Hoi
Het voorbeeld gevolgd
hierbij het log
ik hoop dat dit zo goed is
gr mar
ComboFix 10-10-17.04 - hansenmarjo 18-10-2010 15:55:00.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.31.1043.18.2047.915
Gestart vanuit: c:\users\hansenmarjo\Desktop\ComboFix.exe
gebruikte Opdracht switches :: c:\users\hansenmarjo\Desktop\CFScript.txt
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FILE ::
“c:\windows\system32\dloD562.dll”
“c:\windows\system32\dloD562.tmp”
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\dloD562.dll
c:\windows\system32\dloD562.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
——-\Service_jpcrvjjt
(((((((((((((((((((( Bestanden Gemaakt van 2010-09-18 to 2010-10-18 ))))))))))))))))))))))))))))))
.
2010-10-18 14:00 . 2010-10-18 14:03 ——– d—–w- c:\users\hansenmarjo\AppData\Local\temp
2010-10-18 14:00 . 2010-10-18 14:00 ——– d—–w- c:\users\Default\AppData\Local\temp
2010-10-13 05:21 . 2010-09-13 13:56 8147456 —-a-w- c:\windows\system32\wmploc.DLL
2010-10-13 05:21 . 2010-09-13 13:56 168960 —-a-w- c:\program files\Windows Media Player\wmplayer.exe
2010-10-13 05:21 . 2010-09-06 16:20 125952 —-a-w- c:\windows\system32\srvsvc.dll
2010-10-13 05:21 . 2010-09-06 13:45 304128 —-a-w- c:\windows\system32\drivers\srv.sys
2010-10-13 05:21 . 2010-09-06 13:45 145408 —-a-w- c:\windows\system32\drivers\srv2.sys
2010-10-13 05:21 . 2010-09-06 13:45 102400 —-a-w- c:\windows\system32\drivers\srvnet.sys
2010-10-13 05:21 . 2010-09-06 16:19 17920 —-a-w- c:\windows\system32\netevent.dll
2010-10-13 05:21 . 2010-08-10 15:53 274944 —-a-w- c:\windows\system32\schannel.dll
2010-10-13 05:21 . 2010-06-28 17:00 1316864 —-a-w- c:\windows\system32\ole32.dll
2010-10-13 05:21 . 2010-06-28 14:54 339968 —-a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2010-10-13 05:21 . 2010-08-26 16:37 157184 —-a-w- c:\windows\system32\t2embed.dll
2010-10-11 18:34 . 2010-10-18 14:03 ——– d—–w- c:\users\hansenmarjo\AppData\Roaming\Dropbox
2010-10-11 16:17 . 2010-10-15 11:36 ——– d—–w- c:\users\hansenmarjo\AppData\Roaming\QuickScan
2010-10-10 17:30 . 2010-10-10 17:31 ——– d—–w- c:\users\hansenmarjo\AppData\Roaming\PeaceCraft2
2010-10-03 16:57 . 2010-10-03 16:57 ——– d—–w- c:\programdata\HPSSUPPLY
2010-10-03 11:23 . 2010-10-03 11:24 ——– d—–w- c:\users\hansenmarjo\AppData\Roaming\ThreeDays2
2010-10-03 09:38 . 2006-11-29 11:06 3426072 —-a-w- c:\windows\system32\d3dx9_32.dll
2010-10-03 09:37 . 2010-10-03 09:37 ——– d—–w- c:\program files\Microsoft SQL Server Compact Edition
2010-10-03 09:35 . 2008-06-17 14:13 74520 —-a-w- c:\program files\Common Files\Windows Live\.cache\4ec487b51cb62de\DSETUP.dll
2010-10-03 09:35 . 2008-06-17 14:13 484632 —-a-w- c:\program files\Common Files\Windows Live\.cache\4ec487b51cb62de\DXSETUP.exe
2010-10-03 09:35 . 2008-06-17 14:13 1670936 —-a-w- c:\program files\Common Files\Windows Live\.cache\4ec487b51cb62de\dsetup32.dll
2010-10-03 09:22 . 2009-04-20 10:23 315904 —-a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp70w.dll
2010-10-03 09:17 . 2010-10-03 09:17 ——– d—–w- c:\programdata\HP Product Assistant
2010-10-03 09:10 . 2009-02-10 13:03 966656 —-a-w- c:\windows\system32\hpost_p02e.dll
2010-10-03 09:10 . 2009-02-10 13:03 315392 —-a-w- c:\windows\system32\hposc_p02a.dll
2010-10-03 09:10 . 2009-02-10 13:03 712704 —-a-w- c:\windows\system32\hposwia_p02e.dll
2010-10-03 09:10 . 2008-10-28 03:27 372736 —-a-w- c:\windows\system32\hppldcoi.dll
2010-10-03 09:10 . 2008-10-28 03:27 309760 —-a-w- c:\windows\system32\difxapi.dll
2010-10-03 09:10 . 2010-10-03 09:10 ——– d—–w- c:\users\hansenmarjo\{44d77c09-f5ba-441a-be33-08291b71fad0}
2010-10-03 09:10 . 2009-04-15 14:53 452408 —-a-w- c:\windows\system32\hpzids01.dll
2010-10-03 09:10 . 2009-04-20 10:23 123904 —-a-w- c:\windows\system32\hpf3l70w.dll
2010-09-29 05:09 . 2010-06-22 13:30 2048 —-a-w- c:\windows\system32\tzres.dll
2010-09-29 05:08 . 2010-08-26 04:23 13312 —-a-w- c:\program files\Internet Explorer\iecompat.dll
2010-09-27 09:00 . 2010-09-27 09:00 ——– d—–w- c:\users\hansenmarjo\.jordan
2010-09-23 11:04 . 2010-09-23 11:04 ——– d—–w- c:\users\hansenmarjo\AppData\Roaming\Silverback Productions
2010-09-22 17:55 . 2010-09-22 17:55 ——– d—–w- c:\users\hansenmarjo\AppData\Roaming\Enlightenus2_BFG
2010-09-22 16:10 . 2010-09-22 16:10 103864 —-a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-09-21 14:47 . 2010-09-21 14:47 ——– d—–w- c:\users\hansenmarjo\AppData\Roaming\Floodlight Games
2010-09-21 14:47 . 2010-09-21 14:47 ——– d—–w- c:\programdata\Floodlight Games
2010-09-19 09:43 . 2010-09-19 09:43 ——– d—–w- c:\users\hansenmarjo\AppData\Roaming\Princess Isabella CE
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
2008-01-19 05:49 729600 —-a-w- c:\windows\System32\dlod562.dll
2008-01-19 05:49 729600 —-a-w- c:\windows\System32\dlod562.dll
@=“{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}”
2009-12-09 01:19 94208 —-a-w- c:\users\hansenmarjo\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
