ComboFix 10-05-08.03 - Carla 09-05-2010 22:58:09.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.1014.621 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Carla\Bureaublad\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
 * Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Carla\Application Data\9A6B3284A0556937CA50B40E2C726909
c:\documents and settings\Carla\Application Data\9A6B3284A0556937CA50B40E2C726909\enemies-names.txt
c:\documents and settings\Carla\Application Data\9A6B3284A0556937CA50B40E2C726909\gotnewupdate000.exe
c:\documents and settings\Carla\Application Data\9A6B3284A0556937CA50B40E2C726909\hookdll.dll
c:\documents and settings\Carla\Local Settings\Application Data\xgjaqbqlt
c:\documents and settings\Carla\Local Settings\Application Data\xgjaqbqlt\xsrffdqtssd.exe
c:\documents and settings\Carla\Menu Start\Programma's\Opstarten\OpenOffice.org 2.0 .lnk
c:\windows\system32\driVERs\hsnsd.sys
c:\windows\system32\pwdmon.dll

Besmet exemplaar van c:\windows\system32\drivers\i8042prt.sys werd aangetroffen en gedesinfecteerd
Hersteld exemplaar van - Kitty had a snack :p
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_hsnsd
-------\Service_hsnsd


(((((((((((((((((((( Bestanden Gemaakt van 2010-04-09 to 2010-05-09 ))))))))))))))))))))))))))))))
.

2010-05-09 20:41 . 2010-05-09 20:41 -------- d-----w- c:\documents and settings\Carla\Application Data\AVG9
2010-05-09 18:50 . 2010-05-09 18:50 -------- d-----w- c:\documents and settings\Carla\Application Data\Malwarebytes
2010-05-09 18:50 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-09 18:50 . 2010-05-09 18:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-09 18:50 . 2010-05-09 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-09 18:50 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-09 11:39 . 2010-05-09 11:39 388096 ----a-r- c:\documents and settings\Carla\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-09 11:39 . 2010-05-09 11:39 -------- d-----w- c:\program files\Trend Micro
2010-05-05 16:28 . 2010-05-05 16:28 50990 ----a-w- c:\windows\system32\gvifzgzugzbf.exe
2010-04-25 12:52 . 2010-04-25 12:52 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-04-25 12:50 . 2010-04-25 12:50 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-19 18:12 . 2010-04-19 18:12 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-19 18:12 . 2010-04-19 18:12 17134 ----a-w- c:\windows\system32\PCANDIS5.SYS
2010-04-18 09:39 . 2010-02-23 12:04 1664256 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-04-18 09:05 . 2010-04-18 09:05 -------- d-----w- C:\$AVG
2010-04-18 09:05 . 2010-05-05 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-04-18 09:01 . 2010-05-09 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-07 05:20 . 2006-01-12 21:18 -------- d-----w- c:\documents and settings\Carla\Application Data\Skype
2010-05-02 09:01 . 2006-09-08 18:49 54 ---h--w- c:\windows\system32\atcarla.sys
2010-04-25 12:51 . 2008-06-05 08:58 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-18 09:05 . 2007-01-04 11:46 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-18 09:05 . 2008-06-05 08:58 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-18 09:05 . 2008-07-03 18:13 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-28 06:26 . 1979-12-31 23:00 69812 ----a-w- c:\windows\system32\perfc013.dat
2010-03-28 06:26 . 1979-12-31 23:00 442556 ----a-w- c:\windows\system32\perfh013.dat
2010-03-22 19:01 . 2008-06-05 08:57 -------- d-----w- c:\program files\AVG
2010-03-10 06:17 . 1979-12-31 23:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:20 . 1979-12-31 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 1979-12-31 23:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-20 17:04 . 2006-02-06 15:49 42752 ----a-w- c:\documents and settings\Carla\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-17 12:09 . 1979-12-31 23:00 2194304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 19:09 . 2004-08-03 23:58 2071168 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-03-11 18:04 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:35 . 1979-12-31 23:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 1979-12-31 23:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{34ea1c70-42cc-42c5-aa29-ec58b95a343e}"= "c:\program files\myBabylon\tbmyBa.dll" [2008-02-14 1555480]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
2008-02-14 12:54 1555480 ----a-w- c:\program files\myBabylon\tbmyBa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 12:04 1664256 ----a-w- c:\program files\AVG\avg9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{34ea1c70-42cc-42c5-aa29-ec58b95a343e}"= "c:\program files\myBabylon\tbmyBa.dll" [2008-02-14 1555480]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{34EA1C70-42CC-42C5-AA29-EC58B95A343E}"= "c:\program files\myBabylon\tbmyBa.dll" [2008-02-14 1555480]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{34ea1c70-42cc-42c5-aa29-ec58b95a343e}]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeSupport"="c:\program files\adobe\adobe photoshop cs2\plug-ins\extensions\mmxcoremultiprocessor.exe" [2010-05-09 160768]
"UninstPSViews"="c:\program files\adobe\photoshop 7.0\photoshoppsviews.exe" [2010-05-09 160768]
"SupportFastCore"="c:\program files\adobe\adobe photoshop cs2\plug-ins\extensions\mmxcoremultiprocessor.exe" [2010-05-09 160768]
"OrderPurchase"="c:\program files\adobe\adobe acrobat 7.0\designer 7.0\en\samples\purchase order\schema\outputs\orderpurchase.exe" [2010-05-09 160768]
"ColoDecorativeClassic"="c:\program files\adobe\illustrator cs\presets\patterns\decorative\colodecorativeclassic.exe" [2010-05-09 160768]
"ServicesWizard"="c:\program files\adobe\acrobat 7.0\reader\plug_ins\picturetasks\ols\onlineadobe.exe" [2010-05-09 160768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SupportAdobe"="c:\program files\adobe\adobe photoshop cs2\plug-ins\extensions\mmxcoremultiprocessor.exe" [2010-05-09 160768]
"Resourcealmuirsc"="c:\program files\adobe\adobe indesign cs2\activation\en_ie\adobealmuirsc.exe" [2010-05-09 160768]
"OrderPurchase"="c:\program files\adobe\adobe acrobat 7.0\designer 7.0\en\samples\purchase order\dynamic interactive\forms\orderpurchase32625.exe" [2010-05-09 160768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-1-18 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-17 110592]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-9-17 110592]
Adobe Reader Snelle start.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
BTTray.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2005-5-24 565309]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-16 24576]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-10-13 495432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-04-12 15:39 110179 ----a-w- c:\program files\IBM fingerprint software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 02:07 262144 ----a-w- c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-12 19:11 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2007-03-14 14:52 3770024 ----a-w- c:\program files\TomTom HOME\TomTomHOME.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\avg9\\avgupd.exe"=
"c:\\Program Files\\AVG\\avg9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [16-12-2005 11:03 14208]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5-6-2008 10:58 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5-6-2008 10:58 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\avg9\avgwdsvc.exe [18-4-2010 11:03 308064]
R2 SmiHlp;SMI helper driver;c:\program files\IBM fingerprint software\smihlp.sys [12-4-2005 17:31 3328]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [16-12-2005 11:03 6016]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [1-1-1980 1:00 14336]
S0 nxthrqb;nxthrqb; [x]
S1 ztwshrkqtnt3;ztwshrkqtnt3;c:\windows\system32\drivers\ztwshrkqtnt3.sys --> c:\windows\system32\drivers\ztwshrkqtnt3.sys [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\avg9\Toolbar\ToolbarBroker.exe [18-4-2010 11:05 369920]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\DRIVERS\CSVirtA.sys --> c:\windows\system32\DRIVERS\CSVirtA.sys [?]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [17-9-2006 21:41 30192]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [16-12-2005 12:31 12288]
.
Inhoud van de 'Gedeelde Taken' map

