ComboFix 11-01-31.02 - Saskia 02-02-2011 15:30:02.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.31.1043.18.2814.1807 [GMT 1:00]
Gestart vanuit: c:\users\Saskia\Desktop\ComboFix.exe
gebruikte Opdracht switches :: c:\users\Saskia\Desktop\CFScript.txt..txt
FILE ::
"c:\windows\msdownld.tmp"
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Fun4IM
c:\program files\Fun4IM\INSTALL.LOG
c:\program files\Fun4IM\license.rtf
c:\program files\Fun4IM\Plugins\IE\Resources\HTML\blank.html
c:\program files\Fun4IM\Plugins\IE\Resources\HTML\error.html
c:\program files\Fun4IM\Plugins\MSN\Resources\HTML\blank.html
c:\program files\Fun4IM\Plugins\MSN\Resources\HTML\error.html
c:\program files\Fun4IM\Plugins\MSN\Resources\Toolbar\BandooToolbar.xml
c:\program files\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\1001.dat
c:\program files\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\1002.dat
c:\program files\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\1003.dat
c:\program files\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\1004.dat
c:\program files\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\1005.dat
c:\program files\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\1006.dat
c:\program files\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\1011.dat
c:\program files\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\1012.dat
c:\program files\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\1013.dat
c:\program files\Fun4IM\Plugins\MSN\Resources\Toolbar\Images\1014.dat
c:\program files\Fun4IM\Plugins\Yahoo\Resources\HTML\blank.html
c:\program files\Fun4IM\Plugins\Yahoo\Resources\HTML\error.html
c:\program files\Fun4IM\Plugins\Yahoo\Resources\Toolbar\BandooToolbar.xml
c:\program files\Fun4IM\Plugins\Yahoo\Resources\Toolbar\BandooToolbarV9.xml
c:\program files\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\1001.dat
c:\program files\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\1002.dat
c:\program files\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\1003.dat
c:\program files\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\1004.dat
c:\program files\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\1005.dat
c:\program files\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\1006.dat
c:\program files\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\1051.dat
c:\program files\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\1052.dat
c:\program files\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\1053.dat
c:\program files\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\1054.dat
c:\program files\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\1055.dat
c:\program files\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\1056.dat
c:\program files\Fun4IM\Plugins\Yahoo\Resources\Toolbar\Images\1057.dat
c:\program files\Fun4IM\Resources\BandooMessages.xml
c:\program files\Fun4IM\Resources\downloading.gif
c:\program files\Fun4IM\Resources\nudge0.wav
c:\program files\Fun4IM\Resources\nudge1.wav
c:\program files\Fun4IM\Resources\nudge2.wav
c:\program files\Fun4IM\Resources\nudge3.wav
c:\program files\Fun4IM\Resources\nudge4.wav
c:\program files\Fun4IM\Resources\nudge5.wav
c:\programdata\Fun4IM
c:\programdata\Fun4IM\WPSubsystems.xml
c:\programdata\Hitman Pro
c:\programdata\Hitman Pro\Banner.bin
c:\users\Saskia\Documents\cc_20110202_104343.reg
.
(((((((((((((((((((( Bestanden Gemaakt van 2011-01-02 to 2011-02-02 ))))))))))))))))))))))))))))))
.
2011-02-02 14:59 . 2011-02-02 15:00 -------- d-----w- c:\users\Saskia\AppData\Local\temp
2011-02-02 14:59 . 2011-02-02 14:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-02 10:54 . 2011-02-02 10:54 -------- d-----w- c:\users\Saskia\AppData\Local\CrashDumps
2011-02-01 14:10 . 2011-02-01 14:10 -------- d-----w- c:\program files\CCleaner
2011-01-28 15:04 . 2011-01-28 15:04 -------- d-----w- c:\users\Saskia\AppData\Roaming\Malwarebytes
2011-01-28 15:04 . 2011-01-28 15:04 -------- d-----w- c:\programdata\Malwarebytes
2011-01-28 15:04 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-28 15:04 . 2011-01-28 15:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-28 15:04 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-28 14:59 . 2011-01-28 14:59 388096 ----a-r- c:\users\Saskia\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-01-28 14:59 . 2011-01-28 14:59 -------- d-----w- c:\program files\Trend Micro
2011-01-28 14:52 . 2011-01-28 14:52 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-01-28 14:52 . 2011-01-28 14:52 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-01-28 13:31 . 2011-01-28 16:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-01-28 13:31 . 2011-01-28 15:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-01-24 17:26 . 2011-01-24 17:26 -------- d-----w- c:\users\Saskia\AppData\Local\Threat Expert
2011-01-24 17:26 . 2011-01-24 17:26 -------- d-----w- c:\program files\HyvesToolbar
2011-01-24 17:18 . 2011-01-28 15:28 -------- d--h--w- c:\windows\msdownld.tmp
2011-01-24 10:30 . 2011-01-24 10:30 -------- d-----w- c:\users\Saskia\AppData\Roaming\SurfSecret Privacy Suite
2011-01-24 10:30 . 2011-01-24 10:34 -------- d-----w- c:\users\Saskia\AppData\Local\panda2_0dn
2011-01-24 10:29 . 2011-01-24 10:29 -------- d-----w- c:\programdata\Panda Security
2011-01-15 17:02 . 2011-01-28 14:01 -------- d-----w- c:\programdata\Avira
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 17:26 . 2008-01-21 02:23 17976 ----a-w- c:\windows\system32\drivers\wmilib.sys
2011-02-02 17:24 . 2008-01-21 02:24 21504 ----a-w- c:\windows\system32\vga64k.dll
2011-02-02 17:24 . 2008-01-21 02:24 11776 ----a-w- c:\windows\system32\framebuf.dll
2011-02-02 17:24 . 2006-11-02 08:43 42496 ----a-w- c:\windows\system32\pstorec.dll
2011-02-02 17:23 . 2009-09-22 19:41 50664 ----a-w- c:\windows\system32\PSHED.DLL
2011-02-02 17:23 . 2006-11-02 07:10 4048 ----a-w- c:\windows\system32\TIMER.DRV
2011-02-02 17:17 . 2008-01-21 02:24 24120 ----a-w- c:\windows\system32\BOOTVID.DLL
2011-02-02 17:17 . 2009-09-22 19:41 17384 ----a-w- c:\windows\system32\kdcom.dll
2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-11-10 04:33 . 2010-11-30 09:19 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A2831668-C9DC-4282-8DA4-3F1A9CF80467}\mpengine.dll
2010-06-25 22:09 . 2010-02-09 08:40 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2009-05-14 21:02 120104 ----a-w- c:\program files\EgisTec\MyWinLocker 3\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-09-22 4240760]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-18 61440]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-03-11 6957600]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-11 1833504]
"PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-29 200704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-05 1410344]
"BackupManagerTray"="c:\program files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2009-04-11 249600]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2009-04-03 698912]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-09-22 1243088]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Sitecom USB Wireless LAN Utility.lnk - c:\program files\Sitecom Europe BV\Sitecom WL-113 Utility\SiteComUSB.exe [2009-9-21 3477504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders credssp.dll, mxqdabyb.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 17:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-09-20 11:39 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2009-04-11 61184]
R3 AVFSFilter;AVFSFilter;c:\windows\system32\DRIVERS\avfsfilter.sys [x]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-25 30192]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-09-23 50424]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-07-21 697328]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [2008-12-04 19504]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [2008-12-04 16432]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [2008-12-04 59952]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-01-21 112592]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2009-04-03 723488]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2008-01-21 21504]
S2 MWLService;MyWinLocker Service;c:\program files\EgisTec\MyWinLocker 3\x86\\MWLService.exe [2009-05-14 305448]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-09-23 144632]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-09-23 358600]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-06-24 92008]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-09-04 223232]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [2008-05-28 22072]

