ComboFix 11-02-10.01 - Muriël Wijnia 11-02-2011 16:34:29.6.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.502.308 [GMT 1:00]
Started from: c:\documents and settings\Muriël Wijnia\Bureaublad\ComboFix.exe
Command switches used :: c:\documents and settings\Muriël Wijnia\Bureaublad\CFScript.txt..txt
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\Default User\Menu Start\Programma's\Opstarten\"
"c:\windows\system32\reboot.exe"
.
(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\pbsyoqye
c:\program files\pbsyoqye\xhhocqiu.exe
c:\windows\system32\reboot.exe
c:\windows\system32\regdacl
c:\windows\system32\regdacl\doc\RegAudit.GIF
c:\windows\system32\regdacl\doc\RegAudit_e.htm
c:\windows\system32\regdacl\doc\RegDACL.GIF
c:\windows\system32\regdacl\doc\RegDACL_el.htm
c:\windows\system32\regdacl\doc\RegDACL_er1.htm
c:\windows\system32\regdacl\doc\RegDACL_er2.htm
c:\windows\system32\regdacl\doc\RegDACL_er3.htm
c:\windows\system32\regdacl\doc\RegDACLe.htm
c:\windows\system32\regdacl\doc\RegLast_e.htm
c:\windows\system32\regdacl\doc\RegOwner.GIF
c:\windows\system32\regdacl\doc\RegOwner_e.htm
c:\windows\system32\regdacl\doc\SMWNCV.cmd
c:\windows\system32\regdacl\Orderinfo.htm
c:\windows\system32\regdacl\RegToolsHelp.htm
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AVGIDSDRIVER
-------\Legacy_AVGIDSEH
-------\Legacy_AVGIDSFILTER
-------\Legacy_AVGIDSSHIM
-------\Legacy_AVGWD
-------\Service_AVG Security Toolbar Service
-------\Service_AVGIDSDriver
-------\Service_AVGIDSEH
-------\Service_AVGIDSFilter
-------\Service_AVGIDSShim
-------\Service_avgwd


(((((((((((((((((((( Files Created from 2011-01-11 to 2011-02-11 ))))))))))))))))))))))))))))))
.
2011-02-11 15:42 . 2011-02-11 15:42    108544    ----a-w-    c:\windows\system32\svchostmgr.exe
2011-02-11 15:39 . 2011-02-11 15:39    --------    d-----w-    c:\program files\pbsyoqye
2011-02-11 12:35 . 2011-02-11 12:35    108544    ----a-w-    c:\windows\Explorermgr.exe
2011-02-05 17:51 . 2011-02-09 15:47    90112    ----a-w-    c:\windows\system32\regdacl.exe
2011-02-05 16:22 . 2011-02-11 12:32    --------    d--h--r-    c:\documents and settings\Muriël Wijnia\Onlangs geopend
2011-02-05 10:45 . 2010-12-20 17:09    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-05 10:45 . 2011-02-05 10:45    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2011-02-05 10:45 . 2010-12-20 17:08    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2011-02-05 09:12 . 2011-02-05 10:38    29996    ---h--w-    c:\documents and settings\Muriël Wijnia\Application Data\ntuser.dat
2011-02-04 20:46 . 2011-02-04 21:35    --------    d-----w-    c:\program files\temp
2011-01-26 16:57 . 2011-01-26 16:57    --------    d-----w-    c:\documents and settings\Muriël Wijnia\Application Data\AVS4YOU
2011-01-26 16:51 . 2011-01-26 17:20    --------    d-----w-    c:\program files\AVS4YOU
2011-01-26 16:51 . 2011-01-26 17:18    --------    d-----w-    c:\program files\Common Files\AVSMedia
2011-01-26 16:51 . 2011-01-26 16:56    --------    d-----w-    c:\documents and settings\All Users\Application Data\AVS4YOU
2011-01-26 16:51 . 2010-09-14 16:38    24576    ----a-w-    c:\windows\system32\msxml3a.dll
2011-01-24 20:48 . 2010-03-15 10:31    165376    ----a-w-    c:\windows\system32\unrar.dll
2011-01-21 19:57 . 2011-01-21 19:57    84718440    ----a-w-    c:\program files\Common Files\Windows Live\.cache\wlc7.tmp
.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:42 . 2008-04-15 12:00    441856    ----a-w-    c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-15 12:00    290048    ----a-w-    c:\windows\system32\atmfd.dll
2010-12-31 14:02 . 2009-08-17 09:34    1864192    ----a-w-    c:\windows\system32\win32k.sys
2010-12-22 12:32 . 2009-08-17 09:34    301568    ----a-w-    c:\windows\system32\kerberos.dll
2010-12-20 23:51 . 2009-08-17 09:36    919552    ----a-w-    c:\windows\system32\wininet.dll
2010-12-20 23:51 . 2009-08-17 09:36    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2010-12-20 23:51 . 2009-08-17 09:36    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2010-12-20 17:24 . 2009-08-17 09:34    735232    ----a-w-    c:\windows\system32\lsasrv.dll
2010-12-20 12:49 . 2009-08-17 09:36    385024    ----a-w-    c:\windows\system32\html.iec
2010-12-09 15:15 . 2009-02-09 11:00    739328    ----a-w-    c:\windows\system32\ntdll.dll
2010-12-09 15:14 . 2009-02-09 11:19    2031616    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2010-12-09 15:14 . 2009-08-17 09:34    2153472    ----a-w-    c:\windows\system32\ntoskrnl.exe
2010-12-09 14:30 . 2008-04-15 12:00    33280    ----a-w-    c:\windows\system32\csrsrv.dll
2010-11-18 18:15 . 2009-08-27 17:16    86016    ----a-w-    c:\windows\system32\isign32.dll
2009-11-18 14:55 . 2009-11-18 14:55    6666536    ------w-    c:\program files\DivXWebPlayerInstaller.exe
2009-11-04 16:42 . 2009-11-04 16:42    90357136    ------w-    c:\program files\HEMA_NL_Fotoservice.exe
.
------- Sigcheck -------
[-] 2009-08-17 . 497BEF5C5FAD126CA16437C1682F64EA . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-02-11_12.29.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-11 15:42 . 2011-02-11 15:42    16384    c:\windows\temp\Perflib_Perfdata_6b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

c:\documents and settings\Default User\Menu Start\Programma's\Opstarten\
xhhocqiu.exe [2011-2-11 108544]

c:\documents and settings\Muriël Wijnia\Menu Start\Programma's\Opstarten\
xhhocqiu.exe [2011-2-11 108544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\pbsyoqye\xhhocqiu.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ    autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 22:07    932288    ----a-r-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 03:47    35760    ------w-    c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-15 12:00    15360    ----a-w-    c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 15:18    528912    ------w-    c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
HPService    REG_MULTI_SZ    HPSLPSVC
hpdevmgmt    REG_MULTI_SZ    hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2011-02-08 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-08-04 18:19]

2009-12-16 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-04 18:19]

2011-02-09 c:\windows\Tasks\User_Feed_Synchronization-{C8CDEBEB-C8F4-4236-A3EA-32FA8E7D8D28}.job
- c:\windows\system32\msfeedssync.exe [2009-08-17 09:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.nl/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.euro.dell.com/systemprofiler/DellSystemLite.CAB
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-11 16:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_HD160JJ/P rev.ZM100-34 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0xF82DE864
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,39,c7,ba,83,69,22,42,4f,8d,ee,76,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,39,c7,ba,83,69,22,42,4f,8d,ee,76,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(7468)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\msi.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2011-02-11 16:47:14 - machine was rebooted
ComboFix-quarantined-files.txt  2011-02-11 15:47
ComboFix2.txt  2011-02-11 12:31
ComboFix3.txt  2011-02-11 11:34
ComboFix4.txt  2010-11-13 17:19

Pre-Run: 13.575.589.888 bytes free
Post-Run: 13.341.822.976 bytes free

- - End Of File - - 8B6C98F78CB33E82C37A1393E4F977CC
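The Reg Loading Points section of this log shows the same binary, xhhocqiu.exe, registered in two independent autostart locations: appended to the Winlogon Userinit value (Winlogon launches every comma-separated entry of that value at logon, so the genuine userinit.exe still runs and the user sees nothing unusual) and dropped into both the Default User and the profile's Startup folder. The Python script below is an added example, not part of the ComboFix output or of ComboFix itself. It takes the relevant lines of the log (copied verbatim into LOG_EXCERPT), lists any Userinit entry beyond the stock one, lists Startup-folder items, and reports binaries that appear in both places. The stock Userinit value and the regular expressions are this example's own assumptions, written for the log layout shown above; the Startup-folder pattern keys on the trailing backslash of the folder line rather than on the folder name, so it is not tied to the Dutch "Opstarten".

```python
import ntpath
import re

# Excerpt copied verbatim from the "Reg Loading Points" section of the ComboFix
# log above (only the persistence entries this example looks at).
LOG_EXCERPT = r'''
c:\documents and settings\Default User\Menu Start\Programma's\Opstarten\
xhhocqiu.exe [2011-2-11 108544]

c:\documents and settings\Muriël Wijnia\Menu Start\Programma's\Opstarten\
xhhocqiu.exe [2011-2-11 108544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\pbsyoqye\xhhocqiu.exe"
'''

# Assumed patterns for the ComboFix layout: a Userinit line, and a Startup-folder
# path line (ends in a backslash) followed by "<file> [<date> <size>]".
USERINIT_RE = re.compile(r'^"Userinit"="(?P<value>[^"]*)"', re.MULTILINE)
STARTUP_RE = re.compile(
    r'^(?P<folder>[a-zA-Z]:\\[^\n]*\\)\n(?P<file>\S+) \[(?P<date>[\d-]+) (?P<size>\d+)\]$',
    re.MULTILINE,
)

# Assumption: the stock XP value is "C:\WINDOWS\system32\userinit.exe," (one entry).
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}


def parse_userinit(log):
    """Return the non-empty Userinit entries, lower-cased, or [] if the value is absent."""
    m = USERINIT_RE.search(log)
    if not m:
        return []
    # Winlogon runs every comma-separated entry; empty entries (",,") are skipped.
    return [e.strip().lower() for e in m.group("value").split(",") if e.strip()]


def userinit_extras(log):
    """Userinit entries beyond the stock userinit.exe: each one is run at every logon."""
    return [e for e in parse_userinit(log) if e not in EXPECTED_USERINIT]


def parse_startup_folders(log):
    """Return (folder, file, date, size) for each Startup-folder item ComboFix listed."""
    return [
        (m.group("folder"), m.group("file"), m.group("date"), int(m.group("size")))
        for m in STARTUP_RE.finditer(log)
    ]


def correlate_persistence(log):
    """Basenames present both as a Userinit extra and as a Startup-folder item.

    One binary registered in two unrelated autostart locations is a much
    stronger malware indicator than either entry on its own.
    """
    startup_names = {name.lower() for _, name, _, _ in parse_startup_folders(log)}
    extras = {ntpath.basename(e) for e in userinit_extras(log)}
    return sorted(extras & startup_names)


if __name__ == "__main__":
    for entry in userinit_extras(LOG_EXCERPT):
        print("Userinit extra:", entry)
    for folder, name, date, size in parse_startup_folders(LOG_EXCERPT):
        print(f"Startup item: {name} ({size} bytes, {date}) in {folder}")
    print("Present in both locations:", correlate_persistence(LOG_EXCERPT))
```

Run against the excerpt it reports one Userinit extra (c:\program files\pbsyoqye\xhhocqiu.exe), two Startup-folder items of 108544 bytes each, and xhhocqiu.exe as the binary seen in both. The same two checks can be run on a live XP machine by reading the Winlogon Userinit value and listing the Startup folders directly; the log-parsing form is useful when all you have is the ComboFix text posted in a thread like this one.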