ComboFix 09-10-25.01 - Administrator 25-10-2009 22:40.10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.1015.456 [GMT 1:00]
Started from: c:\documents and settings\Administrator\Bureaublad\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Bureaublad\CFScript.txt
AV: Norman Security Suite *On-access scanning disabled* (Updated) {EB9EFB40-AE72-4C43-B204-0FCD0E92D5F1}
FW: Norman Security Suite *enabled* {83B29CE9-9DE2-2CB5-9AB3-780D70FF12B0}

FILE ::
"c:\windows\system32\drivers\lvuvc.hs"
.

(((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 ))))))))))))))))))))))))))))))
.

2009-10-25 13:18 . 2009-10-25 13:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\mIRC
2009-10-25 13:18 . 2009-10-25 13:19 -------- d-----w- c:\program files\mIRC
2009-10-08 18:38 . 2009-10-08 18:38 -------- d-----w- c:\program files\iEvony

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-25 21:05 . 2008-10-11 17:05 -------- d-----w- c:\program files\Norman
2009-10-25 20:53 . 2009-03-27 12:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-10-25 17:25 . 2004-09-08 07:54 94448 ----a-w- c:\windows\system32\perfc013.dat
2009-10-25 17:25 . 2004-09-08 07:54 521242 ----a-w- c:\windows\system32\perfh013.dat
2009-10-25 16:08 . 2009-03-07 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-23 17:06 . 2008-10-17 02:07 36096 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-23 16:21 . 2009-02-24 11:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-22 01:07 . 2008-10-25 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-22 01:05 . 2008-10-25 17:15 -------- d-----w- c:\program files\Microsoft Works
2009-10-21 19:28 . 2009-09-11 11:54 -------- d-----w- c:\program files\Graboid
2009-10-21 19:26 . 2008-10-08 12:48 -------- d-----w- c:\program files\Google
2009-10-14 15:21 . 2008-11-18 01:21 -------- d-----w- c:\program files\Macromedia
2009-10-08 10:59 . 2009-02-24 11:38 21832 ----a-w- c:\windows\system32\drivers\nvcw32mf.sys
2009-10-07 12:22 . 2009-02-24 11:38 76944 ----a-w- c:\windows\system32\drivers\tdi_rd.sys
2009-10-07 12:20 . 2009-02-24 11:38 82072 ----a-w- c:\windows\system32\drivers\ndis_rd.sys
2009-10-07 12:20 . 2009-02-24 11:38 44872 ----a-w- c:\windows\system32\drivers\ale_nf.sys
2009-10-07 12:07 . 2009-02-24 11:38 214344 ----a-w- c:\windows\system32\nscrnsav.scr
2009-10-05 21:36 . 2008-10-30 16:01 4876 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-29 07:38 . 2008-10-11 17:35 -------- d-----w- c:\program files\Logitech
2009-09-28 06:08 . 2009-07-28 16:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-09-27 15:10 . 2009-07-28 16:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-09-25 19:15 . 2009-09-25 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-09-11 14:20 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 12:40 . 2008-10-17 02:09 -------- d--h--w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-09-11 12:33 . 2009-02-17 21:33 -------- d-----w- c:\program files\QuickTime
2009-09-11 12:19 . 2009-09-11 12:17 -------- d-----w- c:\program files\iTunes
2009-09-11 12:19 . 2009-09-11 12:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-11 12:18 . 2009-09-11 12:18 -------- d-----w- c:\program files\iPod
2009-09-11 12:18 . 2009-02-17 21:36 -------- d-----w- c:\program files\Common Files\Apple
2009-09-11 12:16 . 2009-09-11 12:16 -------- d-----w- c:\program files\Bonjour
2009-09-11 12:08 . 2009-09-11 12:08 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-09-10 16:57 . 2009-03-07 22:32 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 12:54 . 2009-02-24 11:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 12:53 . 2009-02-24 11:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:05 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 13:25 . 2008-10-08 16:26 -------- d-----w- c:\program files\DivX
2009-09-02 13:25 . 2009-09-02 13:25 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-29 08:00 . 2004-08-04 08:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:02 . 2004-08-04 08:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 21:33 . 2009-08-17 21:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 17:24 . 2004-08-04 08:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 17:24 . 2004-08-04 08:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 17:24 . 2008-07-18 20:10 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 17:24 . 2004-08-04 08:00 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 17:24 . 2004-08-04 08:00 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 17:24 . 2004-08-04 08:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 17:23 . 2004-08-04 08:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 17:23 . 2008-10-11 05:15 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 17:23 . 2008-10-11 05:15 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 17:23 . 2004-08-04 08:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 08:00 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 17:29 . 2004-08-04 08:00 2149888 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 17:29 . 2004-08-04 08:00 2028544 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 13:07 . 2009-08-03 13:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 13:07 . 2009-08-03 13:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 13:07 . 2009-08-03 13:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-28 16:52 . 2009-07-28 16:52 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-10-08 13:09 . 2008-10-08 13:09 22 -csha-w- c:\windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-10-23_17.22.34 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-09-08 07:54 . 2009-10-17 01:20 74352 c:\windows\system32\perfc009.dat
+ 2004-09-08 07:54 . 2009-10-25 17:25 74352 c:\windows\system32\perfc009.dat
+ 2004-09-08 07:54 . 2009-10-25 17:25 452178 c:\windows\system32\perfh009.dat
- 2004-09-08 07:54 . 2009-10-17 01:20 452178 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Registry Startup Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-05 136600]
"PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 122880]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-31 122940]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 761945]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"CognizanceTS"="c:\progra~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 17920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-01-23 802816]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-02-15 892928]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 184320]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ScreenPrint32"="c:\program files\ScreenPrint32 v3\ScreenPrint32.exe" [2003-05-15 446464]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-20 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-20 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-20 137752]
"Norman ZANDA"="c:\program files\Norman\Npm\Bin\ZLH.EXE" [2009-10-07 189824]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-22 63712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2008-04-14 177152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Menu Start\Programma's\Opstarten\
OneNote 2007 Schermopname en Snel starten.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-2-15 581693]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2008-10-8 184320]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 18:41 40960 ----a-w- c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli AsWlnPkg

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Common Files\\LogiShrd\\LVCOMSER\\LVComSer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"63095:UDP"= 63095:UDP:Utorrent
"63095:TCP"= 63095:TCP:Utorrent

R0 NDIS_RD;Norman Firewall NDIS driver;c:\windows\system32\drivers\ndis_rd.sys [24-2-2009 12:38 82072]
R1 NGS;Norman General Security Driver;c:\program files\Norman\Ngs\Bin\ngs.sys [5-3-2009 14:15 25032]
R1 NPROSEC;Norman Security driver;c:\program files\Norman\Ngs\Bin\nprosec.sys [24-2-2009 12:38 56136]
R1 TDI_RD;Norman Firewall TDI driver;c:\windows\system32\drivers\tdi_rd.sys [24-2-2009 12:38 76944]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [4-8-2004 9:00 14336]
R2 Ndiskio;Ndiskio;c:\program files\Norman\Nse\Bin\Ndiskio.sys [16-10-2009 19:00 24168]
R2 NPFSvc32;Norman Personal Firewall Service;c:\program files\Norman\npf\bin\npfsvc32.exe [24-2-2009 12:38 599424]
R2 NPROSECSVC;Norman Security service;c:\program files\Norman\Ngs\Bin\nprosec.exe [24-2-2009 12:38 124232]
R2 NVOY;Norman Resource Provider;c:\program files\Norman\Npm\Bin\nvoy.exe [24-2-2009 12:39 128328]
R3 nsesvc;Norman Scanner Engine Service;c:\program files\Norman\Nse\Bin\Nsesvc.exe [16-10-2009 19:00 320840]
R3 Scheduler;Norman Scheduler Service;c:\program files\Norman\Npm\Bin\scheduler.exe [12-5-2009 22:27 132424]
S2 gupdate1c99f5bd8902d1c;Google Updateservice (gupdate1c99f5bd8902d1c);c:\program files\Google\Update\GoogleUpdate.exe [7-3-2009 20:35 133104]
S3 NvcMFlt;NvcMFlt;c:\windows\system32\drivers\nvcw32mf.sys [24-2-2009 12:38 21832]
S3 nvcoas;Norman Virus Control on-access component;c:\program files\Norman\nvc\bin\Nvcoas.exe [24-2-2009 12:38 197960]
S3 NVCScheduler;Norman Virus Control Scheduler;"c:\program files\Norman\Npm\Bin\Nvcsched.exe" --> c:\program files\Norman\Npm\Bin\Nvcsched.exe [?]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [20-4-2009 11:45 90408]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [20-4-2009 11:45 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [20-4-2009 11:45 122024]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [20-4-2009 11:45 115368]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [20-4-2009 11:45 25768]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [20-4-2009 11:45 111784]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [20-4-2009 11:45 117544]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel
.
Contents of the 'Scheduled Tasks' folder

2009-10-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-10-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-07 16:26]

2009-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-07 19:35]

2009-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-07 19:35]

2009-10-25 c:\windows\Tasks\User_Feed_Synchronization-{EA63F620-F611-42DD-A5B6-46ECFB9CE72D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.nl/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Verzenden naar &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game07.zylom.com/activex/zylomgamesplayer.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ptx8i4a9.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 22:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???HZ??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys spsz.sys >>UNKNOWN [0x86787938]<<
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0xba50a90 size 0x1b4 !
copy of MBR has been found in sector 62 !
PE file found in sector at 0x0BA50A90 !

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
error reading "catchme.sys" driver IRP handlers

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
ACPI.sys @ 0xF72B1000 0x2E080 bytes
\Driver\ACPI IRP hooks not detected

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
error reading "hal.sys" driver IRP handlers

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
iaStor.sys @ 0x0 0x0 bytes
\Driver\iaStor [ IRP_MJ_CREATE ] 0xF186 != 0xF71907B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_CLOSE ] 0xF186 != 0xF71907B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_DEVICE_CONTROL ] 0x12896 != 0xF71907B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x12B58 != 0xF71907B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_POWER ] 0x17E66 != 0xF71907B0 iaStor.sys
\Driver\iaStor [ IRP_MJ_SYSTEM_CONTROL ] 0x17FC6 != 0xF71907B0 iaStor.sys
\Driver\iaStor IRP hooks detected !

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
error reading "spsz.sys" driver IRP handlers

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2880723128-196248389-2616108540-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6c,7d,a6,3a,cb,ec,43,46,8b,60,c6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6c,7d,a6,3a,cb,ec,43,46,8b,60,c6,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\program files\HPQ\IAM\Bin\ASChnl.dll
c:\program files\HPQ\IAM\Bin\ItMsg.dll

- - - - - - - > 'lsass.exe'(1056)
c:\program files\HPQ\IAM\bin\AsWlnPkg.dll

- - - - - - - > 'explorer.exe'(5900)
c:\program files\Norman\nvc\bin\Niphk.dll
c:\program files\HPQ\IAM\Bin\SFSShell.dll
c:\program files\HPQ\IAM\bin\ItMsg.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-25 22:48
ComboFix-quarantined-files.txt 2009-10-25 21:48
ComboFix2.txt 2009-10-25 21:17
ComboFix3.txt 2009-10-25 17:54
ComboFix4.txt 2009-10-23 17:27
ComboFix5.txt 2009-10-25 21:40

Pre-Run: 11.823.943.680 bytes free
Post-Run: 11.805.253.632 bytes free

- - End Of File - - 9D9BF709ACB6E09F2E439699CBB0C264
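The two findings that matter in the Gmer section of the log above ("copy of MBR has been found in sector 62" and "PE file found in sector at 0x0BA50A90") come from looking at sectors that no partition owns. The script below, added here as an illustration and not part of ComboFix, Gmer, or the poster's log, re-creates those two checks on a raw disk image: it parses the MBR partition table, lists the unallocated sectors (the gap before the first partition and the tail after the last one), and reports any sector that carries a second copy of the MBR or a PE header. The layout constants, the 0x400 bound on e_lfanew, and the sample image built by `build_sample_image()` (one partition at LBA 63, the clean MBR parked in sector 62, a PE stub in sector 180) are constructed for the demo; point it at an image taken with `dd` to scan a real disk.

```python
"""
Added example: scan a raw disk image for the indicators the Gmer MBR detector
reports, a saved copy of the MBR and a PE image stored in unallocated sectors.
Run with a path to a raw image, or with no argument to scan a constructed sample.
"""
import struct
import sys

SECTOR = 512
BOOT_SIG = b"\x55\xaa"


def partition_table(mbr: bytes):
    """(start_lba, size_in_sectors) for each non-empty primary partition entry."""
    for i in range(4):
        start, size = struct.unpack_from("<II", mbr, 446 + 16 * i + 8)
        if size:
            yield start, size


def unallocated_sectors(image: bytes):
    """LBAs (sector 0 excluded) that no primary partition claims: the gap before
    the first partition and the tail after the last one. A bootkit has that
    space to itself, so that is where a saved MBR and its loader end up."""
    total = len(image) // SECTOR
    allocated = bytearray(total)
    for start, size in partition_table(image[:SECTOR]):
        for lba in range(start, min(start + size, total)):
            allocated[lba] = 1
    return [lba for lba in range(1, total) if not allocated[lba]]


def find_mbr_copies(image: bytes, candidates):
    """Sectors with a valid 55AA boot signature and the same partition table as
    sector 0: a patched sector 0 chain-loads such a copy after its own code ran."""
    table0 = image[446:510]
    return [lba for lba in candidates
            if image[lba * SECTOR + 510:lba * SECTOR + 512] == BOOT_SIG
            and image[lba * SECTOR + 446:lba * SECTOR + 510] == table0]


def find_pe_headers(image: bytes, candidates):
    """Sectors that start with an MZ stub whose e_lfanew lands on 'PE\\0\\0'."""
    hits = []
    for lba in candidates:
        off = lba * SECTOR
        if image[off:off + 2] != b"MZ" or len(image) < off + 0x40:
            continue
        e_lfanew = struct.unpack_from("<I", image, off + 0x3C)[0]
        # 0x400 is an assumed sanity bound on the DOS stub size, not a PE rule
        if 0x40 <= e_lfanew < 0x400 and image[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0":
            hits.append(lba)
    return hits


def scan(image: bytes) -> dict:
    cands = unallocated_sectors(image)
    copies = find_mbr_copies(image, cands)
    return {
        "mbr_copies": copies,
        # a copy whose bootstrap code differs from sector 0 means sector 0 was patched
        "patched_bootcode": [lba for lba in copies
                             if image[lba * SECTOR:lba * SECTOR + 446] != image[:446]],
        "pe_sectors": find_pe_headers(image, cands),
    }


def build_mbr(bootcode: bytes, entries) -> bytes:
    """Constructed MBR: bootstrap code, primary partition entries, 55AA signature."""
    mbr = bytearray(SECTOR)
    mbr[:len(bootcode)] = bootcode
    for i, (start, size) in enumerate(entries):
        off = 446 + 16 * i
        mbr[off], mbr[off + 4] = 0x80, 0x07          # active flag, NTFS type id
        struct.pack_into("<II", mbr, off + 8, start, size)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def build_sample_image() -> bytes:
    """Constructed 200-sector image: one partition at LBA 63 (classic XP layout),
    the clean MBR parked in sector 62, a fake PE stub in sector 180 past the partition."""
    entries = [(63, 100)]
    clean = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24, entries)
    patched = build_mbr(b"\xeb\xfe" + b"\xcc" * 30, entries)   # hypothetical hook stub
    image = bytearray(200 * SECTOR)
    image[0:SECTOR] = patched
    image[62 * SECTOR:63 * SECTOR] = clean
    pe = bytearray(b"MZ" + b"\0" * 0x7e)            # DOS stub padded to 0x80 bytes
    struct.pack_into("<I", pe, 0x3C, 0x80)          # e_lfanew -> PE signature
    pe += b"PE\0\0"
    image[180 * SECTOR:180 * SECTOR + len(pe)] = pe
    return bytes(image)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print(scan(data))
```

On the sample image the scan reports sector 62 as an MBR copy whose bootstrap code differs from sector 0, and sector 180 as a PE header, which is the same shape of result the log shows. The check only covers primary partitions and sectors that exist in the image; a hook of the storage driver's IRP handlers, like the iaStor.sys entries in the log, can hide sectors from a read taken on the live system, so take the image from another OS or a boot disk.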