ComboFix 09-10-25.01 - Guy Keustermans 25/10/2009  21:36.2.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.31.1043.18.503.101 [GMT 1:00]
Gestart vanuit: c:\documents and settings\guy keustermans\Bureaublad\ComboFix.exe
gebruikte Opdracht switches :: c:\documents and settings\guy keustermans\Bureaublad\CFScript.txt

FILE ::
"c:\windows\system32\drivers\fixustor.sys"
.

((((((((((((((((((((((((((((((((((   Andere Verwijderingen   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\fixustor.sys

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_fixustor


((((((((((((((((((((   Bestanden Gemaakt van 2009-09-25 to 2009-10-25   ))))))))))))))))))))))))))))))
.

2009-10-24 13:46 . 2009-10-25 20:33   --------   d--h--r-   c:\documents and settings\guy keustermans\Onlangs geopend
2009-10-24 12:55 . 2009-10-24 12:55   --------   d-----w-   c:\program files\CCleaner
2009-10-24 12:30 . 2009-10-24 12:52   --------   d-----w-   C:\Downloads
2009-10-24 12:19 . 2009-10-24 12:19   0          ----a-w-   c:\windows\nsreg.dat
2009-10-24 12:19 . 2009-10-24 12:19   --------   d-----w-   c:\documents and settings\guy keustermans\Local Settings\Application Data\Mozilla
2009-10-10 09:51 . 2009-10-10 09:51   --------   d-----w-   c:\documents and settings\guy keustermans\Application Data\Malwarebytes
2009-10-10 09:51 . 2009-09-10 12:54   38224      ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-10 09:51 . 2009-10-10 09:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-10 09:51 . 2009-09-10 12:53   19160      ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-10-10 09:51 . 2009-10-10 09:51   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-09-29 09:56 . 2009-09-29 09:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\Brother

.
(((((((((((((((((((((((((((((((((((((((   Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-25 16:43 . 2003-05-19 09:57   91632      ----a-w-   c:\windows\system32\perfc013.dat
2009-10-25 16:43 . 2003-05-19 09:57   511866     ----a-w-   c:\windows\system32\perfh013.dat
2009-10-24 13:30 . 2004-02-25 08:34   65768      ----a-w-   c:\documents and settings\guy keustermans\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-24 12:36 . 2005-03-02 12:57   --------   d-----w-   c:\program files\Google
2009-10-24 08:52 . 2008-07-17 06:01   --------   d-----w-   c:\program files\Common Files\Symantec Shared
2009-10-24 08:30 . 2005-07-02 19:50   --------   d-----w-   c:\program files\Mavvvzl
2009-10-10 10:34 . 2004-08-11 10:59   --------   d-----w-   c:\documents and settings\guy keustermans\Application Data\Lavasoft
2009-09-17 08:43 . 2004-02-16 22:01   --------   d-----w-   c:\program files\Java
2009-09-14 06:06 . 2007-12-28 08:11   --------   d-----w-   c:\program files\Microsoft Silverlight
2009-09-11 14:20 . 2004-10-01 08:51   136192     ----a-w-   c:\windows\system32\msv1_0.dll
2009-09-04 21:05 . 2004-10-01 08:52   58880      ----a-w-   c:\windows\system32\msasn1.dll
2009-08-29 07:32 . 2004-10-01 08:51   832512     ------w-   c:\windows\system32\wininet.dll
2009-08-29 07:32 . 2004-10-05 12:08   78336      ----a-w-   c:\windows\system32\ieencode.dll
2009-08-29 07:32 . 2004-10-01 08:52   17408      ------w-   c:\windows\system32\corpol.dll
2009-08-26 08:02 . 2004-10-01 08:51   247326     ----a-w-   c:\windows\system32\strmdll.dll
2009-08-06 17:24 . 2004-08-03 11:59   209632     ----a-w-   c:\windows\system32\wuweb.dll
2009-08-06 17:24 . 2004-08-03 11:58   327896     ----a-w-   c:\windows\system32\wucltui.dll
2009-08-06 17:24 . 2007-06-19 07:31   44768      ----a-w-   c:\windows\system32\wups2.dll
2009-08-06 17:24 . 2004-08-03 12:01   35552      ----a-w-   c:\windows\system32\wups.dll
2009-08-06 17:24 . 2003-04-08 02:00   53472      ------w-   c:\windows\system32\wuauclt.exe
2009-08-06 17:24 . 2003-04-08 02:00   96480      ----a-w-   c:\windows\system32\cdm.dll
2009-08-06 17:23 . 2004-08-03 12:04   575704     ----a-w-   c:\windows\system32\wuapi.dll
2009-08-06 17:23 . 2007-06-19 07:32   274288     ----a-w-   c:\windows\system32\mucltui.dll
2009-08-06 17:23 . 2007-06-19 07:32   215920     ----a-w-   c:\windows\system32\muweb.dll
2009-08-06 17:23 . 2003-04-08 02:00   1929952    ----a-w-   c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-10-01 08:52   205312     ----a-w-   c:\windows\system32\mswebdvd.dll
2009-08-04 17:52 . 2009-08-04 17:52   1193832    ----a-w-   c:\windows\system32\FM20.DLL
2009-08-04 17:29 . 2004-10-01 08:51   2149888    ------w-   c:\windows\system32\ntoskrnl.exe
2009-08-04 17:29 . 2004-10-01 08:51   2028544    ------w-   c:\windows\system32\ntkrnlpa.exe
2009-08-03 13:07 . 2009-08-03 13:07   403816     ----a-w-   c:\windows\system32\OGACheckControl.dll
2009-08-03 13:07 . 2009-08-03 13:07   322928     ----a-w-   c:\windows\system32\OGAAddin.dll
2009-08-03 13:07 . 2009-08-03 13:07   230768     ----a-w-   c:\windows\system32\OGAEXEC.exe

