ComboFix 10-08-10.06 - Administrator 19/08/2010 9:03.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.32.1043.18.3536.3015 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Administrator\Bureaublad\ComboFix.exe
AV: Total Protection Service *On-access scanning disabled* (Updated) {8C354827-2F54-4E28-90DC-AD391E77808C}
.
- VERMINDERDE FUNCTIONALITEIT MODUS -
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\8cb6910.log
c:\windows\system32\blat.exe
c:\windows\system32\gotomon.log
.
(((((((((((((((((((( Bestanden Gemaakt van 2010-07-19 to 2010-08-19 ))))))))))))))))))))))))))))))
.
2010-08-12 09:34 . 2010-08-18 14:49 574 ----a-w- C:\cleanup.bat
2010-08-12 09:34 . 2010-08-18 14:49 135168 ----a-w- C:\zip.exe
2010-08-12 09:12 . 2010-08-18 15:13 -------- d--h--r- c:\documents and settings\Administrator\Onlangs geopend
2010-08-11 09:40 . 2010-08-11 09:40 -------- d-----w- c:\program files\Common Files\Java
2010-08-11 09:40 . 2010-08-11 09:40 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-178687a2-n\decora-sse.dll
2010-08-11 09:40 . 2010-08-11 09:40 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3d1eb36c-n\msvcp71.dll
2010-08-11 09:40 . 2010-08-11 09:40 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3d1eb36c-n\jmc.dll
2010-08-11 09:40 . 2010-08-11 09:40 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3d1eb36c-n\msvcr71.dll
2010-08-11 09:40 . 2010-08-11 09:40 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-178687a2-n\decora-d3d.dll
2010-08-11 09:39 . 2010-08-11 09:39 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-11 09:39 . 2010-08-11 09:39 -------- d-----w- c:\program files\Java
2010-08-11 07:53 . 2010-08-11 07:53 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-11 07:53 . 2010-08-11 07:53 -------- d-----w- c:\program files\Trend Micro
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-19 07:01 . 2009-04-01 16:15 89084 ----a-w- c:\windows\system32\perfc013.dat
2010-08-19 07:01 . 2009-04-01 16:15 505684 ----a-w- c:\windows\system32\perfh013.dat
2010-08-12 09:08 . 2009-07-10 14:11 -------- d-----w- c:\program files\CCleaner
2010-08-03 08:43 . 2009-10-13 11:09 -------- d-----w- c:\program files\ACDFREE12
2010-07-12 06:56 . 2010-07-12 06:56 -------- d-----w- c:\documents and settings\madhondt\Application Data\McAfee
2010-07-09 06:41 . 2010-07-09 06:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-30 12:33 . 2009-04-01 16:14 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:19 . 2009-04-01 16:15 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:19 . 2009-04-01 16:12 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:19 . 2009-04-01 16:11 17408 ----a-w- c:\windows\system32\corpol.dll
2010-06-24 09:02 . 2009-04-01 16:15 1852032 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2009-04-01 16:14 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2009-04-01 16:12 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2009-04-01 07:24 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:43 . 2009-04-01 16:13 1172480 ----a-w- c:\windows\system32\msxml3.dll
.
------- Sigcheck -------
[-] 2010-05-04 . 8B0B6642296D8CDC4891F8BDF0F3660E . 580096 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2010-05-04 . 8B0B6642296D8CDC4891F8BDF0F3660E . 580096 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-15 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-15 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-15 150040]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-04-30 196608]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-05-22 442467]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-05-20 466944]
"DynamicUSB"="c:\program files\DynamicUSB\DynamicUSB.exe" [2007-03-02 94208]
"MVS Splash"="c:\program files\McAfee\Managed VirusScan\DesktopUI\XTray.exe" [2010-05-11 476480]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-01-20 140568]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe" [2009-01-21 1285688]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe" [2009-01-20 884952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4030456262-320625612-449655040-10600\Scripts\Logon\0\0]
"Script"=\\UGent.be\SysVol\UGent.be\DICT\scripts\logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4030456262-320625612-449655040-20840\Scripts\Logon\0\0]
"Script"=\\UGent.be\SysVol\UGent.be\DICT\scripts\logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4030456262-320625612-449655040-32645\Scripts\Logon\0\0]
"Script"=\\UGent.be\SysVol\UGent.be\DICT\scripts\logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4030456262-320625612-449655040-37618\Scripts\Logon\0\0]
"Script"=\\UGent.be\SysVol\UGent.be\DICT\scripts\logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4030456262-320625612-449655040-43659\Scripts\Logon\0\0]
"Script"=\\UGent.be\SysVol\UGent.be\DICT\scripts\logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4030456262-320625612-449655040-43943\Scripts\Logon\0\0]
"Script"=\\UGent.be\SysVol\UGent.be\DICT\scripts\logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4030456262-320625612-449655040-45604\Scripts\Logon\0\0]
"Script"=\\UGent.be\SysVol\UGent.be\DICT\scripts\logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4030456262-320625612-449655040-5999\Scripts\Logon\0\0]
"Script"=\\UGent.be\SysVol\UGent.be\DICT\scripts\logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4030456262-320625612-449655040-6945\Scripts\Logon\0\0]
"Script"=\\UGent.be\SysVol\UGent.be\DICT\scripts\logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4030456262-320625612-449655040-77506\Scripts\Logon\0\0]
"Script"=\\UGent.be\SysVol\UGent.be\DICT\scripts\logon.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4030456262-320625612-449655040-78772\Scripts\Logon\0\0]
"Script"=\\UGent.be\SysVol\UGent.be\DICT\scripts\logon.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"=
"c:\\Program Files\\Acronis\\TrueImageConsole\\TrueImageRemoteConsole.exe"=
"c:\\Program Files\\Common Files\\Acronis\\Agent\\agent.exe"=
"c:\\Program Files\\Acronis\\GroupServer\\GroupServer.exe"=
"c:\\WINDOWS\\explorer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59152:UDP"= 59152:UDP:SonicWALL Anti-Virus Compliance Port 59152
"59153:UDP"= 59153:UDP:SonicWALL Anti-Virus Compliance Port 59153

