ComboFix 10-08-18.04 - Administrator 20-08-2010 9:28.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.1535.1217 [GMT 2:00]
Gestart vanuit: F:\ComboFix.exe
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Application Data\329FC2086EEE44FCD998F43F950927A6
c:\documents and settings\Administrator\Application Data\329FC2086EEE44FCD998F43F950927A6\enemies-names.txt
c:\documents and settings\Administrator\Application Data\329FC2086EEE44FCD998F43F950927A6\local.ini
c:\documents and settings\Administrator\Application Data\329FC2086EEE44FCD998F43F950927A6\lsrslt.ini
c:\documents and settings\Administrator\Application Data\329FC2086EEE44FCD998F43F950927A6\newsecureapp70700.exe
c:\documents and settings\Administrator\Application Data\opwpocopk
c:\documents and settings\Administrator\Application Data\opwpocopk\hnpxghbshdw.exe
c:\documents and settings\Administrator\Local Settings\Application Data\opwpocopk
c:\documents and settings\Administrator\Local Settings\Application Data\opwpocopk\hnpxghbshdw.exe
c:\documents and settings\Administrator\Local Settings\Application Data\veinpxeml
c:\documents and settings\Administrator\Local Settings\Application Data\veinpxeml\htxwfnvshdw.exe
c:\documents and settings\Administrator\Local Settings\Application Data\viegwlbuv
c:\documents and settings\Administrator\Local Settings\Application Data\viegwlbuv\glixyajshdw.exe
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\uses32.dat

Besmet exemplaar van c:\windows\system32\winlogon.exe werd aangetroffen en gedesinfecteerd
Hersteld exemplaar van - c:\windows\ServicePackFiles\i386\winlogon.exe

Besmet exemplaar van c:\windows\explorer.exe werd aangetroffen en gedesinfecteerd
Hersteld exemplaar van - c:\windows\ServicePackFiles\i386\explorer.exe

Besmet exemplaar van c:\windows\system32\drivers\ndis.sys werd aangetroffen en gedesinfecteerd
Hersteld exemplaar van - c:\windows\ServicePackFiles\i386\ndis.sys
.
(((((((((((((((((((( Bestanden Gemaakt van 2010-07-20 to 2010-08-20 ))))))))))))))))))))))))))))))
.
2010-08-19 21:40 . 2010-08-19 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg7
2010-08-19 18:22 . 2010-08-19 18:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-19 18:22 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-19 18:22 . 2010-08-19 18:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-19 18:22 . 2010-08-19 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-19 18:22 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-19 16:37 . 2010-08-19 16:52 -------- d-----w- c:\program files\Hitman Pro
2010-08-19 16:19 . 2010-08-19 16:19 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-08-19 16:19 . 2010-08-19 16:19 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-08-19 16:05 . 2010-08-19 16:05 210816 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2010-08-19 16:02 . 2010-08-20 07:34 784896 ----a-w- c:\windows\system32\drivers\yzvmi.sys
2010-08-19 15:30 . 2010-08-19 15:30 -------- d-----w- c:\program files\BitTorrent
2010-08-19 15:30 . 2010-08-19 16:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitTorrent
2010-08-19 15:23 . 2010-08-19 15:23 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-08-19 15:23 . 2010-08-19 15:23 -------- d-----w- c:\program files\Windows Live
2010-08-19 14:43 . 2010-08-19 15:19 -------- d-----w- c:\windows\SxsCaPendDel
2010-08-19 14:34 . 2004-08-03 20:31 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2010-08-19 14:34 . 2004-08-03 20:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2010-08-19 08:55 . 2008-03-13 01:10 445504 ----a-r- c:\windows\system32\vp6vfw.dll
2010-08-18 20:44 . 2010-08-18 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\TrackMania
2010-08-18 20:40 . 2005-05-26 13:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-08-18 20:37 . 2010-08-18 20:39 -------- d-----w- c:\program files\TmNationsForever
2010-08-18 20:27 . 2010-08-18 20:27 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ATI
2010-08-18 20:27 . 2010-08-18 20:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2010-08-18 20:22 . 2006-05-03 09:57 520192 ------w- c:\windows\system32\ati2sgag.exe
2010-08-18 20:22 . 2010-08-18 20:23 -------- d-----w- c:\program files\ATI Technologies
2010-08-18 20:21 . 2010-08-18 20:21 -------- d-----w- C:\ATI
2010-08-18 18:19 . 2010-08-18 18:19 -------- d-----w- c:\windows\system32\LogFiles
2010-08-18 17:44 . 2001-09-06 17:04 12288 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-08-18 17:44 . 2001-09-06 17:04 12288 ----a-w- c:\windows\system32\drivers\mouhid.sys
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-19 15:19 . 2008-10-31 21:42 -------- d-----w- c:\program files\Windows Desktop Search
2010-08-19 14:45 . 2004-08-04 12:00 78210 ----a-w- c:\windows\system32\perfc013.dat
2010-08-19 14:45 . 2004-08-04 12:00 459216 ----a-w- c:\windows\system32\perfh013.dat
2010-08-18 20:23 . 2008-10-31 19:31 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-18 20:22 . 2008-10-31 19:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-18 19:52 . 2008-10-31 03:08 90112 ----a-w- c:\windows\DUMP4601.tmp
2010-08-18 19:51 . 2008-10-31 03:08 90112 ----a-w- c:\windows\DUMP6eb7.tmp
2010-08-18 19:49 . 2008-10-31 03:08 90112 ----a-w- c:\windows\DUMP468e.tmp
2010-08-18 19:48 . 2008-10-31 03:08 90112 ----a-w- c:\windows\DUMP6ea8.tmp
2010-08-18 19:13 . 2008-10-31 03:08 90112 ----a-w- c:\windows\DUMP418d.tmp
2010-08-18 19:09 . 2008-10-31 03:08 90112 ----a-w- c:\windows\DUMP43fe.tmp
2010-08-18 19:07 . 2008-10-31 03:08 90112 ----a-w- c:\windows\DUMP44aa.tmp
2010-08-18 19:06 . 2008-10-31 03:08 90112 ----a-w- c:\windows\DUMP44b9.tmp
2010-08-18 19:06 . 2008-10-31 03:08 90112 ----a-w- c:\windows\DUMP4381.tmp
2010-08-18 19:04 . 2008-10-31 03:08 90112 ----a-w- c:\windows\DUMP5da0.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Windows Search.lnk]
path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-04-19 12:26 484904 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\TmNationsForever\\TmForever.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=

S2 vmzsmyns;SetPoint Mouse Filter Monitor;c:\windows\System32\svchost.exe -k netsvcs [4-8-2004 14:00 14336]
S3 hitmanpro2;Hitman Pro 2 Driver;\??\c:\program files\Hitman Pro\hitmanpro2.sys --> c:\program files\Hitman Pro\hitmanpro2.sys [?]

--- Andere Services/Drivers In Geheugen ---

*Deregistered* - yzvmi

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 12:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.nl/
uInternet Settings,ProxyOverride =
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://84.85.164.21/activex/AMC.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-20 09:34
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\yzvmi]
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\crypserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Voltooingstijd: 2010-08-20 09:37:28 - machine werd herstart
ComboFix-quarantined-files.txt 2010-08-20 07:37

Pre-Run: 26.968.133.632 bytes beschikbaar
Post-Run: 27.182.403.584 bytes beschikbaar

WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A0F9E294D9DAF3556DCE8C8C8892142E