ComboFix 10-11-12.01 - Lammert 11/13/2010 0:50.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1043.18.1535.930 [GMT 1:00]
Running from: c:\documents and settings\Lammert\Bureaublad\ComboFix.exe
Command switches used :: c:\documents and settings\Lammert\Bureaublad\CFScript.txt
AV: AVG Anti-Virus Free Edition 2011 *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

FILE ::
"c:\windows\005717_.tmp"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\005717_.tmp
.
((((((((((((((((((((((((( Files Created from 2010-10-13 to 2010-11-13 )))))))))))))))))))))))))))))))
.
2010-11-12 11:10 . 2010-11-12 11:10 -------- d-----w- c:\program files\WarRock
2010-11-12 11:08 . 2010-11-12 11:08 -------- d-----w- c:\documents and settings\Lammert\Application Data\AVG10
2010-11-12 10:59 . 2010-11-12 10:59 -------- d-----w- c:\documents and settings\LocalService\Bureaublad
2010-11-12 10:59 . 2010-11-12 10:59 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-11-12 10:50 . 2010-11-12 10:50 -------- d-----w- C:\$AVG
2010-11-12 10:48 . 2010-11-12 10:48 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-11-11 18:10 . 2008-04-13 21:06 144384 ------w- c:\windows\system32\drivers\hdaudbus.sys
2010-11-11 18:10 . 2008-04-13 23:10 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2010-11-11 17:19 . 2010-11-11 17:19 -------- d-----w- c:\program files\Common Files\Java
2010-11-11 17:18 . 2010-11-11 17:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-11 17:18 . 2010-11-11 17:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-11 17:18 . 2010-11-11 17:18 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-11-11 05:49 . 2009-08-13 15:24 512000 -c----w- c:\windows\system32\dllcache\jscript.dll
2010-11-10 10:34 . 2010-03-15 09:31 165376 ----a-w- c:\windows\system32\unrar.dll
2010-11-10 10:34 . 2010-06-08 16:10 790528 ----a-w- c:\windows\system32\xvidcore.dll
2010-11-10 10:34 . 2010-06-08 16:10 134144 ----a-w- c:\windows\system32\xvidvfw.dll
2010-11-10 10:34 . 2010-01-17 15:18 151552 ----a-w- c:\windows\system32\ac3acm.acm
2010-11-10 10:34 . 2008-09-24 18:41 839680 ----a-w- c:\windows\system32\lameACM.acm
2010-11-10 10:34 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2010-11-10 10:34 . 2010-10-18 08:00 108032 ----a-w- c:\windows\system32\ff_vfw.dll
2010-11-10 10:34 . 2010-11-10 10:35 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-10-23 17:10 . 2010-10-23 17:10 -------- d-----w- c:\program files\PokerStove
2010-10-18 08:32 . 2010-11-09 23:57 -------- d-----w- C:\Poker
2010-10-15 21:29 . 2008-04-13 23:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-28 21:55 . 2010-09-28 21:55 388096 ----a-r- c:\documents and settings\Lammert\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-24 13:26 . 2010-09-24 13:26 377 ----a-w- c:\documents and settings\Lammert\Local Settings\Application Data\postgresinstall.bat
2010-09-08 17:55 . 2002-02-09 23:00 72748 ----a-w- c:\windows\unins000.exe
2007-12-19 19:48 . 2007-12-19 19:46 459188632 ----a-w- c:\program files\ADBEIDSNCS3_WWE.exe
2007-12-19 17:51 . 2007-12-19 17:50 423321216 ----a-w- c:\program files\ADBEFLPRCS3_WWE.exe
2007-12-16 11:09 . 2007-12-16 11:09 1131046 ----a-w- c:\program files\winrar.exe
2007-12-14 21:14 . 2007-12-14 19:05 795278976 ----a-w- c:\program files\ADBEILSTCS3_WWE.exe
2007-12-14 21:14 . 2007-12-14 21:13 486108144 ----a-w- c:\program files\Adobe photoshop extended.exe
2007-12-08 15:26 . 2007-12-08 15:26 21321008 ----a-w- c:\program files\QuickTimeInstaller.exe
2007-12-08 12:43 . 2007-12-08 12:43 3003113 ----a-w- c:\program files\Setup_MagicISO.exe
2007-12-05 16:37 . 2007-12-05 16:37 595664 ----a-w- c:\program files\BitTorrent-6.0.exe
2007-12-04 22:20 . 2007-12-04 22:20 2402832 ----a-w- c:\program files\WLinstaller.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Auslogics BoostSpeed"="c:\program files\Auslogics\Auslogics BoostSpeed\boostspeed.exe" [2009-08-04 475760]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-16 68856]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2010-02-24 323392]
"Google Update"="c:\documents and settings\Lammert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-15 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 1368064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"wcmdmgr"="c:\windows\wt\updater\wcmdmgrl.exe" [2001-01-25 20480]
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 61440]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-16 185896]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2009-09-29 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-14 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-30 413696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-09-29 61440]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Uilke\Menu Start\Programma's\Opstarten\
OneNote 2007 Schermopname en Snel starten.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 14:57 153136 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Nero BackItUp Scheduler 3"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Omerta Script\\mirc.exe"=
"c:\\wamp\\bin\\apache\\apache2.2.8\\bin\\httpd.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Nokia\\Devices\\Nokia_Mobile_Browser_Simulator\\nmb.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Team17\\Worms World Party\\wwp.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25999:TCP"= 25999:TCP:cs.xfire.com
"5432:TCP"= 5432:TCP:postgres

