012-10-11 08:53 247800 ----a-w- C:\intranet-2012-10-11-16400.zip

2012-10-09 12:27 . 2012-03-30 12:34 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-10-09 12:27 . 2011-05-18 20:11 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-24 13:43 . 2012-08-24 13:43 301920 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2012-07-26 01:21 . 2012-07-26 01:21 237408 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2008-12-17 09:58 . 2008-06-30 07:28 454656 ----a-w- c:\program files\putty.exe

2012-09-13 11:31 . 2011-04-01 07:53 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]

@="{C5994560-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]