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 AcronisBackupServerService;Acronis Backup Server Service;c:\program files\Acronis\BackupServer\backupserver.exe [21/01/2009 13:42 8492112]
R2 EngineServer;EngineServer;c:\program files\McAfee\Managed VirusScan\VScan\EngineServer.exe [2/04/2009 10:16 14144]
R2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe [2/04/2009 10:13 282824]
R2 SWAGENT;SonicWALL Agent Service;c:\program files\McAfee\Managed VirusScan\Agent\swAgent.exe [2/04/2009 10:17 202048]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [1/04/2009 18:09 108160]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [1/04/2009 18:09 32808]
R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [1/04/2009 18:09 244368]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [1/04/2009 18:09 110080]
S0 gobszh;gobszh; [x]
S1 zxacwllx3;zxacwllx3.sys;c:\windows\system32\drivers\zxacwllx3.sys --> c:\windows\system32\drivers\zxacwllx3.sys [?]
S2 AcronisAgent;Acronis Remote Agent;c:\program files\Common Files\Acronis\Agent\agent.exe [21/01/2009 8:17 517848]
S2 GroupServer;Acronis Group Server;c:\program files\Acronis\GroupServer\GroupServer.exe [21/01/2009 13:55 5207320]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55c5c318-647b-11de-9723-00216a351926}]
\Shell\AutoRun\command - SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
\Shell\open\command - SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\Perfume.exe
.
Inhoud van de 'Gedeelde Taken' map
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.be/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: ugent.be\athena
Trusted Zone: ugent.be\athenax
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {89869334-AA13-489A-9A07-2BA062714A29} - hxxp://img.lnm.eu/be.lnm.eu/client/en/MessengerInstaller.cab
DPF: {958FCAB0-616B-11D3-A63F-00001B322780} - hxxp://www.timeticker.com/Timeset/TcpServer.CAB
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\90unminr.default\
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS VERWIJDERD - - - -

AddRemove-MVS - c:\progra~1\McAfee\MANAGE~1\Agent\myinx

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-19 09:07
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A6D6EE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7ecb8
\Driver\atapi -> atapi.sys @ 0xb9ef2852
\Driver\iaStor -> iaStor.sys @ 0xb9e588dc
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->
NDIS: Intel(R) WiFi Link 5300 AGN -> SendCompleteHandler -> NDIS.sys @ 0xb9d2ebb0
PacketIndicateHandler -> NDIS.sys @ 0xb9d1da0d
SendHandler -> NDIS.sys @ 0xb9d31b40

**************************************************************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'lsass.exe'(1028)
c:\windows\system32\relog_ap.dll
.
Voltooingstijd: 2010-08-19 09:11:17
ComboFix-quarantined-files.txt 2010-08-19 07:11

Pre-Run: 112.031.674.368 bytes beschikbaar
Post-Run: 112.319.311.872 bytes beschikbaar

- - End Of File - - 7A337E0B615B018C27782F48750D18FA