PSW.Agent.AUES

kape · 6 april 2012

Je mag het logje onmiddellijk posten, maar daarna moet je de PC wel opnieuw opstarten !

frouwipkus · 6 april 2012

Ik heb nog wel een vraag over het uitschakelen van AVG en Zonealarm, Als ik het logfile van Zonealarm bekijk dan heeft services.exe in een minuut wel 15 keer contact proberen te maken naar allemaal IP adressen, wat geblockt wordt door Zonealarm. Als ik Zonealarm uitschakel voor het installeren van ComboFix dan worden die verbindingen niet meer geblokkeerd wat ik erg eng vind. Kan dat geen kwaad in dit geval?

kape · 6 april 2012

Laat ZoneAlarm even aan ... enkel AVG verwijderen moet volstaan.

frouwipkus · 6 april 2012

Tijdens het uitvoeren van ComboFix wilde pev.3xe steeds contact, als eerste met de trusted zone en daarna met internet. Als ik geen toestemming gaf ging ComboFix niet verder. Op een gegeven moment schakelde AVG weer in en toen ComboFix bijna klaar was zei AVG "bedreiging gededecteerd" regt.3xe en vroeg wat ik wilde, de keus was in quarantaine plaatsen of doorgaan, waarbij ik voor het laatste heb gekozen.

Hieronder mijn logfile, al vast bedankt voor het nakijken!

Vr.groet,

Jeanne

-------------------------------------------------------------------------------------------------

ComboFix 12-04-06.02 - BenJ 06-04-2012 20:54:50.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.1023.438 [GMT 2:00]

Gestart vanuit: c:\documents and settings\BenJ\Bureaublad\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\BenJ\Application Data\isfree3_0.tmp

c:\documents and settings\BenJ\Application Data\isfree3_1.tmp

c:\documents and settings\BenJ\Onlangs geopend\Thumbs.db

c:\documents and settings\BenJ\WINDOWS

c:\windows\system32\drivers\nabplmwkuulj.sys

c:\windows\system32\ijl11.dll

.

Besmet exemplaar van c:\windows\system32\Drivers\atapi.sys werd aangetroffen en gedesinfecteerd

Hersteld exemplaar van - c:\windows\expand\atapi.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_RKHIT

-------\Service_RkHit

-------\Service_xcpip

-------\Legacy_nabplmwkuulj

-------\Service_nabplmwkuulj

.

(((((((((((((((((((( Bestanden Gemaakt van 2012-03-06 to 2012-04-06 ))))))))))))))))))))))))))))))

.

2012-04-05 17:52 . 2012-04-06 10:47 -------- d-----w- c:\documents and settings\BenJ\Application Data\Dropbox

2012-04-05 14:04 . 2012-04-05 14:04 388096 ----a-r- c:\documents and settings\BenJ\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2012-04-04 14:56 . 2012-04-04 14:56 4125344 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2012-04-04 12:13 . 2012-04-04 14:56 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-04-04 09:29 . 2012-04-04 09:29 -------- d-----w- c:\windows\system32\LogFiles

2012-04-03 14:27 . 2003-08-26 09:16 344064 ----a-w- c:\windows\system32\msvcr70.dll

2012-04-03 14:12 . 2012-04-03 14:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\X10 Commander

2012-04-03 13:58 . 1999-06-25 07:56 127184 ----a-w- c:\windows\Unwise.exe

2012-04-03 13:58 . 2012-04-03 13:58 -------- d-----w- c:\program files\Common Files\X10

2012-04-02 19:13 . 2004-08-13 14:38 140544 ----a-w- c:\windows\system32\drivers\rt2500usb.sys

2012-04-02 17:44 . 2001-11-23 09:08 712704 ----a-r- c:\windows\system32\Audio3D.dll

2012-03-31 19:46 . 2012-03-31 19:46 -------- d-----w- c:\documents and settings\LocalService\Bureaublad

2012-03-31 19:11 . 2012-03-31 19:11 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2012-03-31 19:08 . 2012-04-06 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2012-03-31 13:00 . 2006-06-19 11:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2012-03-31 13:00 . 2006-05-25 13:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2012-03-31 13:00 . 2005-08-25 23:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2012-03-31 13:00 . 2003-02-02 18:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2012-03-31 13:00 . 2002-03-05 23:00 75264 ----a-w- c:\windows\system32\unacev2.dll

2012-03-31 13:00 . 2012-04-06 15:19 -------- d-----w- c:\program files\Trojan Remover

2012-03-31 13:00 . 2012-03-31 13:00 -------- d-----w- c:\documents and settings\BenJ\Application Data\Simply Super Software

2012-03-31 13:00 . 2012-03-31 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software

2012-03-31 12:49 . 2012-03-31 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Fighters

2012-03-30 16:34 . 2012-04-06 14:15 -------- d-----w- c:\program files\PCSafeDoctor

2012-03-30 16:34 . 2010-12-30 08:54 34736 ----a-w- c:\windows\system32\drivers\RKHit-oud.sys

2012-03-17 14:23 . 2012-03-17 14:23 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll

2012-03-17 14:23 . 2012-03-17 14:23 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-04 14:56 . 2011-05-18 17:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-03-31 22:01 . 2010-04-23 12:42 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-03-31 22:01 . 2008-04-09 19:09 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-03-17 14:23 . 2011-04-01 12:16 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2010-07-28 1267024]

.