--- Andere Services/Drivers In Geheugen ---

*Deregistered* - PCTSDInjDriver32

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Inhoud van de 'Gedeelde Taken' map

2011-02-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-20 12:46]
.
.
------- Bijkomende Scan -------
.
uStart Page = https://www.ziggo.nl/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0413&s=2&o=vp32&d=0909&m=aspire_7535
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Saskia\AppData\Roaming\Mozilla\Firefox\Profiles\ruo8ko3z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://fruttisearch.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.ziggo.nl/
FF - prefs.js: keyword.URL - hxxp://fruttisearch.com/search.php?q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DVDVideoSoft Menu: {ACAA314B-EEBA-48e4-AD47-84E31C44796C} - %profile%\extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C}
FF - Ext: Messenger Plus Live Netherlands Toolbar: {d2ab2732-a124-4fb2-8da5-4a6a9e379331} - %profile%\extensions\{d2ab2732-a124-4fb2-8da5-4a6a9e379331}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS VERWIJDERD - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-02 15:59
Windows 6.0.6002 Service Pack 2 NTFS

scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST925031 rev.0001 -> Harddisk0\DR0 -> device: opened successfully
user: MBR read successfully
Disk trace: called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll >>UNKNOWN [0x87657446]<<
c:\windows\system32\drivers\PCTCore.sys PC Tools Kernel Driver Suite
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8765d504]; MOV EAX, [0x8765d580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82A89962] -> \Device\Harddisk0\DR0[0x870C3AC8]
3 CLASSPNP[0x8A9AA8B3] -> ntkrnlpa!IofCallDriver[0x82A89962] -> [0x866AC6C8]
5 PCTCore[0x830C888F] -> ntkrnlpa!IofCallDriver[0x82A89962] -> [0x86966A60]
7 acpi[0x8076B6BC] -> ntkrnlpa!IofCallDriver[0x82A89962] -> [0x865B86A0]
\Driver\ahcix86s[0x874CF5D0] -> IRP_MJ_CREATE -> 0x87657446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV SI, 0x7be; MOV CL, 0x4; CMP [SI], CH; JL 0x2d; JNZ 0x3b; }
detected disk devices:
\Device\00000060 -> \??\SCSI#Disk&Ven_ST925031&Prod_5AS__________#4&20664e7f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi -> 0x85f611f8
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Voltooingstijd: 2011-02-02 16:08:07
ComboFix-quarantined-files.txt 2011-02-02 15:07
ComboFix2.txt 2011-02-02 09:17

Pre-Run: 181.232.422.912 bytes beschikbaar
Post-Run: 181.248.602.112 bytes beschikbaar

- - End Of File - - 8E0742C0804B167C19C8F86549F1A549