ComboFix 11-04-14.01 - Chantal 15-04-2011 7:08.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.3070.2564 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Chantal & Duncan\Bureaublad\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
 * Nieuw herstelpunt werd aangemaakt
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Chantal & Duncan\Application Data\982D4B4B7D5C842FBA47FAC79F7988F3
c:\documents and settings\Chantal & Duncan\Application Data\982D4B4B7D5C842FBA47FAC79F7988F3\enemies-names.txt
c:\documents and settings\Chantal & Duncan\Application Data\982D4B4B7D5C842FBA47FAC79F7988F3\lsrslt.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SSHNAS
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2011-03-15 to 2011-04-15 ))))))))))))))))))))))))))))))
.
.
2011-04-09 07:08 . 2011-04-09 07:08 -------- d-----r- c:\documents and settings\LocalService\Favorieten
2011-04-02 07:34 . 2011-04-02 07:34 -------- d-----w- c:\documents and settings\NetworkService\Mijn documenten
2011-04-01 05:44 . 2011-04-02 07:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-29 14:48 . 2011-03-29 14:48 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-29 04:51 . 2011-03-29 04:51 -------- d-----r- c:\documents and settings\NetworkService\Favorieten
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:54 . 2008-04-14 20:32 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:54 . 2008-04-14 20:32 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2009-07-07 19:12 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-07-07 19:12 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2008-04-14 20:32 441344 ----a-w- c:\windows\system32\shimgvw.dll
2010-09-26 14:53 . 2010-09-26 14:53 1391616 ----a-w- c:\program files\iview427_setup.exe
.
.
------- Sigcheck -------
.
[-] 2008-05-11 . D529680501329A3853D2BEE64F8E082B . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\mijn programma's\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
"Steam"="c:\spellen\Call of Duty 2\Steam.exe" [2010-11-17 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-01-16 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-04-29 124240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-11-25 98304]
.
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Camera Monitor SD.lnk - c:\program files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2010-8-28 541976]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Mijn Programma's\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Program Files\\Soldier of Fortune II - Double Helix\\SoF2MP.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Spellen\\Battlefield - Bad Company 2\\BFBC2Updater.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2ServerLauncher.exe"=
"d:\\eMule\\Files\\emule.exe"=
"c:\\Spellen\\Call of Duty 2\\SteamApps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Spellen\\Call of Duty 2\\SteamApps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Spellen\\Call of Duty 2\\SteamApps\\common\\call of duty black ops\\BlackOps.exe"=
"c:\\Spellen\\Call of Duty 2\\SteamApps\\common\\call of duty black ops\\BlackOpsMP.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [29-4-2009 20:07 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [7-7-2009 22:51 70216]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [1-2-2008 5:02 65536]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18-3-2010 14:16 130384]
S3 iMSPQMn;iMSPQMn;\??\c:\docume~1\CHANTA~1\LOCALS~1\Temp\iMSPQMn.sys --> c:\docume~1\CHANTA~1\LOCALS~1\Temp\iMSPQMn.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [7-7-2009 22:51 65224]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [26-4-2010 16:33 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [26-4-2010 16:33 8320]
S3 PAC207;CamMaestro 3.75 HU PC Camera;c:\windows\system32\drivers\pfc027.sys [29-5-2007 13:30 162176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [14-4-2008 22:33 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18-3-2010 14:16 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Inhoud van de 'Gedeelde Taken' map
.
2011-04-15 c:\windows\Tasks\User_Feed_Synchronization-{ADAEEB66-218D-4777-8368-4E28A3D8D8FF}.job
- c:\windows\system32\msfeedssync.exe [2008-05-11 02:31]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.nl/
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {63D6DD13-C913-466D-9444-9357561E4D94} - hxxp://www.mijnalbum.nl/v3/skinsrc/core/system/ma5.8.3/uploadtoepassing.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-15 07:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: MAXTOR_STM31000333AS rev.MC1H -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AE39439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ae3f7d0]; MOV EAX, [0x8ae3f84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AEC9AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AE63CA0]
\Driver\atapi[0x8AE4ACC0] -> IRP_MJ_CREATE -> 0x8AE39439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMAXTOR_STM31000333AS____________________MC1H____#5&7935f70&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AE3927F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------
.
[HKEY_USERS\S-1-5-21-343818398-1715567821-1801674531-1004\Software\SecuROM\License information*]
"datasecu"=hex:da,11,cc,e5,2f,ed,a6,ae,ff,b7,a7,ee,25,50,d2,0d,c3,f5,ea,5a,2d,
   7e,95,fe,1a,58,f6,ae,a0,5f,75,40,c4,98,9d,51,95,b1,53,28,23,a1,cf,d9,a5,29,\
"rkeysecu"=hex:31,49,d7,e2,10,45,57,43,89,4a,3c,f3,9d,df,44,c6
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
.
- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(6940)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\mijn programma's\Nokia PC Suite 7\PhoneBrowser.dll
c:\mijn programma's\Nokia PC Suite 7\NGSCM.DLL
c:\mijn programma's\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\mijn programma's\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\PAStiSvc.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\windows\system32\wscntfy.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Voltooingstijd: 2011-04-15 07:27:13 - machine werd herstart
ComboFix-quarantined-files.txt 2011-04-15 05:27
.
Pre-Run: 125.783.224.320 bytes beschikbaar
Post-Run: 126.453.366.784 bytes beschikbaar
.
WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 7C92B303AFF05145BCAC76DCF2546AE5