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1-6-2009 9:57 691696]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12-12-2003 16:49 77312]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [18-7-2008 17:18 33824]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [10-11-2008 18:38 160792]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [1-2-2008 3:02 65536]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18-3-2010 12:16 130384]
S2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [27-11-2009 20:15 135664]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [9-11-2009 18:12 25088]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18-3-2010 12:16 753504]
.
Contents of the 'Scheduled Tasks' folder

2010-11-08 c:\windows\Tasks\AdobeAAMUpdater-1.0-HOME-0IW8LPQDDC-Lammert.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-08-15 01:44]

2010-11-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-27 19:15]

2010-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-27 19:15]

2010-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1767777339-725345543-1003Core.job
- c:\documents and settings\Lammert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-10 09:16]

2010-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1767777339-725345543-1003UA.job
- c:\documents and settings\Lammert\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-10 09:16]

2010-11-12 c:\windows\Tasks\HPpromotions journeysoftware.job
- c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 00:06]

2010-11-09 c:\windows\Tasks\WebReg Photosmart 2570 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2005-05-11 00:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ult.zurf.nl/
uInternet Settings,ProxyOverride = *.local
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
TCP: {DA222752-E084-46B4-BEC5-F58E9D4038B1} = 10.0.0.138
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {19D6A3D5-EA50-4C3B-88F0-79627C325570} - hxxp://iloapp.perfectica.nl/gallery/executable/IlosoftMultipleImageUpload.dll
FF - ProfilePath - c:\documents and settings\Lammert\Application Data\Mozilla\Firefox\Profiles\v2ha3sux.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc68498&v=6.010.006.004&i=23&tp=ab&iy=&ychte=nl&lng=nl&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-13 01:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-1767777339-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F1E3192E-377D-47D2-F384-61D7B6433763}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abphepfnljipgmadefnkggngomkmncbmfc"=hex:61,61,00,00
"bbphepfnljipgmadefkkphjeibmialljeadc"=hex:61,61,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d, bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1072)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1156)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
Completion time: 2010-11-13 01:08:06
ComboFix-quarantined-files.txt 2010-11-13 00:08
ComboFix2.txt 2010-11-12 18:14

Pre-Run: 23,140,356,096 bytes beschikbaar
Post-Run: 23,165,980,672 bytes beschikbaar

Current=2 Default=2 Failed=3 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - - 50794E79A37A8D6BE795F757142BAFE3