ComboFix 09-12-02.08 - Speedy Gonzalez 04/12/2009 10:51.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.32.1043.18.512.271 [GMT 1:00]
Gestart vanuit: g:\documents and settings\Speedy Gonzalez\Bureaublad\ComboFix.exe
gebruikte Opdracht switches :: g:\documents and settings\Speedy Gonzalez\Bureaublad\CFScript.txt

FILE ::
"g:\program files\mozilla firefox\components\rpff.dll"
"g:\windows\system32\3e78.dll"
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

g:\program files\mozilla firefox\components\rpff.dll
g:\windows\system32\3e78.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BFASTFAO
-------\Service_bfastfao


(((((((((((((((((((( Bestanden Gemaakt van 2009-11-04 to 2009-12-04 ))))))))))))))))))))))))))))))
.

2009-11-25 10:29 . 2009-11-25 10:29    -------    d-----w-    g:\documents and settings\All Users\Application Data\McAfee
2009-11-15 19:23 . 2009-11-15 20:27    -------    d-----w-    g:\documents and settings\Speedy Gonzalez\Application Data\BitTorrent
2009-11-15 18:36 . 2009-11-15 18:37    -------    d-----w-    g:\program files\Windows Live Safety Center
2009-11-15 18:32 . 2009-11-15 18:32    -------    d-----w-    g:\program files\Microsoft
2009-11-15 18:31 . 2009-11-15 18:31    -------    d-----w-    g:\program files\Windows Live SkyDrive
2009-11-15 18:11 . 2008-11-19 08:41    16640      ----a-w-    g:\windows\system32\drivers\WsAudioDevice_383.sys
2009-11-15 18:10 . 2009-11-15 18:10    -------    d-----w-    g:\windows\SysWOW64

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 08:49 . 2004-08-04 12:00    90846      ----a-w-    g:\windows\system32\perfc013.dat
2009-10-26 08:49 . 2004-08-04 12:00    508900     ----a-w-    g:\windows\system32\perfh013.dat
2009-10-24 10:35 . 2008-02-17 00:05    -------    d-----w-    g:\program files\Common Files\Wise Installation Wizard
2009-10-24 10:18 . 2007-01-11 21:46    -------    d--h--w-    g:\program files\InstallShield Installation Information
2009-10-19 08:47 . 2009-09-30 07:58    -------    d-----w-    g:\documents and settings\Speedy Gonzalez\Application Data\DealAssistant
2009-09-30 07:59 . 2009-09-30 07:59    130560     ----a-w-    g:\documents and settings\Speedy Gonzalez\Application Data\Microsoft\Windows\oulwsv.exe
2009-09-30 07:59 . 2009-09-30 07:59    269824     ----a-w-    g:\documents and settings\Speedy Gonzalez\Application Data\DealAssistant\DAUninstall.exe
2009-09-11 14:20 . 2008-07-28 12:31    136192     ----a-w-    g:\windows\system32\msv1_0.dll

.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{d71fe359-17ba-4e33-a163-ef41b00fd61d}"= "g:\program files\ST_Forum_tool\tbST_1.dll" [2009-11-20 2166296]

[HKEY_CLASSES_ROOT\clsid\{d71fe359-17ba-4e33-a163-ef41b00fd61d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d71fe359-17ba-4e33-a163-ef41b00fd61d}]
2009-11-20 12:10    2166296    ----a-w-    g:\program files\ST_Forum_tool\tbST_1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{d71fe359-17ba-4e33-a163-ef41b00fd61d}"= "g:\program files\ST_Forum_tool\tbST_1.dll" [2009-11-20 2166296]

[HKEY_CLASSES_ROOT\clsid\{d71fe359-17ba-4e33-a163-ef41b00fd61d}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D71FE359-17BA-4E33-A163-EF41B00FD61D}"= "g:\program files\ST_Forum_tool\tbST_1.dll" [2009-11-20 2166296]