2010-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-05-05 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-12-16 00:01]

2010-05-09 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 20:18]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.nl/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Verzenden naar &Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\avg9\Toolbar\IEToolbar.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://foto.hema.nl/ips-opdata/layout/hema/objects/jordan.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://adc.mssl.routit.net/CACHE/webvpn/stc/1/binaries/vpnweb.cab
.
- - - - ORPHANS VERWIJDERD - - - -

MSConfigStartUp-Babylon Client - c:\program files\Babylon\Babylon-Pro\Babylon.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
AddRemove-Dell Photo AIO Printer 922 - c:\windows\system32\spool\drivers\w32x86\3\DLBTUNST.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-09 23:07
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\vrlogon.dll
c:\program files\IBM fingerprint software\ExtVapi.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\program files\Common Files\Virtual Token\resmgr.dll
c:\program files\Common Files\Virtual Token\Remote.dll
c:\program files\IBM fingerprint software\psfus.dll
c:\windows\system32\tphklock.dll
c:\program files\Common Files\Virtual Token\passport.dll
c:\program files\Common Files\Virtual Token\config.dll
c:\program files\Common Files\Virtual Token\LocPass.dll
c:\program files\Common Files\Virtual Token\SBioPass.dll
c:\program files\Common Files\Virtual Token\psdlg.dll

- - - - - - - > 'Explorer.exe'(3704)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\program files\Common Files\Virtual Token\vtserver.exe
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
c:\windows\System32\QCONSVC.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
.
**************************************************************************
.
Voltooingstijd: 2010-05-09 23:13:44 - machine werd herstart
ComboFix-quarantined-files.txt 2010-05-09 21:13

Pre-Run: 9.733.632.000 bytes beschikbaar
Post-Run: 9.871.659.008 bytes beschikbaar

WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - DAA7C094452ECBBDAE9FF55AF8C93282