[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]

[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]

[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2012-02-14 22:58 94208 ----a-w- c:\documents and settings\BenJ\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2012-02-14 22:58 94208 ----a-w- c:\documents and settings\BenJ\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2012-02-14 22:58 94208 ----a-w- c:\documents and settings\BenJ\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2012-02-14 22:58 94208 ----a-w- c:\documents and settings\BenJ\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2011-08-27 434960]

"EasyNoterLite352C328535FB488E0EFD1CE8CBB50357F8C6692A0F"="c:\program files\Art Plus\EasyNoter37LE\enlite.exe" [2006-03-26 1901568]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]

"Snelkoppeling naar eigenschappenvenster voor High Definition Audio"="HDAudPropShortcut.exe" [2004-03-17 61952]

"PCMService"="c:\program files\Home Cinema\PowerCinema\PCMService.exe" [2004-10-06 81920]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]

"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-01-17 2339168]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"sdCoreService"=2 (0x2)

"sdAuxService"=2 (0x2)

"SolutoService"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\RM.exe"=

"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\Studio.exe"=

"c:\\Program Files\\Pinnacle\\Studio 14\\Programs\\umi.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=

"c:\\Documents and Settings\\BenJ\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:Remote Desktop

"65533:TCP"= 65533:TCP:Services

"52344:TCP"= 52344:TCP:Services

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13-9-2010 16:27 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [7-9-2010 3:48 32592]

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [30-9-2010 8:21 56208]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7-9-2010 3:48 248656]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7-9-2010 3:49 297168]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [31-1-2012 16:02 7391072]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [8-2-2011 5:33 269520]

R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [9-4-2008 14:21 698368]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19-8-2010 21:42 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19-8-2010 21:42 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19-8-2010 21:42 27216]

R3 cmudax;C-Media High Definition Audio Interface;c:\windows\system32\drivers\cmudax.sys [9-4-2008 16:47 1272000]

R3 wbscr;Winbond Smartcard Reader for I/O;c:\windows\system32\drivers\wbscr.sys [9-4-2008 14:06 19928]

R3 xpsec;IPSEC-stuurprogramma;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4-4-2012 14:13 253600]

S3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [9-4-2008 14:16 17408]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]

S4 !SASCORE;SAS Core Service;"l:\super anti spyware portable\SASCORE.EXE" --> l:\super anti spyware portable\SASCORE.EXE [?]

S4 ba0a9i.sys;ba0a9i.sys;\??\c:\windows\system32\drivers\ba0a9i.sys --> c:\windows\system32\drivers\ba0a9i.sys [?]

S4 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\68.tmp --> c:\windows\system32\68.tmp [?]

S4 msuswesd;Music Media Services;c:\windows\system32\msuswe.exe --> c:\windows\system32\msuswe.exe [?]

S4 RHDISK;RHDISK;\??\m:\rohos mini drive\Rohos\RHDISK.SYS --> m:\rohos mini drive\Rohos\RHDISK.SYS [?]

S4 SASDIFSV;SASDIFSV;\??\l:\super anti spyware portable\SASDIFSV.SYS --> l:\super anti spyware portable\SASDIFSV.SYS [?]

S4 SAS***IL;SAS***IL;\??\l:\super anti spyware portable\SAS***IL.SYS --> l:\super anti spyware portable\SAS***IL.SYS [?]

S4 VAD_DEV;Virtual Audio Service;c:\windows\system32\drivers\vad.sys --> c:\windows\system32\drivers\vad.sys [?]

S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]

.

Inhoud van de 'Gedeelde Taken' map

.

2012-04-06 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 14:56]

.

2012-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1123561945-725345543-1003UA.job

- c:\documents and settings\BenJ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-13 21:46]

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.google.nl/

mStart Page = hxxp://dutch.toggle.com/nl/index.php?rvs=google

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

LSP: c:\program files\SpeedBit Video Accelerator\SBLSP.dll

Trusted Zone: musicmatch.com

TCP: DhcpNameServer = 192.168.1.1

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://77.61.1.225/activex/AMC.cab

FF - ProfilePath - c:\documents and settings\BenJ\Application Data\Mozilla\Firefox\Profiles\4iaigd6o.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - about:home

.

- - - - ORPHANS VERWIJDERD - - - -

.

HKLM-Run-Cmaudio - cmicnfg.cpl

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - l:\super anti spyware portable\SASSEH.DLL

SafeBoot-SolutoService

AddRemove-Rohos_Rohos22_is1 - m:\rohos mini drive\Rohos\unins000.exe

AddRemove-{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA} - l:\super anti spyware portable\Uninstall.exe

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2012-04-06 21:16

Windows 5.1.2600 Service Pack 2 NTFS

.

scannen van verborgen processen ...

.

scannen van verborgen autostart items ...

.

scannen van verborgen bestanden ...