@=“{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}”
2009-12-09 01:19 94208 —-a-w- c:\users\hansenmarjo\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
@=“{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}”
2009-12-09 01:19 94208 —-a-w- c:\users\hansenmarjo\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
@=“{E08C1620-4257-4C84-923B-6F6715EF278F}”
2008-01-19 05:49 729600 —-a-w- c:\windows\System32\dlod562.dll
“Sidebar”=“c:\program files\Windows Sidebar\sidebar.exe”
“swg”=“c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe”
“msnmsgr”=“c:\program files\Windows Live\Messenger\msnmsgr.exe”
“WMPNSCFG”=“c:\program files\Windows Media Player\WMPNSCFG.exe”
“Windows Defender”=“c:\program files\Windows Defender\MSASCui.exe”
“mcagent_exe”=“c:\program files\McAfee.com\Agent\mcagent.exe”
“hpqSRMon”=“c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe”
c:\users\hansenmarjo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\hansenmarjo\AppData\Roaming\Dropbox\bin\Dropbox.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe
“EnableLUA”= 0 (0x0)
“EnableUIADesktopToggle”= 0 (0x0)
@=“”
@=“”
@=“Service”
“Google Update”=“c:\users\hansenmarjo\AppData\Local\Google\Update\GoogleUpdate.exe” /c
“Adobe Reader Speed Launcher”=“e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe”
“Adobe ARM”=“c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe”
“SunJavaUpdateSched”=“c:\program files\Common Files\Java\Java Update\jusched.exe”
“HP Software Update”=c:\program files\HP\HP Software Update\HPWuSchd2.exe
“DisableMonitoring”=dword:00000001
R2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Belkin\F5D7000v8\jswpsapi.exe
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
S3 JSWSCIMD;jswscimd Service;c:\windows\system32\DRIVERS\jswscimd.sys
S3 RTL85n86;Belkin Wireless G Notebook Card Service v8;c:\windows\system32\DRIVERS\RTL85n86.sys
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Inhoud van de ‘Gedeelde Taken’ map
2010-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe
2010-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe
2010-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1071820252-2080101743-2187659691-1000Core.job
- c:\users\hansenmarjo\AppData\Local\Google\Update\GoogleUpdate.exe
2010-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1071820252-2080101743-2187659691-1000UA.job
- c:\users\hansenmarjo\AppData\Local\Google\Update\GoogleUpdate.exe
2010-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe
2010-02-03 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe
2010-10-18 c:\windows\Tasks\User_Feed_Synchronization-{DC93F4AA-3005-4D9D-8078-F8C80332659F}.job
- c:\windows\system32\msfeedssync.exe
.
.
——- Bijkomende Scan ——-
.
uStart Page = hxxp://www.google.nl/
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki… - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\users\hansenmarjo\AppData\Roaming\Mozilla\Firefox\Profiles\58qnie63.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/
FF - prefs.js: keyword.URL -
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\users\hansenmarjo\AppData\Roaming\Mozilla\Firefox\Profiles\58qnie63.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\hansenmarjo\AppData\Roaming\Mozilla\Firefox\Profiles\58qnie63.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
—- FIREFOX POLICIES —-
c:\program files\Mozilla Firefox\greprefs\all.js - pref(“network.IDN.whitelist.xn–mgbaam7a8h”, true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref(“network.IDN.whitelist.xn–mgberp4a5d4ar”, true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref(“dom.ipc.plugins.enabled”, false);
.
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN <<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8808ed24
\Driver\ACPI -> acpi.sys @ 0x87b79d68
\Driver\atapi -> 0x846201f8
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
“ImagePath”=“System32\DRIVERS\rasacd.sy@”
.
——————— VERGRENDELDE REGISTER SLEUTELS ———————
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
“BlindDial”=dword:00000000
.
——————— DLLs Geladen Onder Lopende Processen ———————
- - - - - - - > ‘winlogon.exe’(756)
c:\windows\system32\dlod562.dll
c:\windows\system32\libssl32.dll
c:\windows\system32\LIBEAY32.dll
- - - - - - - > ‘Explorer.exe’(4116)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\users\hansenmarjo\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
———————— Andere Aktieve Processen ————————
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\conime.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\windows\system32\WUDFHost.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
.
**************************************************************************
.
Voltooingstijd: 2010-10-18 16:08:11 - machine werd herstart
ComboFix-quarantined-files.txt 2010-10-18 14:08
ComboFix2.txt 2010-10-18 12:23
Pre-Run: 55.904.436.224 bytes beschikbaar
Post-Run: 55.522.893.824 bytes beschikbaar
- - End Of File - - 7799EFA5762AF84CEEA3C1CB516E973A