ComboFix 10-10-27.A3 - Wouter 28-10-2010  22:24:14.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.31.1043.18.959.540 [GMT 2:00]
Running from: c:\documents and settings\Wouter\Bureaublad\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Documenten\Server\admin.txt
c:\documents and settings\All Users\Documenten\Server\server.dat
c:\windows\system32\drivers\ubkzklj.sys
c:\windows\system32\drivers\zzrealhlbtlo.sys
c:\windows\system32\drivers\zzrealhlbtlo.sys . . . is infected!! . . . Failed to find a valid replacement.
c:\windows\system32\drivers\ubkzklj.sys . . . is infected!! . . . Failed to find a valid replacement.
c:\windows\system32\winlogon.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_hvoticcrcmxsv
-------\Service_uyjxpmuxznq

((((((((((((((((((((   Files Created from 2010-09-28 to 2010-10-28   ))))))))))))))))))))))))))))))
.
2010-10-28 12:49 . 2010-10-28 14:47	--------	d-----w-	c:\documents and settings\Wouter\Application Data\AVG
2010-10-28 12:38 . 2010-10-28 12:38	--------	d--h--w-	c:\documents and settings\All Users\Application Data\Common Files
2010-10-28 12:34 . 2010-10-28 12:44	--------	d-----w-	c:\windows\system32\drivers\AVG
2010-10-28 12:34 . 2010-10-28 12:40	--------	d-----w-	c:\documents and settings\All Users\Application Data\AVG10
2010-10-28 12:22 . 2010-10-28 12:25	--------	d-----w-	c:\documents and settings\All Users\Application Data\MFAData
2010-10-27 21:01 . 2010-10-27 21:01	--------	d-----w-	c:\program files\The FilmMachine
2010-10-27 19:25 . 2010-10-27 19:25	--------	d-----w-	c:\program files\Trend Micro
2010-10-27 14:40 . 2010-10-27 14:44	--------	d-----w-	c:\documents and settings\All Users\Application Data\DivX
2010-10-26 10:21 . 2010-10-26 10:21	--------	d-s---w-	c:\documents and settings\LocalService\UserData
2010-10-24 12:31 . 2010-10-24 12:34	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-23 00:37 . 2010-10-23 00:37	--------	d-----w-	c:\documents and settings\Wouter\Application Data\Malwarebytes
2010-10-23 00:37 . 2010-04-29 13:39	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-23 00:37 . 2010-10-23 00:37	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-23 00:37 . 2010-10-23 00:37	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-10-23 00:37 . 2010-04-29 13:39	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-10-23 00:27 . 2010-10-23 00:27	--------	d-s---w-	c:\documents and settings\NetworkService\UserData
2010-10-23 00:26 . 2010-10-23 00:26	--------	d-----w-	c:\program files\Enigma Software Group
2010-10-23 00:25 . 2010-10-23 00:34	--------	d-----w-	c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP
2010-10-23 00:25 . 2010-10-23 00:25	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
.
((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-13 14:27 . 2010-09-13 14:27	25680	----a-w-	c:\windows\system32\drivers\AVGIDSEH.sys
2010-09-08 07:09 . 2010-04-19 17:23	108032	----a-w-	c:\windows\system32\ff_vfw.dll
2010-09-07 01:49 . 2010-09-07 01:49	298448	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2010-09-07 01:48 . 2010-09-07 01:48	34384	----a-w-	c:\windows\system32\drivers\avgmfx86.sys
2010-09-07 01:48 . 2010-09-07 01:48	249424	----a-w-	c:\windows\system32\drivers\avgldx86.sys
2010-09-07 01:48 . 2010-09-07 01:48	26064	----a-w-	c:\windows\system32\drivers\avgrkx86.sys
2010-08-19 19:42 . 2010-08-19 19:42	30288	----a-w-	c:\windows\system32\drivers\AVGIDSFilter.sys
2010-08-19 19:42 . 2010-08-19 19:42	123472	----a-w-	c:\windows\system32\drivers\AVGIDSDriver.sys
2010-08-19 19:42 . 2010-08-19 19:42	26192	----a-w-	c:\windows\system32\drivers\AVGIDSShim.sys
.
------- Sigcheck -------
[-] 2004-08-03 . C02C46938FC1DA6AC0F0710783256B1B . 504832 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2004-08-03 . 0FBCB62EFB049382A94D4AB3ED6D925F . 1035776 . . [6.00.2900.2180] . . c:\windows\explorer.exe
[-] 2009-08-29 . B5B48B139753F4B5BEB238697477F131 . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe" [2008-08-13 405504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-10-22 53248]
"AudioDeck"="c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe" [2007-08-09 528384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2010-09-15 2745696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2004-08-03 100864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\MsgPlusLoader.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 05:58	611712	----a-w-	c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04	1164584	----a-w-	c:\program files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScanUtility]
2009-05-19 16:11	136544	----a-w-	c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-03 23:15	1667584	------w-	c:\program files\Messenger\msmsgs.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\ComicRack\\ComicRack.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13-9-2010 16:27 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [7-9-2010 3:48 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7-9-2010 3:48 249424]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7-9-2010 3:49 298448]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [11-10-2010 12:58 6104656]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [10-9-2010 1:45 265400]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [8-5-2010 12:32 4497704]
R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [8-5-2010 12:33 113448]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19-8-2010 21:42 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19-8-2010 21:42 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19-8-2010 21:42 26192]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18-3-2010 13:16 130384]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [21-5-2008 13:42 64000]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [8-5-2010 12:32 16168]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18-3-2010 13:16 753504]
.
Contents of the 'Scheduled Tasks' folder

2009-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.nl/webhp?rls=ig
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Wouter\Application Data\Mozilla\Firefox\Profiles\hxy4792y.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/ig?hl=nl
FF - component: c:\program files\AVG\AVG10\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\TabletPlugins\npwacom.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-reform70700isoload - c:\documents and settings\Wouter\Application Data\15CF8947F8C20484237C9443884F35A3\reform70700isoload.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-28 22:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   AudioDeck = c:\program files\VIA\VIAudioi\SBADeck\ADeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85750446]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1164)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG10\avgchsvx.exe
c:\progra~1\AVG\AVG10\avgrsx.exe
c:\windows\system32\VTTimer.exe
c:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\AVG\AVG10\avgnsx.exe
c:\program files\AVG\AVG10\avgemcx.exe
c:\program files\WTouch\WTouchUser.exe
.
**************************************************************************
.
Completion time: 2010-10-28  22:40:05 - machine was rebooted
ComboFix-quarantined-files.txt  2010-10-28 20:40

Pre-Run: 76.311.281.664 bytes free
Post-Run: 76.215.320.576 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F5F43062099169AAD8D727CD5127505D
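The two parts of this log a responder acts on are the "is infected" lines in the deletion section and the Sigcheck block: three Windows binaries (winlogon.exe, explorer.exe, sfcfiles.dll) fail ComboFix's check, and two random-named drivers could not be replaced with a clean copy. Below is an added example, not part of the posted log or of ComboFix itself, that parses those two record formats and ranks the hits so they can be read together. The sample text is the log's own lines pasted into a string; the CORE_NOTES table and the severity rules are this example's own assumptions, not anything ComboFix outputs.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: the "is infected" and Sigcheck lines from the ComboFix
# log above, pasted into a raw string so the example runs offline.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\zzrealhlbtlo.sys . . . is infected!! . . . Failed to find a valid replacement.
c:\windows\system32\drivers\ubkzklj.sys . . . is infected!! . . . Failed to find a valid replacement.
c:\windows\system32\winlogon.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
.
------- Sigcheck -------
[-] 2004-08-03 . C02C46938FC1DA6AC0F0710783256B1B . 504832 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2004-08-03 . 0FBCB62EFB049382A94D4AB3ED6D925F . 1035776 . . [6.00.2900.2180] . . c:\windows\explorer.exe
[-] 2009-08-29 . B5B48B139753F4B5BEB238697477F131 . 1548288 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
"""

# Sigcheck record: "[-] date . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<mark>[^\]])\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+(?P<md5>[0-9a-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$",
    re.IGNORECASE,
)
# Deletion-section note: "path . . . is infected!! [ . . . note]"
# (the Dutch build prints "is geïnfecteerd!!"; both spellings are accepted)
INFECTED_RE = re.compile(
    r"^(?P<path>[a-z]:\\\S.*?)\s+\.\s+\.\s+\.\s+is (?:infected|geïnfecteerd)!!"
    r"(?:\s+\.\s+\.\s+\.\s+(?P<note>\S.*?))?\s*$",
    re.IGNORECASE,
)

# Assumed table for this example: files whose modification matters beyond
# "one more patched binary". sfcfiles.dll holds Windows File Protection's
# list of protected files, so a patched copy can keep SFC from noticing
# or restoring other modified system files.
CORE_NOTES = {
    "winlogon.exe": "logon process; runs as SYSTEM before any user session",
    "explorer.exe": "shell; runs in every interactive user session",
    "sfcfiles.dll": "Windows File Protection file list; a patched copy blinds SFC",
}


@dataclass(frozen=True)
class SigRecord:
    mark: str      # "-" means ComboFix did not accept the file as known-good
    date: str
    md5: str
    size: int
    version: str
    path: str      # lower-cased so it joins with the deletion section


@dataclass(frozen=True)
class Finding:
    path: str
    severity: str            # "high" or "medium" (this example's own scale)
    reasons: Tuple[str, ...]


def parse_sigcheck(lines: Iterable[str]) -> List[SigRecord]:
    """Extract every Sigcheck record from the given log lines."""
    out = []
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if m:
            out.append(SigRecord(m["mark"], m["date"], m["md5"].upper(),
                                 int(m["size"]), m["version"], m["path"].lower()))
    return out


def parse_infected(lines: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each 'is infected' path to ComboFix's trailing note, if any."""
    out: Dict[str, Optional[str]] = {}
    for line in lines:
        m = INFECTED_RE.match(line.strip())
        if m:
            out[m["path"].lower()] = m["note"]
    return out


def triage(log_text: str) -> List[Finding]:
    """Join both sections: a [-] on a core binary, or any file ComboFix
    reported infected, is 'high'; an unexplained [-] elsewhere is 'medium'."""
    lines = log_text.splitlines()
    infected = parse_infected(lines)
    findings: Dict[str, Finding] = {}
    for rec in parse_sigcheck(lines):
        if rec.mark != "-":
            continue
        reasons = [f"Sigcheck [-]: md5 {rec.md5}, {rec.size} bytes, version {rec.version}"]
        severity = "medium"
        base = rec.path.rsplit("\\", 1)[-1]
        if base in CORE_NOTES:
            reasons.append(CORE_NOTES[base])
            severity = "high"
        if rec.path in infected:
            reasons.append("also reported as infected")
            if infected[rec.path]:
                reasons.append(infected[rec.path])
            severity = "high"
        findings[rec.path] = Finding(rec.path, severity, tuple(reasons))
    for path, note in infected.items():
        if path in findings:
            continue
        reasons = ["reported as infected"]
        if note:
            reasons.append(note)   # e.g. no clean copy was available to restore
        findings[path] = Finding(path, "high", tuple(reasons))
    return sorted(findings.values(), key=lambda f: (f.severity != "high", f.path))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.path}")
        for r in f.reasons:
            print(f"       - {r}")
```

Run against the sample, all five hits come out "high": the three Sigcheck failures because they are core binaries (two of them also appear in the infected list), and the two drivers because ComboFix reported them infected and noted it found no valid replacement. The hashes in the Sigcheck records are what the log shows, not a statement about which build they belong to; confirming a clean copy still means comparing them against the vendor's own file for that service pack and language.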