ComboFix 09-12-02.08 - Speedy Gonzalez 03/12/2009 17:24.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.32.1043.18.512.171 [GMT 1:00]
Started from: g:\documents and settings\Speedy Gonzalez\Bureaublad\ComboFix.exe
.

(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
g:\documents and settings\All Users\Application Data\1doc2pdf.dll
g:\windows\system32\_004556_.tmp.dll
g:\windows\system32\_004557_.tmp.dll
g:\windows\system32\_004558_.tmp.dll
g:\windows\system32\_004559_.tmp.dll
g:\windows\system32\_004566_.tmp.dll
g:\windows\system32\_004567_.tmp.dll
g:\windows\system32\_004568_.tmp.dll
g:\windows\system32\_004569_.tmp.dll
g:\windows\system32\_004570_.tmp.dll
g:\windows\system32\_004571_.tmp.dll
g:\windows\system32\_004572_.tmp.dll
g:\windows\system32\_004573_.tmp.dll
g:\windows\system32\_004574_.tmp.dll
g:\windows\system32\_004575_.tmp.dll
g:\windows\system32\_004576_.tmp.dll
g:\windows\system32\_004577_.tmp.dll
g:\windows\system32\_004578_.tmp.dll
g:\windows\system32\_004579_.tmp.dll
g:\windows\system32\_004580_.tmp.dll
g:\windows\system32\_004582_.tmp.dll
g:\windows\system32\_004583_.tmp.dll
g:\windows\system32\_004585_.tmp.dll
g:\windows\system32\_004586_.tmp.dll
g:\windows\system32\_004590_.tmp.dll
g:\windows\system32\_004591_.tmp.dll
g:\windows\system32\_004593_.tmp.dll
g:\windows\system32\_004594_.tmp.dll
g:\windows\system32\_004595_.tmp.dll
g:\windows\system32\_004596_.tmp.dll
g:\windows\system32\_004597_.tmp.dll
g:\windows\system32\_004598_.tmp.dll
g:\windows\system32\_004599_.tmp.dll
g:\windows\system32\_004600_.tmp.dll
g:\windows\system32\_004601_.tmp.dll
g:\windows\system32\_004602_.tmp.dll
g:\windows\system32\_004603_.tmp.dll
g:\windows\system32\_004605_.tmp.dll
g:\windows\system32\_004606_.tmp.dll
g:\windows\system32\_004607_.tmp.dll
g:\windows\system32\_004608_.tmp.dll
g:\windows\system32\_004609_.tmp.dll
g:\windows\system32\_004610_.tmp.dll
g:\windows\system32\_004611_.tmp.dll
g:\windows\system32\_004614_.tmp.dll
g:\windows\system32\_004615_.tmp.dll
g:\windows\system32\_004616_.tmp.dll
g:\windows\system32\_004617_.tmp.dll
g:\windows\system32\_004619_.tmp.dll
g:\windows\system32\_004620_.tmp.dll
g:\windows\system32\_004621_.tmp.dll
g:\windows\system32\_004623_.tmp.dll
g:\windows\system32\_004626_.tmp.dll
g:\windows\system32\_004627_.tmp.dll
g:\windows\system32\_004629_.tmp.dll
g:\windows\system32\_004631_.tmp.dll
g:\windows\system32\_004632_.tmp.dll
g:\windows\system32\_004634_.tmp.dll
g:\windows\system32\_004636_.tmp.dll
g:\windows\system32\_004637_.tmp.dll
g:\windows\system32\_004639_.tmp.dll
g:\windows\system32\_004640_.tmp.dll
g:\windows\system32\_004641_.tmp.dll
g:\windows\system32\_004642_.tmp.dll
g:\windows\system32\_004645_.tmp.dll
g:\windows\system32\_004646_.tmp.dll
g:\windows\system32\_004647_.tmp.dll
g:\windows\system32\_004648_.tmp.dll
g:\windows\system32\_004649_.tmp.dll
g:\windows\system32\_004654_.tmp.dll
g:\windows\system32\_004656_.tmp.dll
g:\windows\system32\drivers\npf.sys
g:\windows\system32\Packet.dll
g:\windows\system32\pthreadVC.dll
g:\windows\system32\twain_32.dll
g:\windows\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_NPF

(((((((((((((((((((( Files Created from 2009-11-03 to 2009-12-03 ))))))))))))))))))))))))))))))
.
2009-11-25 10:29 . 2009-11-25 10:29 -------- d-----w- g:\documents and settings\All Users\Application Data\McAfee
2009-11-15 19:23 . 2009-11-15 20:27 -------- d-----w- g:\documents and settings\Speedy Gonzalez\Application Data\BitTorrent
2009-11-15 18:36 . 2009-11-15 18:37 -------- d-----w- g:\program files\Windows Live Safety Center
2009-11-15 18:32 . 2009-11-15 18:32 -------- d-----w- g:\program files\Microsoft
2009-11-15 18:31 . 2009-11-15 18:31 -------- d-----w- g:\program files\Windows Live SkyDrive
2009-11-15 18:11 . 2008-11-19 08:41 16640 ----a-w- g:\windows\system32\drivers\WsAudioDevice_383.sys
2009-11-15 18:10 . 2009-11-15 18:10 -------- d-----w- g:\windows\SysWOW64
.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 08:49 . 2004-08-04 12:00 90846 ----a-w- g:\windows\system32\perfc013.dat
2009-10-26 08:49 . 2004-08-04 12:00 508900 ----a-w- g:\windows\system32\perfh013.dat
2009-10-24 10:35 . 2008-02-17 00:05 -------- d-----w- g:\program files\Common Files\Wise Installation Wizard
2009-10-24 10:18 . 2007-01-11 21:46 -------- d--h--w- g:\program files\InstallShield Installation Information
2009-10-19 08:47 . 2009-09-30 07:58 -------- d-----w- g:\documents and settings\Speedy Gonzalez\Application Data\DealAssistant
2009-09-30 07:59 . 2009-09-30 07:59 130560 ----a-w- g:\documents and settings\Speedy Gonzalez\Application Data\Microsoft\Windows\oulwsv.exe
2009-09-30 07:59 . 2009-09-30 07:59 269824 ----a-w- g:\documents and settings\Speedy Gonzalez\Application Data\DealAssistant\DAUninstall.exe
2009-09-30 07:58 . 2009-09-30 07:58 729088 ----a-w- g:\windows\system32\3e78.dll
2009-09-11 14:20 . 2008-07-28 12:31 136192 ----a-w- g:\windows\system32\msv1_0.dll
2009-09-04 21:05 . 2004-08-04 12:00 58880 ----a-w- g:\windows\system32\msasn1.dll
2009-09-30 07:59 . 2009-09-30 07:59 210944 ----a-w- g:\program files\mozilla firefox\components\rpff.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{d71fe359-17ba-4e33-a163-ef41b00fd61d}"= "g:\program files\ST_Forum_tool\tbST_1.dll" [2009-11-20 2166296]

[HKEY_CLASSES_ROOT\clsid\{d71fe359-17ba-4e33-a163-ef41b00fd61d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d71fe359-17ba-4e33-a163-ef41b00fd61d}]
2009-11-20 12:10 2166296 ----a-w- g:\program files\ST_Forum_tool\tbST_1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{d71fe359-17ba-4e33-a163-ef41b00fd61d}"= "g:\program files\ST_Forum_tool\tbST_1.dll" [2009-11-20 2166296]

[HKEY_CLASSES_ROOT\clsid\{d71fe359-17ba-4e33-a163-ef41b00fd61d}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D71FE359-17BA-4E33-A163-EF41B00FD61D}"= "g:\program files\ST_Forum_tool\tbST_1.dll" [2009-11-20 2166296]

[HKEY_CLASSES_ROOT\clsid\{d71fe359-17ba-4e33-a163-ef41b00fd61d}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="g:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="g:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="g:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"HPDJ Taskbar Utility"="g:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 188416]
"PrnSys Executable"="c:\program files\Hewlett-Packard\hp print screen utility\PrnSys.exe" [2002-01-24 36864]
"NvCplDaemon"="g:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"QuickTime Task"="g:\program files\QuickTime\qttask.exe" [2008-06-03 155648]
"SoundMan"="SOUNDMAN.EXE" - g:\windows\SOUNDMAN.EXE [2007-01-11 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ	autocheck autochk *\0SsiEfr.e

[HKLM\~\startupfolder\G:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
path=g:\documents and settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Snelle start.lnk
backup=g:\windows\pss\Adobe Reader Snelle start.lnkCommon Startup

[HKLM\~\startupfolder\G:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Microsoft Office.lnk]
path=g:\documents and settings\All Users\Menu Start\Programma's\Opstarten\Microsoft Office.lnk
backup=g:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"svcWRSSSDK"=2 (0x2)
"ose"=3 (0x3)
"Maxtor Sync Service"=2 (0x2)
"InCDsrv"=2 (0x2)
"gusvc"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"HP Status Server"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"NVSvc"=2 (0x2)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Nero BackItUp Scheduler 3"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\Messenger\\msmsgs.exe"=
"g:\\Program Files\\NetMeeting\\conf.exe"=
"h:\\Maple 11\\Programma\\jre\\bin\\maple.exe"=
"g:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Need For Speed Carbon\\NFSC.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\SOF\\Programma\\Soldier of Fortune II - Double Helix MP TEST\\Soldier of Fortune II - Double Helix MP TEST\\SoF2MP-Test.exe"=
"h:\\Gunz\\GunzLauncher.exe"=
"g:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Age Of Empires\\Empires.exe"=
"c:\\Age Of Empires\\EMPIRESX.EXE"=
"g:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"h:\\River past audio converter\\Audio Converter\\AudioConverter.exe"=
"g:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"h:\\Bit Torrent\\BitTorrent\\bittorrent.exe"=

R0 d347bus;d347bus;g:\windows\system32\drivers\d347bus.sys [7/06/2007 9:49 155136]
R0 d347prt;d347prt;g:\windows\system32\drivers\d347prt.sys [7/06/2007 9:49 5248]
R1 hwinterface;hwinterface;g:\windows\system32\drivers\hwinterface.sys [14/01/2007 11:07 3026]
R3 WsAudioDevice_383;WsAudioDevice_383;g:\windows\system32\drivers\WsAudioDevice_383.sys [15/11/2009 19:11 16640]
S3 bfastfao;bfastfao;\??\g:\docume~1\SPEEDY~1\LOCALS~1\Temp\bfastfao.sys --> g:\docume~1\SPEEDY~1\LOCALS~1\Temp\bfastfao.sys [?]
S3 zlportio;ZLPORTIO - Allow user access to I/O ports;g:\windows\system32\zlportio.sys [11/01/2007 20:21 4016]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sporza.be/cm/sporza
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xporteren naar Microsoft Excel - h:\office~1\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{3ad798d0-4642-4c55-bc14-cfe7dd19e0d1} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-LimeWire Download Accelerator - f:\daan\LimeWire Download Accelerator\Uninstall.exe
AddRemove-NVIDIA Drivers - g:\windows\system32\nvudisp.exe UninstallGUI

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-03 17:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82C48AB0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8770f28
\Driver\ACPI -> ACPI.sys @ 0xf86bccb8
\Driver\atapi -> 0x82c48ab0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
	ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
	ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: -> SendCompleteHandler -> 0x0
	PacketIndicateHandler -> 0x0
	SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2228)
g:\windows\system32\webcheck.dll
g:\windows\system32\WPDShServiceObj.dll
g:\windows\system32\PortableDeviceTypes.dll
g:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
g:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
g:\windows\system32\IoctlSvc.exe
g:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-03 17:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-03 16:43

Pre-Run: 559.931.392 bytes free
Post-Run: 7.198.760.960 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /noguiboot

- - End Of File - - 1868F9BCD72383FD4420D5D9F262B34E
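Three things in the log above deserve a closer look before anything else: the Gmer section maps the \Driver\atapi dispatch pointer (0x82c48ab0) to no loaded module, BootExecute carries a second entry (SsiEfr.e) next to the stock autocheck, and four executables (3e78.dll, oulwsv.exe, DAUninstall.exe, rpff.dll) were created within two minutes of each other on 2009-09-30 in four unrelated directories. The script below is an added example, not part of the poster's log and not code from ComboFix or Gmer: it parses a constructed excerpt of exactly those lines and flags each of the three patterns. Assumptions: the Find3M columns are read as last-write time, creation time, size, attributes, path (my reading of the layout, supported by the msv1_0.dll line, where the creation date predates the modification date); the two-minute clustering window is a chosen heuristic; and the BootExecute value is given already split on the \0 separator ComboFix prints.

```python
"""Triage of a few ComboFix / Gmer log lines (added example, not tool code)."""
import re
from datetime import datetime, timedelta

# Constructed excerpt: Find3M lines copied from the log. Column reading (an
# assumption about ComboFix's layout): last-write . creation  size  attrs  path
FIND3M = """\
2009-10-26 08:49 . 2004-08-04 12:00 90846 ----a-w- g:\\windows\\system32\\perfc013.dat
2009-10-19 08:47 . 2009-09-30 07:58 -------- d-----w- g:\\documents and settings\\Speedy Gonzalez\\Application Data\\DealAssistant
2009-09-30 07:59 . 2009-09-30 07:59 130560 ----a-w- g:\\documents and settings\\Speedy Gonzalez\\Application Data\\Microsoft\\Windows\\oulwsv.exe
2009-09-30 07:59 . 2009-09-30 07:59 269824 ----a-w- g:\\documents and settings\\Speedy Gonzalez\\Application Data\\DealAssistant\\DAUninstall.exe
2009-09-30 07:58 . 2009-09-30 07:58 729088 ----a-w- g:\\windows\\system32\\3e78.dll
2009-09-11 14:20 . 2008-07-28 12:31 136192 ----a-w- g:\\windows\\system32\\msv1_0.dll
2009-09-30 07:59 . 2009-09-30 07:59 210944 ----a-w- g:\\program files\\mozilla firefox\\components\\rpff.dll
"""

# Constructed excerpt: the hook lines from the Gmer MBR detector section.
HOOKS = """\
\\Driver\\Disk -> CLASSPNP.SYS @ 0xf8770f28
\\Driver\\ACPI -> ACPI.sys @ 0xf86bccb8
\\Driver\\atapi -> 0x82c48ab0
"""

# The BootExecute REG_MULTI_SZ from the log, already split on the \0 separator.
BOOT_EXECUTE = ["autocheck autochk *", "SsiEfr.e"]

FIND3M_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<ctime>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"\s+(?P<size>\d+|-+)\s+(?P<attr>[-a-z]+)\s+(?P<path>.+)$")
# "<object> -> [<module> @ ]<address>": the module part is absent when the
# detector could not attribute the address to any loaded image.
HOOK_RE = re.compile(
    r"^(?P<obj>\\(?:Driver|Device)\\\S+) -> (?:(?P<module>\S+) @ )?(?P<addr>0x[0-9a-fA-F]+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr")


def parse_find3m(text):
    """Return one dict per Find3M line, with both timestamps parsed."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["mtime"] = datetime.strptime(e["mtime"], "%Y-%m-%d %H:%M")
        e["ctime"] = datetime.strptime(e["ctime"], "%Y-%m-%d %H:%M")
        entries.append(e)
    return entries


def creation_clusters(entries, window=timedelta(minutes=2)):
    """Group executables whose creation times fall within `window` of the
    previous one (sorted by creation time). The window is a chosen heuristic."""
    execs = sorted((e for e in entries if e["path"].lower().endswith(EXEC_EXT)),
                   key=lambda e: e["ctime"])
    clusters, current = [], []
    for e in execs:
        if current and e["ctime"] - current[-1]["ctime"] > window:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return clusters


def suspicious_clusters(entries):
    """Bursts of two or more executables landing in different directories at
    once: the footprint of a single installer writing to several places."""
    hits = []
    for cluster in creation_clusters(entries):
        dirs = {e["path"].lower().rsplit("\\", 1)[0] for e in cluster}
        if len(cluster) >= 2 and len(dirs) >= 2:
            hits.append(cluster)
    return hits


def unresolved_hooks(text):
    """Driver-object dispatch pointers with no 'MODULE @' in front of the address,
    i.e. code reached through a driver object that lives outside every loaded
    image. That is the condition behind the detector's warning line."""
    hits = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m and m.group("module") is None:
            hits.append((m.group("obj"), int(m.group("addr"), 16)))
    return hits


def unexpected_boot_execute(values):
    """BootExecute normally holds only 'autocheck autochk *'. Anything else is a
    native-mode program run before the Win32 subsystem and user-mode AV start."""
    return [v for v in values if not v.startswith("autocheck autochk")]


if __name__ == "__main__":
    for cluster in suspicious_clusters(parse_find3m(FIND3M)):
        print("burst of executables created around", cluster[0]["ctime"])
        for e in cluster:
            print("   ", e["size"].rjust(7), e["path"])
    for obj, addr in unresolved_hooks(HOOKS):
        print("dispatch pointer outside any known module:", obj, hex(addr))
    for v in unexpected_boot_execute(BOOT_EXECUTE):
        print("extra BootExecute entry:", v)
```

The kernel addresses are only meaningful for the boot this log was taken on; what the check keys on is the absence of a module name, not the address value. The same three functions work on any pasted ComboFix log of this vintage once the relevant sections are fed to them, and none of them names a malware family: they narrow the log down to the entries that need hashes, signatures and context before a verdict.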