AVG 8 finds rootkit - Nucia / ASO forums
Dear Nucia,
Since today my AVG Security Suite 8 has been finding a rootkit;
when I remove it and restart my PC it comes back again.
Apart from that I have no trouble with viruses on my computer.
Could it be a false positive, or?
This is what AVG says:
Rootkits:
C:\WINDOWS\System32\Drivers\aafugblv.SYS
Infectie: Verborgen stuurprogramma
Resultaat: verwijderd
After rebooting I ran another rootkit scan:
Rootkits:
C:\WINDOWS\System32\Drivers\a1qsqaxz.SYS
Infectie: Verborgen stuurprogramma
Resultaat: verwijderd
Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:38:24, on 26-6-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\C. Mulder\Mijn documenten\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nl.msn.com//
//go.microsoft.com/fwlink/?LinkId=69157
//go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: iFinger plugin / Browser helper object - {A114D52B-870C-4F15-8021-B6D7F91A054B} - C:\PROGRA~1\iFinger\plugins\IE.ifp
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus...an_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1200590708421
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - c:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Bonjour-service (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
--
End of file - 9875 bytes
Thanks in advance!
Robert
|
 |
You are using an old version of HijackThis.
It is best to use this version: http://www.trendsecure.com/portal/en...HJTInstall.exe
Download combofix.exe from this site: http://www.bleepingcomputer.com/comb...uikt-te-worden
Follow the instructions given there.
If anything is unclear, just ask.
When the tool has finished, a log file opens (combofix.txt).
Post the contents of that file together with a new HijackThis log.
|
 |
Hello,
Thanks in advance for the help.
As the ComboFix instructions said, I also created a new restore point.
Here is the ComboFix log:
ComboFix 08-06-20.4 - C. Mulder 2008-06-26 21:53:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.525 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\C. Mulder\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\C. Mulder\Bureaublad\WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
* Nieuw herstelpunt werd aangemaakt
* Resident AV is active
.
Andere Verwijderingen
.
C:\WINDOWS\dwatson.dll
.
Bestanden Gemaakt van 2008-05-26 to 2008-06-26
.
2008-06-26 21:47 . 2008-06-26 21:47 <DIR> D C:\Program Files\Trend Micro
2008-06-26 20:31 . 2008-06-26 20:33 <DIR> D C:\Program Files\World of Warcraft Trial
2008-06-26 20:31 . 2008-06-26 20:31 <DIR> D C:\Program Files\Common Files\Blizzard Entertainment
2008-06-26 18:29 . 2008-06-26 18:29 <DIR> Dr-h C:\Documents and Settings\C. Mulder\Application Data\SecuROM
2008-06-26 18:29 . 2008-06-26 18:29 107,888 --a C:\WINDOWS\system32\CmdLineExt.dll
2008-06-26 18:22 . 2008-06-26 18:22 <DIR> D C:\WINDOWS\LastGood
2008-06-26 18:22 . 2008-06-26 18:22 <DIR> D C:\Program Files\Aspyr
2008-06-26 18:22 . 2008-06-26 18:22 <DIR> D C:\315098e0a4f41a1f3700
2008-06-24 18:56 . 2008-06-24 18:59 <DIR> D C:\Program Files\Winamp
2008-06-24 18:56 . 2008-06-24 18:59 <DIR> D C:\Documents and Settings\C. Mulder\Application Data\Winamp
2008-06-22 21:48 . 2008-06-22 21:48 262,144 --a C:\WINDOWS\system32\default_user_class.dat
2008-06-22 17:04 . 2008-06-22 17:04 <DIR> D C:\Program Files\DAEMON Tools Lite
2008-06-21 18:24 . 2008-06-21 18:24 <DIR> D C:\Program Files\Apple Software Update
2008-06-18 15:47 . 2008-06-18 15:47 239 --a C:\WINDOWS\PowerReg.dat
2008-06-13 19:06 . 2008-06-13 19:06 <DIR> D C:\Program Files\iTunes
2008-06-13 19:06 . 2008-06-13 19:06 <DIR> D C:\Program Files\iPod
2008-06-13 19:06 . 2008-06-26 08:55 <DIR> D C:\Program Files\Bonjour
2008-06-13 19:06 . 2008-06-18 15:52 <DIR> D C:\Documents and Settings\C. Mulder\Application Data\Apple Computer
2008-06-13 19:05 . 2008-06-13 19:05 <DIR> D C:\Program Files\QuickTime
2008-06-13 19:05 . 2008-06-13 19:06 <DIR> D C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-13 19:04 . 2008-06-13 19:04 <DIR> D C:\Program Files\Common Files\Apple
2008-06-13 19:04 . 2008-06-13 19:04 <DIR> D C:\Documents and Settings\All Users\Application Data\Apple
2008-06-12 22:24 . 2008-06-20 22:36 1,374 --a C:\WINDOWS\imsins.BAK
2008-06-12 20:43 . 2008-06-12 20:43 <DIR> D C:\Program Files\Microsoft Silverlight
2008-06-12 20:42 . 2008-06-12 20:43 <DIR> D C:\temp\ext18866
2008-06-12 20:42 . 2008-06-12 20:42 <DIR> D C:\temp
2008-06-12 18:52 . 2008-06-12 18:52 <DIR> D C:\Program Files\Spybot - Search & Destroy
2008-06-12 18:52 . 2008-06-12 19:10 <DIR> D C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-12 14:26 . 2008-06-14 20:00 272,640 C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 14:26 . 2008-06-14 20:00 272,640 c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-07 14:03 . 2008-06-07 14:03 <DIR> D C:\WINDOWS\system32\Kaspersky Lab
2008-06-07 14:03 . 2008-06-07 14:03 <DIR> D C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-02 21:42 . 2008-06-26 21:44 <DIR> D--hs---- C:\Documents and Settings\C. Mulder\Onlangs geopend
2008-06-02 21:39 . 2008-06-02 21:39 <DIR> D C:\Program Files\CCleaner
2008-06-02 21:11 . 2008-06-02 21:12 <DIR> D C:\WINDOWS\.silabclient_store_32
2008-06-01 08:08 . 2008-06-01 08:08 <DIR> D C:\Program Files\KeyScrambler
2008-06-01 08:08 . 2008-03-22 23:37 113,896 --a C:\WINDOWS\system32\drivers\keyscrambler.sys
2008-05-29 18:54 . 2008-05-29 19:04 <DIR> D C:\Documents and Settings\C. Mulder\.SunDownloadManager
2008-05-29 17:19 . 2008-05-29 17:19 <DIR> D C:\Documents and Settings\C. Mulder\Application Data\Malwarebytes
2008-05-29 17:18 . 2008-06-25 12:52 <DIR> D C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 17:18 . 2008-05-29 17:18 <DIR> D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-29 17:18 . 2008-06-19 17:48 34,296 --a C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-29 17:18 . 2008-06-19 17:47 17,144 --a C:\WINDOWS\system32\drivers\mbam.sys
2008-05-28 17:47 . 2008-06-26 21:54 <DIR> D--h C:\$AVG8.VAULT$
2008-05-28 15:46 . 2008-06-26 16:20 <DIR> D C:\WINDOWS\system32\drivers\Avg
2008-05-28 15:46 . 2008-05-29 19:09 <DIR> D C:\Documents and Settings\C. Mulder\Application Data\AVGTOOLBAR
2008-05-28 15:46 . 2008-06-20 18:43 96,520 --a C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-28 15:46 . 2008-06-20 18:44 76,040 --a C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-28 15:46 . 2008-06-20 18:43 12,936 --a C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-05-28 15:46 . 2008-06-20 18:43 10,520 --a C:\WINDOWS\system32\avgrsstx.dll
2008-05-28 15:45 . 2008-05-28 15:45 <DIR> D C:\Program Files\AVG
2008-05-28 15:45 . 2008-06-10 20:27 <DIR> D C:\Documents and Settings\All Users\Application Data\avg8
2008-05-28 15:45 . 2008-06-20 18:44 45,568 --a C:\WINDOWS\system32\avgfwdx.dll
2008-05-28 15:45 . 2008-06-20 18:44 23,296 --a C:\WINDOWS\system32\drivers\avgfwdx.sys
2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a C:\WINDOWS\system32\QuickTimeVR.qtx
2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a C:\WINDOWS\system32\QuickTime.qts
2008-05-26 17:24 . 2008-06-01 14:07 956,442 --a C:\Documents and Settings\GOEDNIEUW.SV6
2008-05-26 17:16 . 2008-05-26 17:16 359,371 --a C:\Documents and Settings\GOED.SV6
2008-05-26 15:22 . 2008-05-26 15:22 <DIR> D C:\Program Files\Orban
.
Find3M Rapport
.
2008-06-26 16:29 d w C:\Documents and Settings\C. Mulder\Application Data\uTorrent
2008-06-25 19:35 d w C:\Documents and Settings\C. Mulder\Application Data\LimeWirePlus
2008-06-23 09:09 d w C:\Program Files\SwiftKit
2008-06-22 19:16 d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-22 19:15 d w C:\Program Files\SpywareBlaster
2008-06-22 15:06 d w C:\Program Files\Maxis
2008-06-13 17:26 d w C:\Program Files\SwiftSwitch
2008-06-05 14:38 d w C:\Program Files\Windows Live Safety Center
2008-05-28 13:25 d w C:\Program Files\Kaspersky Lab
2008-05-24 12:03 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-05-24 12:02 d w C:\Documents and Settings\C. Mulder\Application Data\DAEMON Tools
2008-05-17 15:30 d w C:\Documents and Settings\C. Mulder\Application Data\VoipBuster
2008-05-17 14:58 d w C:\Program Files\VoipBuster.com
2008-05-13 15:33 d w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-05-13 15:31 d w C:\Program Files\Messenger Plus! Live
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-03 19:41 d w C:\Program Files\Red Kawa
2008-04-27 19:14 d w C:\Program Files\Windows Media Connect 2
2008-04-27 16:42 d w C:\Program Files\uTorrent
2008-04-23 04:22 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.
Sigcheck
2007-06-13 15:24 979456 1b23f40acaed86b9f6db6833d22cfdb0 C:\WINDOWS\explorer.exe
2007-06-13 15:12 1036800 1d6245afbd3faabc16a885116be1874d C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 14:00 1035776 a1d7304a87fc3093150f5e3cc7b0f338 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 15:24 979456 1b23f40acaed86b9f6db6833d22cfdb0 C:\WINDOWS\system32\dllcache\explorer.exe
.
Reg Opstartpunten
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 18:20 339968 C:\WINDOWS\stsystra.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-03-12 15:43 6731312]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01 110592]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-20 18:44 1231128]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.GTCC"= GTCODEC.DLL
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire Plus\\LimeWire.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"=
"C:\\Program Files\\SwiftSwitch\\SwiftSwitch.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"C:\\Program Files\\Hasbro Interactive\\RollerCoaster Tycoon\\rct.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1200:TCP"= 1200:TCP:*:Disabled:Hotel
"1232:TCP"= 1232:TCP:Habbo1
"10822:TCP"= 10822:TCP:BitComet 10822 TCP
"10822:UDP"= 10822:UDP:BitComet 10822 UDP
"3804:UDP"= 3804:UDP:Windows Media Format SDK (wmplayer.exe)
"3805:UDP"= 3805:UDP:Windows Media Format SDK (wmplayer.exe)
R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-06-20 18:43]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-20 18:43]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-20 18:44]
R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-06-20 18:44]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-20 18:44]
R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-06-20 18:44]
R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2008-03-22 23:37]
S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-06-20 18:44]
S3 DCamUSBDXGTech;Trust 350FS PowerC@m Flash (Video Camera);C:\WINDOWS\system32\Drivers\GT891x1.SYS [2001-12-11 22:27]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;I:\Mark\EVEREST Home Edition\kerneld.wnt []
S3 GT890x;Trust 350FS PowerC@m Flash (Still Camera);C:\WINDOWS\system32\Drivers\GT890x.SYS [2001-07-05 12:13]
*Newly Created Service* - CATCHME
.
Inhoud van de 'Gedeelde Taken' map
"2008-06-23 17:36:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-26 21:55:55
Windows 5.1.2600 Service Pack 2 NTFS
scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...
Scan succesvol afgerond
verborgen bestanden: 0
|
 |
PS: AVG still finds the rootkit (hopefully a false positive?)
|
 |
|
Can you make a log with AVG Anti-Rootkit and post it?
Start AVG Anti-Rootkit and let it scan.
If anything is found, click the button "Save result to file".
Save the file as scan.txt on your desktop.
Post the contents of the file.
|
 |
Scan "Anti-Rootkitscan" is voltooid.
Infecties aangetroffen:;"0"
Geïnfecteerde objecten verwijderd of hersteld:;"0"
Niet verwijderd of hersteld:;"0"
Gevonden spyware:;"0"
Verwijderde spyware:;"0"
Niet verwijderd:;"0"
Aantal waarschuwingen:;"0"
Hoeveelheid informatie:;"0"
Scan is gestart:;"donderdag 26 juni 2008, 22:16:14"
Scan voltooid:;"donderdag 26 juni 2008, 22:17:26 (1 min. 11 seconde (n) )"
Totaal gescande objecten:;"7194"
Gebruiker die de scan heeft gestart:;"SYSTEM"
Rootkits
Bestand;"Infectie";"Resultaat"
C:\WINDOWS\System32\Drivers\a1qsqaxz.SYS;"Verborgen stuurprogramma";"Object is verborgen"
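The report above is a semicolon-separated table, and the poster's complaint is that the hidden driver comes back under a different random name after every removal and reboot. The following is an added example (not code from the thread, AVG or Nucia) that parses that report layout and compares two scans so the "same directory, new name" pattern is detected rather than dismissed as a cleaned-up finding. The sample reports are constructed from the two driver names reported in this thread; the "Verborgen stuurprogramma" label is AVG's Dutch wording as it appears in the posted output.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "path infection result")

# Constructed sample reports in the layout AVG Anti-Rootkit writes:
# a "Rootkits" header, a ';'-separated header row, then one quoted
# row per finding. The driver names are the two from the thread.
SCAN_BEFORE_REBOOT = (
    'Rootkits\n'
    'Bestand;"Infectie";"Resultaat"\n'
    'C:\\WINDOWS\\System32\\Drivers\\aafugblv.SYS;'
    '"Verborgen stuurprogramma";"Object is verborgen"\n'
)
SCAN_AFTER_REBOOT = (
    'Rootkits\n'
    'Bestand;"Infectie";"Resultaat"\n'
    'C:\\WINDOWS\\System32\\Drivers\\a1qsqaxz.SYS;'
    '"Verborgen stuurprogramma";"Object is verborgen"\n'
)

HIDDEN_DRIVER = "Verborgen stuurprogramma"  # AVG's Dutch label for "hidden driver"


def parse_report(text):
    """Return the Finding rows listed under the 'Rootkits' header."""
    findings, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Rootkits":
            in_section = True
            continue
        if not in_section or not line or line.startswith("Bestand;"):
            continue
        parts = [p.strip().strip('"') for p in line.split(";")]
        if len(parts) == 3:
            findings.append(Finding(*parts))
    return findings


def split_path(path):
    """Split a Windows path into (directory, filename), case-folded for comparison."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def hidden_drivers(findings):
    return {f.path for f in findings if f.infection == HIDDEN_DRIVER}


def compare_scans(before, after):
    """Match hidden drivers across two scans.

    Returns (persisting, renamed, cleared): paths present in both scans,
    (old, new) pairs where a driver vanished from a directory and a
    differently named one appeared in the same directory, and paths
    that simply did not return.
    """
    old, new = hidden_drivers(before), hidden_drivers(after)
    persisting = old & new
    renamed, cleared = [], []
    unmatched_new = set(new - old)
    for gone in sorted(old - new):
        gone_dir, _ = split_path(gone)
        match = next((p for p in sorted(unmatched_new)
                      if split_path(p)[0] == gone_dir), None)
        if match:
            renamed.append((gone, match))
            unmatched_new.discard(match)
        else:
            cleared.append(gone)
    return persisting, renamed, cleared


def assess(before, after):
    """One-line verdict: a rename after removal is the signal to escalate, not a clean result."""
    persisting, renamed, cleared = compare_scans(before, after)
    if renamed:
        return "recurring under a new name"
    if persisting:
        return "persisting"
    if cleared and not hidden_drivers(after):
        return "cleared"
    return "no hidden drivers reported"


if __name__ == "__main__":
    before = parse_report(SCAN_BEFORE_REBOOT)
    after = parse_report(SCAN_AFTER_REBOOT)
    print(compare_scans(before, after))
    print(assess(before, after))
```

Tracking findings by directory rather than by exact filename is what turns "removed, then found again" into a single recurring item; that verdict does not prove an infection on its own (the other scanners in this thread found nothing), but it is the case where a second opinion from an independent rootkit scanner is worth asking for, which is exactly what the helper does next.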
|
 |
|
Scan again and, after the scan, select the following item (tick the box):
C:\WINDOWS\System32\Drivers\a1qsqaxz.SYS
Then click "Remove selected items".
Let the computer restart.
Scan again with AVG Anti-Rootkit and report whether anything is still found.
|
 |
If I do that and restart the PC, a different variant appears.
A different name.
|
 |
Download Sophos Anti-Rootkit: http://www.sophos.com/products/free-...i-rootkit.html
Place it on your desktop.
Double-click sarsfx.exe to extract the files.
(Accept the default installation folder C:\Program Files\Sophos\Sophos Anti-Rootkit.)
When the installation has completed successfully you will get a message saying so.
Click YES to start the program.
Make sure the following are ticked:
- Running processes
- Windows Registry
- Local Hard Drives
Click the "Start Scan" button.
When you get a message that the scan is finished, click "OK" and close the program.
Go to Start - Run and type: %temp%\sarscan.log
A Notepad file opens.
Post the contents of this file.
|
 |
|
Sorry I couldn't reply sooner, Casema was down again..
Sophos Anti-Rootkit Version 1.3.1 (data 1.08) (c) 2006 Sophos Plc
Started logging on 26-6-2008 at 22:40:03
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Classes\giffile\shell\open\ddeexec
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D511002
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D511002
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D511002
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Licenses
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlayNATHelp\DPNHUPnP\ActiveNATMappings\MsnMsgr (192.168.123.110:12279) 12692 UDP
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\c\IsUnicode
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Config.Msi\
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D511002
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs
Stopped logging on 26-6-2008 at 22:43:18
|
 |
Restart the computer.
Wait until the computer has fully started, disconnect from the internet, don't start any other programs, and then run a new scan with Sophos.
Post that log.
Do nothing else on the computer during the scan.
|
 |
Hello,
Now that I have rebooted and unplugged the internet, Sophos no longer finds anything, but AVG does..
Sophos also finds nothing when my internet is plugged in.
What could it be?
A false positive or?
Because as far as I know I haven't downloaded any junk lately, and it only started after the AVG update.
|
 |
|
No idea, I don't see anything in the logs.
I could have you run another scan?
|
 |
|
Yes please, if possible
|
 |
Rootkit scanners can sometimes disagree with each other.
The important thing is that you do nothing while scanning; also disconnect from the internet.
Download F-Secure BlackLight: https://europe.f-secure.com/blacklight/
Place it on your desktop.
Double-click blbeta.exe.
Click "I accept the agreement".
Click "Next".
Click "Scan" and when the program is finished click "Next".
If BlackLight finds something, it will show a list of files.
Don't let it rename anything yet.
On your desktop there is a file whose name starts with fsbl and ends with .log (the x's in the name stand for digits).
This is the log that BlackLight made.
Post it.
|
 |
|
Found nothing.. hmm, what could it be
|
 |
Restart and make a new log with ComboFix.
Post it.
|
 |
ComboFix 08-06-20.4 - C. Mulder 2008-06-27 16:31:27.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.485 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\C. Mulder\Bureaublad\ComboFix.exe
* Resident AV is active
.
Bestanden Gemaakt van 2008-05-27 to 2008-06-27
.
2008-06-27 13:39 . 2008-06-27 13:39 <DIR> D C:\Program Files\SpeedFan
2008-06-27 13:39 . 2008-06-27 13:39 45 --a C:\WINDOWS\system32\initdebug.nfo
2008-06-27 10:45 . 2008-06-27 10:45 <DIR> D C:\Program Files\VirusTotalUploader
2008-06-27 10:36 . 2008-06-27 10:36 <DIR> D C:\Program Files\Frets on Fire
2008-06-27 10:36 . 2008-06-27 10:36 <DIR> D C:\Documents and Settings\C. Mulder\Application Data\fretsonfire
2008-06-26 22:39 . 2008-06-26 22:39 <DIR> D C:\Program Files\Sophos
2008-06-26 21:47 . 2008-06-26 21:47 <DIR> D C:\Program Files\Trend Micro
2008-06-26 20:31 . 2008-06-26 20:33 <DIR> D C:\Program Files\World of Warcraft Trial
2008-06-26 20:31 . 2008-06-26 20:31 <DIR> D C:\Program Files\Common Files\Blizzard Entertainment
2008-06-26 18:29 . 2008-06-26 18:29 <DIR> Dr-h C:\Documents and Settings\C. Mulder\Application Data\SecuROM
2008-06-26 18:29 . 2008-06-26 18:29 107,888 --a C:\WINDOWS\system32\CmdLineExt.dll
2008-06-26 18:22 . 2008-06-26 18:22 <DIR> D C:\Program Files\Aspyr
2008-06-24 18:56 . 2008-06-24 18:59 <DIR> D C:\Program Files\Winamp
2008-06-24 18:56 . 2008-06-24 18:59 <DIR> D C:\Documents and Settings\C. Mulder\Application Data\Winamp
2008-06-22 21:48 . 2008-06-22 21:48 262,144 --a C:\WINDOWS\system32\default_user_class.dat
2008-06-22 17:04 . 2008-06-22 17:04 <DIR> D C:\Program Files\DAEMON Tools Lite
2008-06-21 18:24 . 2008-06-21 18:24 <DIR> D C:\Program Files\Apple Software Update
2008-06-18 15:47 . 2008-06-18 15:47 239 --a C:\WINDOWS\PowerReg.dat
2008-06-13 19:06 . 2008-06-13 19:06 <DIR> D C:\Program Files\iTunes
2008-06-13 19:06 . 2008-06-13 19:06 <DIR> D C:\Program Files\iPod
2008-06-13 19:06 . 2008-06-26 08:55 <DIR> D C:\Program Files\Bonjour
2008-06-13 19:06 . 2008-06-18 15:52 <DIR> D C:\Documents and Settings\C. Mulder\Application Data\Apple Computer
2008-06-13 19:05 . 2008-06-13 19:05 <DIR> D C:\Program Files\QuickTime
2008-06-13 19:05 . 2008-06-13 19:06 <DIR> D C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-13 19:04 . 2008-06-13 19:04 <DIR> D C:\Program Files\Common Files\Apple
2008-06-13 19:04 . 2008-06-13 19:04 <DIR> D C:\Documents and Settings\All Users\Application Data\Apple
2008-06-12 22:24 . 2008-06-20 22:36 1,374 --a C:\WINDOWS\imsins.BAK
2008-06-12 20:43 . 2008-06-12 20:43 <DIR> D C:\Program Files\Microsoft Silverlight
2008-06-12 20:42 . 2008-06-12 20:43 <DIR> D C:\temp\ext18866
2008-06-12 20:42 . 2008-06-12 20:42 <DIR> D C:\temp
2008-06-12 18:52 . 2008-06-12 18:52 <DIR> D C:\Program Files\Spybot - Search & Destroy
2008-06-12 18:52 . 2008-06-12 19:10 <DIR> D C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-12 14:26 . 2008-06-14 20:00 272,640 C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 14:26 . 2008-06-14 20:00 272,640 c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-07 14:03 . 2008-06-07 14:03 <DIR> D C:\WINDOWS\system32\Kaspersky Lab
2008-06-07 14:03 . 2008-06-07 14:03 <DIR> D C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-02 21:42 . 2008-06-27 16:30 <DIR> D--hs---- C:\Documents and Settings\C. Mulder\Onlangs geopend
2008-06-02 21:39 . 2008-06-02 21:39 <DIR> D C:\Program Files\CCleaner
2008-06-02 21:11 . 2008-06-02 21:12 <DIR> D C:\WINDOWS\.silabclient_store_32
2008-06-01 08:08 . 2008-06-01 08:08 <DIR> D C:\Program Files\KeyScrambler
2008-06-01 08:08 . 2008-03-22 23:37 113,896 --a C:\WINDOWS\system32\drivers\keyscrambler.sys
2008-05-29 18:54 . 2008-05-29 19:04 <DIR> D C:\Documents and Settings\C. Mulder\.SunDownloadManager
2008-05-29 17:19 . 2008-05-29 17:19 <DIR> D C:\Documents and Settings\C. Mulder\Application Data\Malwarebytes
2008-05-29 17:18 . 2008-06-25 12:52 <DIR> D C:\Program Files\Malwarebytes' Anti-Malware
2008-05-29 17:18 . 2008-05-29 17:18 <DIR> D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-29 17:18 . 2008-06-19 17:48 34,296 --a C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-29 17:18 . 2008-06-19 17:47 17,144 --a C:\WINDOWS\system32\drivers\mbam.sys
2008-05-28 17:47 . 2008-06-27 14:48 <DIR> D--h C:\$AVG8.VAULT$
2008-05-28 15:46 . 2008-06-26 16:20 <DIR> D C:\WINDOWS\system32\drivers\Avg
2008-05-28 15:46 . 2008-05-29 19:09 <DIR> D C:\Documents and Settings\C. Mulder\Application Data\AVGTOOLBAR
2008-05-28 15:46 . 2008-06-20 18:43 96,520 --a C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-28 15:46 . 2008-06-20 18:44 76,040 --a C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-28 15:46 . 2008-06-20 18:43 12,936 --a C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-05-28 15:46 . 2008-06-20 18:43 10,520 --a C:\WINDOWS\system32\avgrsstx.dll
2008-05-28 15:45 . 2008-05-28 15:45 <DIR> D C:\Program Files\AVG
2008-05-28 15:45 . 2008-06-10 20:27 <DIR> D C:\Documents and Settings\All Users\Application Data\avg8
2008-05-28 15:45 . 2008-06-20 18:44 45,568 --a C:\WINDOWS\system32\avgfwdx.dll
2008-05-28 15:45 . 2008-06-20 18:44 23,296 --a C:\WINDOWS\system32\drivers\avgfwdx.sys
2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a C:\WINDOWS\system32\QuickTimeVR.qtx
2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a C:\WINDOWS\system32\QuickTime.qts
.
Find3M Rapport
.
2008-06-27 10:30 d w C:\Documents and Settings\C. Mulder\Application Data\LimeWirePlus
2008-06-26 16:29 d w C:\Documents and Settings\C. Mulder\Application Data\uTorrent
2008-06-23 09:09 d w C:\Program Files\SwiftKit
2008-06-22 19:16 d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-22 19:15 d w C:\Program Files\SpywareBlaster
2008-06-22 15:06 d w C:\Program Files\Maxis
2008-06-13 17:26 d w C:\Program Files\SwiftSwitch
2008-06-05 14:38 d w C:\Program Files\Windows Live Safety Center
2008-05-28 13:25 d w C:\Program Files\Kaspersky Lab
2008-05-26 13:22 d w C:\Program Files\Orban
2008-05-24 12:03 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-05-24 12:02 d w C:\Documents and Settings\C. Mulder\Application Data\DAEMON Tools
2008-05-17 15:30 d w C:\Documents and Settings\C. Mulder\Application Data\VoipBuster
2008-05-17 14:58 d w C:\Program Files\VoipBuster.com
2008-05-13 15:33 d w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-05-13 15:31 d w C:\Program Files\Messenger Plus! Live
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-03 19:41 d w C:\Program Files\Red Kawa
2008-04-27 19:14 d w C:\Program Files\Windows Media Connect 2
2008-04-27 16:42 d w C:\Program Files\uTorrent
2008-04-23 04:22 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.
Sigcheck
2007-06-13 15:24 979456 1b23f40acaed86b9f6db6833d22cfdb0 C:\WINDOWS\explorer.exe
2007-06-13 15:12 1036800 1d6245afbd3faabc16a885116be1874d C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 14:00 1035776 a1d7304a87fc3093150f5e3cc7b0f338 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 15:24 979456 1b23f40acaed86b9f6db6833d22cfdb0 C:\WINDOWS\system32\dllcache\explorer.exe
.
snapshot@2008-06-26_21.56.22,73
.
- 2008-06-26 14:30:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-27 10:51:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 1996-04-03 19:33:26 5,248 ----a-w C:\WINDOWS\system32\giveio.sys
+ 2006-09-24 13:28:46 5,248 ----a-w C:\WINDOWS\system32\speedfan.sys
.
Reg Opstartpunten
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 18:20 339968 C:\WINDOWS\stsystra.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2008-03-12 15:43 6731312]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01 110592]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-20 18:44 1231128]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.GTCC"= GTCODEC.DLL
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire Plus\\LimeWire.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"=
"C:\\Program Files\\SwiftSwitch\\SwiftSwitch.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"C:\\Program Files\\Hasbro Interactive\\RollerCoaster Tycoon\\rct.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1200:TCP"= 1200:TCP:*:Disabled:Hotel
"1232:TCP"= 1232:TCP:Habbo1
"10822:TCP"= 10822:TCP:BitComet 10822 TCP
"10822:UDP"= 10822:UDP:BitComet 10822 UDP
"3804:UDP"= 3804:UDP:Windows Media Format SDK (wmplayer.exe)
"3805:UDP"= 3805:UDP:Windows Media Format SDK (wmplayer.exe)
R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-06-20 18:43]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-20 18:43]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-20 18:44]
R2 avgfws8;AVG8 Firewall;C:\PROGRA~1\AVG\AVG8\avgfws8.exe [2008-06-20 18:44]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-20 18:44]
R3 Avgfwdx;Avgfwdx;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-06-20 18:44]
R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2008-03-22 23:37]
R3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\2.tmp
S3 Avgfwfd;AVG network filter service;C:\WINDOWS\system32\DRIVERS\avgfwdx.sys [2008-06-20 18:44]
S3 DCamUSBDXGTech;Trust 350FS PowerC@m Flash (Video Camera);C:\WINDOWS\system32\Drivers\GT891x1.SYS [2001-12-11 22:27]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;I:\Mark\EVEREST Home Edition\kerneld.wnt
S3 GT890x;Trust 350FS PowerC@m Flash (Still Camera);C:\WINDOWS\system32\Drivers\GT890x.SYS [2001-07-05 12:13]
*Newly Created Service* - GIVEIO
*Newly Created Service* - SPEEDFAN
.
Inhoud van de 'Gedeelde Taken' map
"2008-06-23 17:36:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-27 16:32:22
Windows 5.1.2600 Service Pack 2 NTFS
scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...
Scan succesvol afgerond
verborgen bestanden: 0
Go to this website: http://www.virustotal.com/en/indexf.html
Have the following file scanned: C:\WINDOWS\explorer.exe
Post the result of the scan.
Unfortunately,
Bestand explorer.exe ontvangen op 2008.06.27 18:55:50 (CET)
Huidig status: Laden ...
In wachtrij Wachtende Aan het scannen Einde NIET GEVONDEN GESTOPT
Resultaat: 0/32 (0%)
Nothing found.
Could it perhaps be KeyScrambler?
Because that does not start when Windows boots.
Only with Internet Explorer; maybe AVG sees that as a rootkit?
Then everything looks OK to me.
I don't see or find any problems in your logs.
Is the problem still there?
It's gone!
It doesn't find anything anymore * magic * :P
Strange, I didn't do anything special.
Anyway, many thanks for all the effort you put into this.
You're welcome.
Go to Start - Run and type: ComboFix /u
Press Enter.
More info on how to prevent a new infection can be found here and here.
I am setting the status of this thread to solved.
If there are no further replies, this thread will be moved automatically within about 3 days to the section Opgeloste hijackthislogs and replying will no longer be possible.
This is to keep the forum tidy and clear.
If it turns out there are still problems and you want to reply in this topic again, send me a private message with a request to reopen it.
Happy surfing again.
PS: It is finding a rootkit again; I think this is a bug.
I'm not having any other trouble.