[HKEY_CLASSES_ROOT\clsid\{d71fe359-17ba-4e33-a163-ef41b00fd61d}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="g:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="g:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="g:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"HPDJ Taskbar Utility"="g:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 188416]
"PrnSys Executable"="c:\program files\Hewlett-Packard\hp print screen utility\PrnSys.exe" [2002-01-24 36864]
"NvCplDaemon"="g:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"QuickTime Task"="g:\program files\QuickTime\qttask.exe" [2008-06-03 155648]
"SoundMan"="SOUNDMAN.EXE" - g:\windows\SOUNDMAN.EXE [2007-01-11 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ    autocheck autochk *\0SsiEfr.e

[HKLM\~\startupfolder\G:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Snelle start.lnk]
path=g:\documents and settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Snelle start.lnk
backup=g:\windows\pss\Adobe Reader Snelle start.lnkCommon Startup

[HKLM\~\startupfolder\G:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Microsoft Office.lnk]
path=g:\documents and settings\All Users\Menu Start\Programma's\Opstarten\Microsoft Office.lnk
backup=g:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"svcWRSSSDK"=2 (0x2)
"ose"=3 (0x3)
"Maxtor Sync Service"=2 (0x2)
"InCDsrv"=2 (0x2)
"gusvc"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"HP Status Server"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"NVSvc"=2 (0x2)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Nero BackItUp Scheduler 3"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"g:\\Program Files\\Messenger\\msmsgs.exe"=
"g:\\Program Files\\NetMeeting\\conf.exe"=
"h:\\Maple 11\\Programma\\jre\\bin\\maple.exe"=
"g:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Need For Speed Carbon\\NFSC.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"g:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\SOF\\Programma\\Soldier of Fortune II - Double Helix MP TEST\\Soldier of Fortune II - Double Helix MP TEST\\SoF2MP-Test.exe"=
"h:\\Gunz\\GunzLauncher.exe"=
"g:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Age Of Empires\\Empires.exe"=
"c:\\Age Of Empires\\EMPIRESX.EXE"=
"g:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"h:\\River past audio converter\\Audio Converter\\AudioConverter.exe"=
"g:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"h:\\Bit Torrent\\BitTorrent\\bittorrent.exe"=

R0 d347bus;d347bus;g:\windows\system32\drivers\d347bus.sys [7/06/2007 9:49 155136]
R0 d347prt;d347prt;g:\windows\system32\drivers\d347prt.sys [7/06/2007 9:49 5248]
R1 hwinterface;hwinterface;g:\windows\system32\drivers\hwinterface.sys [14/01/2007 11:07 3026]
R3 WsAudioDevice_383;WsAudioDevice_383;g:\windows\system32\drivers\WsAudioDevice_383.sys [15/11/2009 19:11 16640]
S3 zlportio;ZLPORTIO - Allow user access to I/O ports;g:\windows\system32\zlportio.sys [11/01/2007 20:21 4016]

.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://sporza.be/cm/sporza
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: E&xporteren naar Microsoft Excel - h:\office~1\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-04 11:02
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82BE3008]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf8770f28
\Driver\ACPI -> ACPI.sys @ 0xf86bccb8
\Driver\atapi -> 0x82be3008
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'explorer.exe'(3016)
g:\windows\system32\webcheck.dll
g:\windows\system32\WPDShServiceObj.dll
g:\windows\system32\PortableDeviceTypes.dll
g:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
g:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
g:\windows\system32\IoctlSvc.exe
g:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Voltooingstijd: 2009-12-04 11:07 - machine werd herstart
ComboFix-quarantined-files.txt 2009-12-04 10:07
ComboFix2.txt 2009-12-03 16:43

Pre-Run: 7.080.034.304 bytes beschikbaar
Post-Run: 7.180.128.256 bytes beschikbaar

- - End Of File - - 65A3387D3A9FF552A42704B1A7140729