trojan horse packed.protector.c

  • john

    I have the same "problem" here with that packed.protector.c …..

    I put ComboFix on the laptop and dragged the little script onto it (you can also see this in the ComboFix log file below).

    Then I ran HijackThis (log file below the ComboFix log file). I would like to know how to proceed from here. AVG keeps flagging packed.protector.c in the file atapi.sys.

    Thanks in advance for any useful advice. cheerz !!

    -------------------- combofix logfile -------------------------

    "Sandra" - 2009-12-13 11:35:11 Service Pack 2

    ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Sandra\"

    Command switches used :: “”C:\Documents and Settings\Sandra\Bureaublad\CFScript.txt“”

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    “C:\DOCUME~1\Sandra\BUREAU~1.\internet explorer.lnk”

    ((((((((((((((((((((((((((((((( Files Created from 2009-11-13 to 2009-12-13 ))))))))))))))))))))))))))))))))))

    2009-12-13 12:21 95,360 --a------ C:\WINDOWS\system32\drivers\atapi.sys

    2009-12-13 11:21 d-------- C:\WINDOWS\LastGood

    2009-12-06 13:07 d--h----- C:\$AVG8.VAULT$

    2009-12-02 12:11 27,708 --a------ C:\WINDOWS\system32\av_md.exe

    2009-12-02 12:11 12 --a------ C:\DOCUME~1\NETWOR~1\APPLIC~1\fvgqad.dat

    2009-12-02 12:10 4 --a------ C:\DOCUME~1\Sandra\APPLIC~1\avdrn.dat

    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2009-10-26 09:21:55 53,850 ----a-w C:\WINDOWS\system32\perfc013.dat

    2009-10-26 09:21:55 364,882 ----a-w C:\WINDOWS\system32\perfh013.dat

    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}=C:\Program Files\AVG\AVG8\avgssie.dll

    {9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"

    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe"

    "av_md"="C:\WINDOWS\system32\av_md.exe"

    "MRT"="C:\WINDOWS\system32\MRT.exe"

    "av_md"="C:\Documents and Settings\Sandra\av_md.exe"

    avgrsstx.dll

    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Gamma Loader.exe.lnk

    backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Speed Launch.lnk

    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    path=C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Microsoft Office.lnk

    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    carpserv.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Cpqs\Scom\srmclean.exe

    C:\Program Files\Java\jre1.5.0\bin\jusched.exe

    "C:\Program Files\SMC\SWCM.exe" -nogui

    "WmdmPmSN"=3 (0x3)

    "TlntSvr"=3 (0x3)

    "TermService"=3 (0x3)

    "TapiSrv"=3 (0x3)

    "SCardSvr"=3 (0x3)

    "RemoteRegistry"=2 (0x2)

    "RDSessMgr"=3 (0x3)

    "RasAuto"=3 (0x3)

    "mnmsrvc"=3 (0x3)

    "LmHosts"=2 (0x2)

    "helpsvc"=2 (0x2)

    "FastUserSwitchingCompatibility"=3 (0x3)

    "ERSvc"=2 (0x2)

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

    ********************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

    Rootkit scan 2009-12-13 12:19:13

    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes …

    scanning hidden autostart entries …

    scanning hidden files …

    scan completed successfully

    hidden files: 0

    ********************************************************************

    Completion time: 2009-12-13 12:33:21

    C:\ComboFix-quarantined-files.txt … 2009-12-13 12:32

    --- E O F ---

    ---------------------------------------------------------------------------------------------------------

    ----------------------------------- HijackThis log file -----------------------------------------------

    Logfile of HijackThis v1.99.1

    Scan saved at 13:03:21, on 13/12/2009

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\acs.exe

    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

    C:\PROGRA~1\AVG\AVG8\avgrsx.exe

    C:\PROGRA~1\AVG\AVG8\avgnsx.exe

    C:\PROGRA~1\AVG\AVG8\avgemc.exe

    C:\Program Files\AVG\AVG8\avgcsrvx.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    C:\PROGRA~1\AVG\AVG8\avgtray.exe

    C:\WINDOWS\system32\av_md.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\cmd.exe

    C:\WINDOWS\explorer.exe

    C:\WINDOWS\SoftwareDistribution\Download\d01de9ff8a084d59bdcd4776aab93109\update\update.exe

    C:\Documents and Settings\Sandra\Bureaublad\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    O4 - HKLM\..\Run: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    O4 - HKLM\..\Run: C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

    O4 - HKLM\..\Run: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    O4 - HKLM\..\Run: C:\PROGRA~1\AVG\AVG8\avgtray.exe

    O4 - HKLM\..\Run: C:\WINDOWS\system32\av_md.exe

    O4 - HKLM\..\Run: "C:\WINDOWS\system32\MRT.exe" /R

    O4 - HKCU\..\Run: C:\Documents and Settings\Sandra\av_md.exe

    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229535971147

    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL

    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

    O23 - Service: SMC Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe

    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

    I did remove some data (bank details) from this log file; they have NOTHING to do with the problem. That way we keep the "discretion" of the bank details. (Everything that was listed under section O15 "Trusted zone".)
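    The following triage helper is an added example, not code from either poster or from ComboFix/HijackThis/AVG. It reads a handful of lines copied from the two logs above (embedded below as constructed input) and flags the three things a responder would pull out of them by hand: a core Windows driver appearing in ComboFix's "Files Created" block (atapi.sys, rewritten on 2009-12-13), a Run entry whose executable lives inside a user profile (the HKCU av_md.exe), and one program name registered to autostart from both HKLM and HKCU (av_md.exe again). The list of drivers treated as "core" is my assumption, not something the post states.

```python
import re

# Constructed sample input: the ComboFix "Files Created" lines and the
# HijackThis O4 entries reproduced from the post above, nothing else.
SAMPLE_LOG = r"""
2009-12-13 12:21 95,360 --a------ C:\WINDOWS\system32\drivers\atapi.sys
2009-12-13 11:21 d-------- C:\WINDOWS\LastGood
2009-12-02 12:11 27,708 --a------ C:\WINDOWS\system32\av_md.exe
O4 - HKLM\..\Run: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: C:\WINDOWS\system32\av_md.exe
O4 - HKLM\..\Run: "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKCU\..\Run: C:\Documents and Settings\Sandra\av_md.exe
"""

# Assumption (mine, not from the post): a short list of Windows XP boot
# drivers that nothing but a service pack or hotfix should rewrite. Any of
# these showing up in ComboFix's 30-day "Files Created" block is worth a look.
CORE_DRIVERS = {"atapi.sys", "ntfs.sys", "disk.sys", "classpnp.sys", "ntoskrnl.exe"}

# ComboFix file line: date, time, optional size, 9-char attribute field, path.
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(?:[\d,]+\s+)?[-\w]{9}\s+(.+)$")
# HijackThis O4 Run line: hive, then the command exactly as registered.
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: (.*)$")


def run_entry_path(command):
    """Strip arguments from a Run value: a quoted path keeps only the quoted
    part, an unquoted one is taken whole (HijackThis prints those bare)."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return [(indicator, detail)] for three things visible in the post's logs:
    a core driver rewritten inside the reporting window, a Run entry whose
    executable lives in a user profile, and one program name registered to
    run from both HKLM and HKCU."""
    findings = []
    runs = {}  # basename -> {hive: path}
    for line in (raw.strip() for raw in log_text.splitlines()):
        f = FILE_RE.match(line)
        if f:
            created, path = f.groups()
            if "\\system32\\drivers\\" in path.lower() and basename(path) in CORE_DRIVERS:
                findings.append(("core-driver-rewritten", f"{created} {path}"))
            continue
        r = RUN_RE.match(line)
        if r:
            hive, path = r.group(1), run_entry_path(r.group(2))
            runs.setdefault(basename(path), {})[hive] = path
            if "\\documents and settings\\" in path.lower():
                findings.append(("run-entry-in-user-profile", f"{hive}: {path}"))
    for name, hives in runs.items():
        if "HKLM" in hives and "HKCU" in hives:
            findings.append(("run-entry-in-both-hives",
                             f"{name}: {hives['HKLM']} | {hives['HKCU']}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator:28} {detail}")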

  • Argus

    No two computers are alike; blindly copying scripts can lead to irreparable damage to your PC.

    This applies even more to ComboFix: http://www.bleepingcomputer.com/combofix/nl/hoe-dient-combofix-gebruikt-te-worden