ComboFix 10-07-27.04 - Rudy 28/07/2010 14:57:07.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.32.1033.18.255.97 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Rudy\Desktop\ComboFix.exe
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users.\documents\settings
c:\documents and settings\Rudy\Application Data\4DC08B9755EBB6534C2B4BFEDB707D31
c:\documents and settings\Rudy\Application Data\4DC08B9755EBB6534C2B4BFEDB707D31\enemies-names.txt
c:\documents and settings\Rudy\Application Data\4DC08B9755EBB6534C2B4BFEDB707D31\local.ini
c:\documents and settings\Rudy\Application Data\4DC08B9755EBB6534C2B4BFEDB707D31\lsrslt.ini
c:\documents and settings\Rudy\Application Data\ohydy.exe
C:\lsass.exe
c:\windows\system\dwm.exe
c:\windows\system32\drivers\givxknwy.sys
c:\windows\system32\drivers\ndis.sys . . . is geïnfecteerd!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SSHNAS

(((((((((((((((((((( Bestanden Gemaakt van 2010-06-28 to 2010-07-28 ))))))))))))))))))))))))))))))
.
2010-07-28 12:08 . 2010-07-28 12:08 54016 ----a-w- c:\windows\system32\drivers\knolur.sys
2010-07-28 11:28 . 2010-07-28 11:40 -------- d-----w- c:\documents and settings\Rudy\Local Settings\Application Data\phtpkxvpm
2010-07-27 15:36 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-27 15:35 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-26 19:30 . 2010-07-26 21:01 -------- d-----w- c:\documents and settings\Rudy\Local Settings\Application Data\anibaipbq
2010-07-26 18:52 . 2010-07-26 21:01 -------- d-----w- c:\documents and settings\Rudy\Local Settings\Application Data\ksmhyjjkr
2010-07-26 15:17 . 2010-07-26 21:01 -------- d-----w- c:\documents and settings\Rudy\Local Settings\Application Data\hveroltll
2010-07-26 14:11 . 2010-07-26 14:11 -------- d-----w- c:\documents and settings\Rudy\Application Data\Malwarebytes
2010-07-26 14:11 . 2010-07-27 15:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-26 14:11 . 2010-07-26 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-26 13:56 . 2010-07-26 21:01 -------- d-----w- c:\documents and settings\Rudy\Local Settings\Application Data\iammcdugq
2010-07-25 18:03 . 2010-07-25 18:03 388096 ----a-r- c:\documents and settings\Rudy\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-25 18:03 . 2010-07-25 18:03 -------- d-----w- c:\program files\Trend Micro
2010-07-24 10:04 . 2010-07-26 21:01 -------- d-----w- c:\documents and settings\Rudy\Local Settings\Application Data\wxijbatmo
2010-07-23 22:10 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-07-23 22:06 . 2009-11-27 17:11 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2010-07-23 20:21 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-07-23 18:53 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-07-23 18:50 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-07-23 18:50 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-07-23 11:37 . 2010-02-16 14:08 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-07-23 11:37 . 2010-02-17 07:10 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-07-23 11:37 . 2010-02-16 13:25 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-07-16 14:05 . 2010-07-28 11:04 -------- d-----w- c:\documents and settings\Rudy\Application Data\LimeWire
2010-07-16 14:04 . 2010-07-16 14:04 -------- d-----w- c:\program files\LimeWire
2010-07-09 18:39 . 2010-07-09 18:39 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-07-09 18:37 . 2010-07-09 18:44 -------- d-----w- c:\program files\DivX
2010-07-09 18:36 . 2010-07-09 18:44 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-07-09 18:36 . 2010-07-09 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-07-08 17:10 . 2010-07-08 17:10 -------- d-----w- c:\windows\system32\LogFiles
2010-07-03 14:16 . 2010-07-27 21:19 -------- d-----w- c:\program files\PeerBlock
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-27 21:18 . 2010-03-25 19:00 -------- d-----w- c:\documents and settings\Rudy\Application Data\BitTorrent
2010-07-26 13:56 . 2008-04-14 12:00 210816 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-07-18 11:16 . 2010-06-24 15:04 -------- d-----w- c:\documents and settings\Rudy\Application Data\vlc
2010-06-24 12:11 . 2010-06-24 12:11 -------- d-----w- c:\program files\VideoLAN
2010-06-14 14:31 . 2009-09-03 19:04 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-22 13:38 . 2010-05-22 13:38 503808 ----a-w- c:\documents and settings\Rudy\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6d09a6f5-n\msvcp71.dll
2010-05-22 13:38 . 2010-05-22 13:38 499712 ----a-w- c:\documents and settings\Rudy\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6d09a6f5-n\jmc.dll
2010-05-22 13:38 . 2010-05-22 13:38 348160 ----a-w- c:\documents and settings\Rudy\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6d09a6f5-n\msvcr71.dll
2010-05-04 17:20 . 2008-04-14 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2008-04-14 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2008-04-14 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2008-04-14 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
.
------- Sigcheck -------
[-] 2010-07-26 13:56 . !HASH: COULD NOT OPEN FILE !!!!! . 210816 . . [------] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-07-26 13:56 . !HASH: COULD NOT OPEN FILE !!!!! . 210816 . . [------] . . c:\windows\system32\dllcache\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [3/09/2009 21:29 36048]
S0 tbgko;tbgko;c:\windows\system32\drivers\ggwom.sys --> c:\windows\system32\drivers\ggwom.sys [?]
S2 ggxpfzwv;Mouse Class Monitor;c:\windows\System32\svchost.exe -k netsvcs [14/04/2008 14:00 14336]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [27/07/2010 17:36 38224]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [3/07/2010 16:16 14424]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/09/2009 21:32 721904]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ggxpfzwv
.
Inhoud van de 'Gedeelde Taken' map
.
.
------- Bijkomende Scan -------
.
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Rudy\Application Data\Mozilla\Firefox\Profiles\ur0l796d.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://nl.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:nl:official
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\Rudy\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-28 15:04
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x81B7C0E0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf9a76f28
\Driver\ACPI -> ACPI.sys @ 0xf99e9cb8
\Driver\atapi -> atapi.sys @ 0xf997b852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'explorer.exe'(5980)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Voltooingstijd: 2010-07-28 15:08:17 - machine werd herstart
ComboFix-quarantined-files.txt 2010-07-28 13:08

Pre-Run: 15.992.573.952 bytes free
Post-Run: 16.404.705.280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - AFE48CEED51B526F9A7E65BF51ED2762