.

Scan succesvol afgerond

verborgen bestanden: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\68.tmp"

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

.

- - - - - - - > 'lsass.exe'(1072)

c:\program files\SpeedBit Video Accelerator\SBLSP.dll

c:\program files\SpeedBit Video Accelerator\ConfigDB.dll

.

- - - - - - - > 'explorer.exe'(5064)

c:\windows\system32\tabhook.dll

c:\documents and settings\BenJ\Application Data\Dropbox\bin\DropboxExt.14.dll

c:\program files\CyberLink\Shared Files\CLRCEngine.dll

c:\windows\system32\shdoclc.dll

c:\windows\system32\msi.dll

.

------------------------ Andere Aktieve Processen ------------------------

.

c:\progra~1\AVG\AVG10\avgchsvx.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Sandboxie\SbieSvc.exe

c:\windows\System32\SCardSvr.exe

c:\windows\system32\RUNDLL32.EXE

c:\windows\system32\RunDll32.exe

c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Photodex\ProShowGold\ScsiAccess.exe

c:\windows\system32\Tablet.exe

c:\windows\system32\wdfmgr.exe

c:\program files\AVG\AVG10\avgnsx.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\COMMON~1\X10\Common\x10nets.exe

c:\progra~1\AVG\AVG10\avgrsx.exe

c:\program files\AVG\AVG10\avgcsrvx.exe

.

**************************************************************************

.

Voltooingstijd: 2012-04-06 21:22:08 - machine werd herstart

ComboFix-quarantined-files.txt 2012-04-06 19:22

.

Pre-Run: 39.358.251.008 bytes beschikbaar

Post-Run: 39.250.776.064 bytes beschikbaar

.

WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /bootlog

.

- - End Of File - - C6EF4944488D59A2D9B6F0361B2081B1

6 april 2012 aangepast door frouwipkus

frouwipkus · 6 april 2012

AVG gaf nu een melding dat C:\Combofix\CF3306.3xe een infectie had, heb hem in quarantaine laten plaatsen waarop AVG opnieuw ging starten, daarna kwam de melding dat 680 processen waren beeindigd, 31 bestanden waren verwijderd en 1 registersleutel. Ik ben benieuwd wat ik straks niet meer kan gebruiken...

Services.exe probeert nog steeds contact te maken. Ik heb nog niet verder virus gescand, ik stop nu eerst maar, ben erg moe geworden hier van.

kape · 6 april 2012

Open een kladblokbestand.

Kopieer en plak daarin de onderstaande vetgedrukte tekst.

File::

c:\windows\system32\drivers\ba0a9i.sys

c:\windows\system32\68.tmp

Driver::

ba0a9i.sys

MEMSWEEP2

Sla dit bestand op je bureaublad op als CFScript.

Sleep CFScript.txt in ComboFix.exe

Dit zal ComboFix doen herstarten. Start opnieuw op als dat gevraagd wordt.

Post na herstart de inhoud van de Combofix.txt in je volgende bericht.

Download TDSSKiller en plaats het op je bureaublad.

Pak de bestanden in tdsskiller.zip uit.

Open de map tdsskiller en dubbelklik op TDSSKiller.exe om de tool te starten.

Windows 7 en Windows Vista gebruikers:

Rechtsklik op TDSSKiller.exe -> Uitvoeren als Administrator om de tool te starten.

Als TDSSKiller bericht geeft van een beschikbare update, dan voer je deze eerst uit.

Klik op de knop "Start Scan" en volg de instructies.

Wanneer de scan klaar is klik je op de knop "Report".

Er opent een kladblokbestand. Post de inhoud van dit bestand.

Herstart de pc als TDSSKiller die optie geeft. (Reboot now)

Wanneer er een herstart nodig was, vind je de logfile in C:\TDSSKiller.[Version]_[Date]_[Time]_log.txt

frouwipkus · 7 april 2012

Na het uitvoeren van ComboFix en herstarten liep de PC vast en na een half uur wachten heb ik hem zelf maar uit en weer aan gedaan. Hierbij het logfile van ComboFix van vanmorgen.

=========================================

ComboFix 12-04-06.02 - BenJ 07-04-2012 10:05:26.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.1023.316 [GMT 2:00]

Gestart vanuit: c:\documents and settings\BenJ\Bureaublad\ComboFix.exe

gebruikte Opdracht switches :: c:\documents and settings\BenJ\Bureaublad\CFScript.txt

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

FILE ::

"c:\windows\system32\68.tmp"

"c:\windows\system32\drivers\ba0a9i.sys"

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

Besmet exemplaar van c:\windows\system32\drivers\ntfs.sys werd aangetroffen en gedesinfecteerd

Hersteld exemplaar van - c:\windows\ERDNT\cache\ntfs.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_BA0A9I.SYS

-------\Legacy_MEMSWEEP2

-------\Service_ba0a9i.sys

-------\Service_MEMSWEEP2

-------\Service_xcpip

.

(((((((((((((((((((( Bestanden Gemaakt van 2012-03-07 to 2012-04-07 ))))))))))))))))))))))))))))))