ComboFix 09-04-04.01 - Gebruiker 2009-04-10 13:24:23.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.1023.621 [GMT 2:00]
Running from: d:\downloads\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090409-0] *On-access scanning disabled* (Updated)
 * Created a new restore point
.

((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\jestertb.dll
c:\windows\system32\_003895_.tmp.dll
c:\windows\system32\_003896_.tmp.dll
c:\windows\system32\_003897_.tmp.dll
c:\windows\system32\_003898_.tmp.dll
c:\windows\system32\_003905_.tmp.dll
c:\windows\system32\_003906_.tmp.dll
c:\windows\system32\_003907_.tmp.dll
c:\windows\system32\_003909_.tmp.dll
c:\windows\system32\_003910_.tmp.dll
c:\windows\system32\_003913_.tmp.dll
c:\windows\system32\_003914_.tmp.dll
c:\windows\system32\_003916_.tmp.dll
c:\windows\system32\_003917_.tmp.dll
c:\windows\system32\_003918_.tmp.dll
c:\windows\system32\_003920_.tmp.dll
c:\windows\system32\_003921_.tmp.dll
c:\windows\system32\_003923_.tmp.dll
c:\windows\system32\_003924_.tmp.dll
c:\windows\system32\_003928_.tmp.dll
c:\windows\system32\_003929_.tmp.dll
c:\windows\system32\_003931_.tmp.dll
c:\windows\system32\_003934_.tmp.dll
c:\windows\system32\_003936_.tmp.dll
c:\windows\system32\_003937_.tmp.dll
c:\windows\system32\_003938_.tmp.dll
c:\windows\system32\_003939_.tmp.dll
c:\windows\system32\_003942_.tmp.dll
c:\windows\system32\_003943_.tmp.dll
c:\windows\system32\_003944_.tmp.dll
c:\windows\system32\_003945_.tmp.dll
c:\windows\system32\_003946_.tmp.dll
c:\windows\system32\_003951_.tmp.dll
c:\windows\system32\_006355_.tmp.dll
c:\windows\system32\_006356_.tmp.dll
c:\windows\system32\_006357_.tmp.dll
c:\windows\system32\_006358_.tmp.dll
c:\windows\system32\_006365_.tmp.dll
c:\windows\system32\_006366_.tmp.dll
c:\windows\system32\_006367_.tmp.dll
c:\windows\system32\_006368_.tmp.dll
c:\windows\system32\_006370_.tmp.dll
c:\windows\system32\_006371_.tmp.dll
c:\windows\system32\_006374_.tmp.dll
c:\windows\system32\_006375_.tmp.dll
c:\windows\system32\_006377_.tmp.dll
c:\windows\system32\_006378_.tmp.dll
c:\windows\system32\_006379_.tmp.dll
c:\windows\system32\_006381_.tmp.dll
c:\windows\system32\_006384_.tmp.dll
c:\windows\system32\_006385_.tmp.dll
c:\windows\system32\_006389_.tmp.dll
c:\windows\system32\_006390_.tmp.dll
c:\windows\system32\_006392_.tmp.dll
c:\windows\system32\_006395_.tmp.dll
c:\windows\system32\_006397_.tmp.dll
c:\windows\system32\_006398_.tmp.dll
c:\windows\system32\_006399_.tmp.dll
c:\windows\system32\_006400_.tmp.dll
c:\windows\system32\_006401_.tmp.dll
c:\windows\system32\_006404_.tmp.dll
c:\windows\system32\_006405_.tmp.dll
c:\windows\system32\_006406_.tmp.dll
c:\windows\system32\_006407_.tmp.dll
c:\windows\system32\_006408_.tmp.dll
c:\windows\system32\_006413_.tmp.dll
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref

.
((((((((((((((((((((   Files Created from 2009-03-10 to 2009-04-10  ))))))))))))))))))))))))))))))
.

2009-04-09 16:50 . 2009-04-09 16:50  d--------  c:\documents and settings\Gebruiker\Application Data\Malwarebytes
2009-04-09 16:50 . 2009-04-09 16:50  d--------  c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 16:50 . 2009-04-06 15:32  38,496  --a------  c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 16:50 . 2009-04-06 15:32  15,504  --a------  c:\windows\system32\drivers\mbam.sys
2009-04-08 10:45 . 2009-04-08 10:45  d--------  c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-04-07 15:52 . 2009-04-07 15:52  dr-h-----  c:\documents and settings\Gebruiker\Onlangs geopend
2009-04-06 18:04 . 2009-04-06 18:04  355  --a------  c:\windows\system32\MRT.INI
2009-03-15 14:12 . 2009-03-15 14:12  d--------  c:\documents and settings\Gebruiker\Application Data\Red Kawa
2009-03-15 13:57 . 2009-03-15 13:57  d--------  c:\program files\AviSynth 2.5
2009-03-13 15:48 . 2009-03-13 15:48  d--------  c:\program files\websrvx
2009-03-13 15:47 . 2009-03-13 15:47  2  ---h-----  c:\windows\t55ft3223f44.dat
2009-03-13 15:47 . 2009-03-13 15:47  2  ---h-----  c:\windows\t55ft2631f44.dat

.
(((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-15 13:11  200  ----a-w  C:\4443223454.bat
2009-02-09 13:19  1,846,400  ----a-w  c:\windows\system32\win32k.sys
2009-02-09 13:19  1,846,400  ----a-w  c:\windows\system32\dllcache\win32k.sys
2009-02-06 17:33  201,352  ----a-w  c:\windows\system32\PnkBstrB.exe
2009-01-24 09:52  410,984  ----a-w  c:\windows\system32\deploytk.dll
2008-12-06 11:45  31  ----a-w  c:\documents and settings\Gebruiker\jagex_runescape_preferences.dat
2008-01-14 14:17  32  ----a-w  c:\documents and settings\All Users\Application Data\ezsid.dat

.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"Rainlendar2"="j:\programma's\Rainlendar2\Rainlendar2.exe" [2007-12-30 1365504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"MPS"="c:\acer\PSM.EXE" [2003-12-04 360448]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-08-28 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-08-28 118784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-24 136600]
"avast!"="j:\avast\ashDisp.exe" [2009-02-05 81000]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
AlarmS4.lnk - c:\windows\system32\AlarmS4.exe [2004-04-29 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ivimp3en"= ivimp3en.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute  REG_MULTI_SZ  autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-22 20:42 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 10:47 289064 d:\itunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-10-25 16:37 2178832 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetLimiter]
--a------ 2004-03-31 15:23 823296 c:\program files\NetLimiter\NetLimiter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 03:01 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-11 04:19 69632 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-10-31 11:45 32873 c:\program files\Java\j2re1.4.2_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-08-15 15:34 57344 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Sierra\\Half-Life\\hl.exe"=
"c:\\Westwood\\RA2\\game.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Activision\\Rome - Total War\\RomeTW.exe"=
"c:\\Westwood\\RA2\\mphmd.exe"=
"c:\\Westwood\\RA2\\gamemd.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"d:\\HLSW\\hlsw.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRESX.EXE"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRES.EXE"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Westwood\\RA2\\mph.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"d:\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"d:\\Unreal T2004\\System\\UT2004.exe"=
"d:\\iTunes\\iTunes.exe"=
"C:6\\Games\\Left 4 Dead\\left4dead.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"7070:TCP"= 7070:TCP:nfr

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-02-15 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-02-15 20560]
R3 PortRW;PortRW;c:\windows\system32\drivers\PortRW.sys [2004-04-29 3456]
S2 ISPMonitorSrv;ISP Monitor;c:\program files\ISP Monitor\ISPMonitorSrv.exe --> c:\program files\ISP Monitor\ISPMonitorSrv.exe [?]
S2 NFRAgent;NFRAgent;c:\windows\system32\svchost.exe -k nfrsvc [1980-01-01 14336]
S2 osaio;osaio;c:\windows\system32\drivers\osaio.sys --> c:\windows\system32\drivers\osaio.sys [?]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [2006-08-24 152576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nfrsvc  REG_MULTI_SZ  NFRAgent

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\CDStart.Exe
\Shell\Install\Command - G:\navsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2dc5fb2-aa7e-11dc-bae1-0011091b1d98}]
\Shell\AutoRun\command - I:\ClickMe.exe
.
Contents of the 'Scheduled Tasks' folder

2006-03-10 c:\windows\Tasks\XoftSpy.job
- c:\program files\XoftSpy\XoftSpy.exe []

2009-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-10 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

2009-04-07 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
Notify-dimsntfy - (no file)
MSConfigStartUp-LogitechCameraAssistant - c:\program files\Logitech\Video\CameraAssistant.exe
MSConfigStartUp-LogitechVideo[inspector] - c:\program files\Logitech\Video\InstallHelper.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nieuwsblad.be/index.html?ref=0817
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\NetLimiter\nl_lsp.dll
TCP: {136FE7B5-4C12-49B1-BCFD-A645E3C6B1CD} = 83.143.245.36,83.143.245.37
FF - ProfilePath - c:\documents and settings\Gebruiker\Application Data\Mozilla\Firefox\Profiles\omusn9ru.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.be/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: d:\itunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 13:28:40
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{114866E9-7C82-20F7-16C3063A4CAB25A4}\{3FC78BFC-C5A7-A764-C3D11931F655D68A}\{CA848313-C322-9D26-10260A1412DD57C5}*]
"J6LUTEVR24DWS6LBRK5JBJYX6E1"=hex:01,00,01,00,00,00,00,00,64,ee,da,6f,cf,9a,c5,9b,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{61E02159-A14A-FC32-018FB6A6B5E128FA}\{BE08726F-5794-26E4-FF65539D238093C7}\{FD6EFD08-28CD-2519-DC89D4AD1DA3D3A5}*]
"J6LUTEVR24DWS6LBRK5JBJYX6E1"=hex:01,00,01,00,00,00,00,00,64,ee,da,6f,cf,9a,c5,9b,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A72C365C-2B28-0978-52A59749C0ABC09D}\{2A6BE869-A5EF-247E-F6A7B01E97A485BF}\{3251E462-487B-7BE8-3B3E094BA2D6C7C9}*]
"J6LUTEVR24DWS6LBRK5JBJYX6E1"=hex:01,00,01,00,00,00,00,00,64,ee,da,6f,cf,9a,c5,9b,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(800)
c:\program files\NetLimiter\nl_lsp.dll
c:\windows\system32\nl_msgc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
j:\avast\aswUpdSv.exe
j:\avast\ashServ.exe
c:\program files\COMMON FILES\LOGISHRD\LVMVFM\LVPRCSRV.EXE
c:\windows\SYSTEM32\WGATRAY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\rundll32.exe
j:\avast\ashMaiSv.exe
j:\avast\ashWebSv.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-04-10 13:30:56 - machine was rebooted [Gebruiker]
ComboFix-quarantined-files.txt 2009-04-10 11:30:54

Pre-Run: 943,882,240 bytes free
Post-Run: 894,795,776 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

297 --- E O F --- 2009-04-07 13:55:31
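A small triage helper, added here as an example and not part of ComboFix or of the posted log: it parses the service, firewall GloballyOpenPorts and ProxyServer lines in the ComboFix format shown above and flags the three things in this log that a practitioner would check first: a service started through svchost.exe with a -k group that is not one of the groups a stock Windows XP install ships with (the allow-list in the code is an assumption, adjust it for the system at hand), a firewall port exception whose label is not a Windows resource string, and a browser proxy that points at the local machine. The sample lines are copied from the log above plus one benign service line for contrast; the script reports what is there and does not claim what "nfr" is.

```python
import re

# Assumption: svchost -k groups present on a stock Windows XP SP2 install.
# A service in any other group is worth a look, not automatically malicious.
DEFAULT_XP_SVCHOST_GROUPS = frozenset({
    "netsvcs", "rpcss", "dcomlaunch", "localservice", "networkservice",
    "imgsvc", "httpfilter", "termsvcs",
})
LOCAL_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})

# ComboFix service line:  R1 aswSP;avast! Self Protection;c:\...\aswSP.sys [2009-02-15 114768]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)\s*\[(?P<stamp>[^\]]*)\]\s*$"
)
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\S+)", re.IGNORECASE)
# Firewall GloballyOpenPorts value:  "7070:TCP"= 7070:TCP:nfr
OPENPORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>.*)$')
# ComboFix proxy line:  uInternet Settings,ProxyServer = http=localhost:7171
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S.*)$")


def proxy_hosts(value):
    """Split 'http=localhost:7171;https=proxy:8080' or 'proxy:8080' into lower-cased host names."""
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        endpoint = part.split("=", 1)[1] if "=" in part else part
        hosts.append(endpoint.rsplit(":", 1)[0].strip().lower())
    return hosts


def triage(lines):
    """Return a list of (kind, detail) findings for the given ComboFix log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            sm = SVCHOST_RE.search(m["image"])
            if sm and sm["group"].lower() not in DEFAULT_XP_SVCHOST_GROUPS:
                findings.append(("svchost-group",
                                 f"{m['name']} runs in non-default group '{sm['group']}' (stamp {m['stamp']})"))
            continue
        m = OPENPORT_RE.match(line)
        if m:
            # Built-in exceptions carry a resource-string label such as @xpsp2res.dll,-22009;
            # a bare name means a program or a person added the rule.
            if not m["label"].startswith("@"):
                findings.append(("open-port", f"{m['port']}/{m['proto']} opened for '{m['label']}'"))
            continue
        m = PROXY_RE.search(line)
        if m:
            for host in proxy_hosts(m["value"]):
                if host in LOCAL_HOSTS:
                    findings.append(("local-proxy", f"browser traffic routed through {m['value']}"))
                    break
    return findings


# Lines copied from the log above; the aswSP and ISP Monitor entries are the benign contrast.
SAMPLE_LINES = [
    r"R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-02-15 114768]",
    r"S2 ISPMonitorSrv;ISP Monitor;c:\program files\ISP Monitor\ISPMonitorSrv.exe --> c:\program files\ISP Monitor\ISPMonitorSrv.exe [?]",
    r"S2 NFRAgent;NFRAgent;c:\windows\system32\svchost.exe -k nfrsvc [1980-01-01 14336]",
    r'"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009',
    r'"7070:TCP"= 7070:TCP:nfr',
    r"uInternet Settings,ProxyServer = http=localhost:7171",
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LINES):
        print(f"[{kind}] {detail}")
```

Run against the sample lines it reports the NFRAgent service in group nfrsvc (with its 1980 timestamp, which is out of line with every other service entry in the log), the 7070/TCP exception labelled nfr, and the localhost:7171 proxy, and stays quiet on the avast! driver, the ISP Monitor service and the built-in RDP exception. Feed it the whole log to get the same three findings; anything else it prints is a group or port outside the assumed allow-list and needs a human decision.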