.
(((((((((((((((((((((((((((((   SnapShot@2009-10-25_18.11.38   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-25 20:43 . 2009-10-25 20:43   16384   c:\windows\Temp\Perflib_Perfdata_e4.dat
+ 2003-05-19 10:06 . 2009-10-25 20:43   32768   c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2003-05-19 10:06 . 2009-10-25 18:10   32768   c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2003-05-19 10:06 . 2009-10-25 20:43   32768   c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
- 2003-05-19 10:06 . 2009-10-25 18:10   32768   c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
+ 2003-05-19 10:06 . 2009-10-25 20:43   16384   c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2003-05-19 10:06 . 2009-10-25 18:10   16384   c:\windows\system32\config\systemprofile\Cookies\index.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Opstartpunten   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 1204224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-12-14 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-12-14 118784]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-01-31 98304]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2002-05-28 69632]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"CoolSwitch"="c:\windows\System32\taskswitch.exe" [2002-03-19 45632]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"FiadproMessageClient"="c:\program files\Dolmen\\FiAdPro\FiAdMessageClient.exe" [2005-04-11 258048]
"UMonit"="c:\windows\system32\umonit.exe" [2005-08-06 53248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\guy keustermans\Menu Start\Programma's\Opstarten\
FreeWheel.lnk - c:\program files\FreeWheel\FreeWheel.exe [1999-10-28 229376]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-4 110592]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-3-15 241664]
Monitor.lnk - c:\program files\Hama\Hama Digital Software Suite\Media Card Companion\MCC Monitor.exe [2008-6-2 114688]
Snelstart HP Image Zone.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-3-15 53248]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S3 ACSET;ACS USB Smart Card Reader;c:\windows\system32\drivers\acrusbxp.sys [15/10/2004 15:52 25728]

--- Andere Services/Drivers In Geheugen ---

*Deregistered* - mbr
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.nieuwsblad.be/index.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0413/bl8.asp
uInternet Connection Wizard,ShellNext = hxxp://go.compaq.com/1Q00CDT/0413/bl7.asp
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: daf.com
Trusted Zone: daftrucks.com
Trusted Zone: facebook.com\login
DPF: {1D46BE0D-C314-4E20-A291-D1E66265725A} - hxxps://business.isabel.be/OfficeSignTestYourSignature/CAB-APP/CryptoActiveX.ocx
DPF: {207D2A66-5DC0-478F-BA7E-A492146D7750} - hxxps://business.isabel.be/CardActivator/CAB-APP/CardActivator.cab
DPF: {CDFBE499-AEED-4F62-AA82-03745AC78899} - hxxp://www.isabel.be/support/CAB-APP/IBS501G0123456.cab
DPF: {DD170420-92CF-11D4-9304-005004043EB5} - hxxps://finance.fortisbusiness.com/isalogon/FortisIsaLite.cab
FF - ProfilePath - c:\documents and settings\guy keustermans\Application Data\Mozilla\Firefox\Profiles\sjyrdh4m.default\
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 21:47
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
UMonit = c:\windows\system32\umonit.exe?ixustor.sys??Pid_0050??????4?6&PID24D8???B\?O??????????????????????????9~????????????????l??????|p??|????m??|??<~??????????4?B$?|??:~??:~*?,???4???????????????????????????????:~????????????????????T???~??????????????????????

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_USERS\S-1-5-21-1614895754-1292428093-839522115-1108\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1614895754-1292428093-839522115-1108\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1614895754-1292428093-839522115-1108\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1614895754-1292428093-839522115-1108\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1614895754-1292428093-839522115-1108\Software\Microsoft\Windows Mobile Disc\W*i*n*d*o*w*s* *M*o*b*i*l*e*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000020

[HKEY_LOCAL_MACHINE\software\Broadcom\Broadcom Management Programs]
@DACL=(02 0000)
@SACL=
[HKEY_LOCAL_MACHINE\software\Classes\DSP.DSP\CLSID]
@DACL=(02 0000)
@SACL=
@="{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}"

[HKEY_LOCAL_MACHINE\software\Classes\DSP.DSP\CurVer]
@DACL=(02 0000)
@SACL=
@="DSP.DSP.1"

[HKEY_LOCAL_MACHINE\software\Classes\DSP.DSPDMOProp_Chorus.1\CLSID]
@DACL=(02 0000)
@SACL=
@="{6F63B172-5543-4593-91CE-EDBA65B9FACDB}"

[HKEY_LOCAL_MACHINE\software\Classes\igfx.CUITestConfig.1\CLSID]
@DACL=(02 0000)
@SACL=
@="c"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{E3C9CBB0-8C83-4089-BCAE-D03AA7F2AE41}\1.0]
@DACL=(02 0000)
@="VSIface 1.0 Type Library"

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IE40.BrowseUI\RegBackup]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"3140111900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'explorer.exe'(3040)
c:\docume~1\GUYKEU~1\LOCALS~1\Temp\frw2.tmp
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\system32\brss01a.exe
c:\windows\system32\scardsvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\combofix\CF7956.exe
c:\program files\Dolmen\FiAdPro\FiAdMessageClient.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Voltooingstijd: 2009-10-25 21:52 - machine werd herstart
ComboFix-quarantined-files.txt  2009-10-25 20:52
ComboFix2.txt  2009-10-25 18:16

Pre-Run: 21.441.150.976 bytes beschikbaar
Post-Run: 21.409.320.960 bytes beschikbaar

- - End Of File - - D3A89299C89F7619C29C683307456655