ComboFix 11-04-13.03 - Chantal 16-04-2011 23:37:05.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.3070.2563 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Chantal & Duncan\Bureaublad\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
(((((((((((((((((((( Bestanden Gemaakt van 2011-03-16 to 2011-04-16 ))))))))))))))))))))))))))))))
.
.
2011-04-09 07:08 . 2011-04-09 07:08 -------- d-----r- c:\documents and settings\LocalService\Favorieten
2011-04-02 07:34 . 2011-04-02 07:34 -------- d-----w- c:\documents and settings\NetworkService\Mijn documenten
2011-04-01 05:44 . 2011-04-02 07:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-29 14:48 . 2011-03-29 14:48 -------- d-----w- c:\windows\system32\wbem\Repository
2011-03-29 04:51 . 2011-03-29 04:51 -------- d-----r- c:\documents and settings\NetworkService\Favorieten
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:54 . 2008-04-14 20:32 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:54 . 2008-04-14 20:32 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 19:40 . 2010-05-18 04:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 17:19 . 2009-07-25 17:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-02 07:58 . 2009-07-07 19:12 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-07-07 19:12 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2008-04-14 20:32 441344 ----a-w- c:\windows\system32\shimgvw.dll
2010-09-26 14:53 . 2010-09-26 14:53 1391616 ----a-w- c:\program files\iview427_setup.exe
.
.
------- Sigcheck -------
.
[-] 2008-05-11 . D529680501329A3853D2BEE64F8E082B . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\mijn programma's\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
"Steam"="c:\spellen\Call of Duty 2\Steam.exe" [2010-11-17 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-01-16 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-04-29 124240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-11-25 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Camera Monitor SD.lnk - c:\program files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2010-8-28 541976]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Mijn Programma's\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\Program Files\\Soldier of Fortune II - Double Helix\\SoF2MP.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Spellen\\Battlefield - Bad Company 2\\BFBC2Updater.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2ServerLauncher.exe"=
"d:\\eMule\\Files\\emule.exe"=
"c:\\Spellen\\Call of Duty 2\\SteamApps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Spellen\\Call of Duty 2\\SteamApps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Spellen\\Call of Duty 2\\SteamApps\\common\\call of duty black ops\\BlackOps.exe"=
"c:\\Spellen\\Call of Duty 2\\SteamApps\\common\\call of duty black ops\\BlackOpsMP.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [29-4-2009 20:07 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [7-7-2009 22:51 70216]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [1-2-2008 5:02 65536]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18-3-2010 14:16 130384]
S3 iMSPQMn;iMSPQMn;\??\c:\docume~1\CHANTA~1\LOCALS~1\Temp\iMSPQMn.sys --> c:\docume~1\CHANTA~1\LOCALS~1\Temp\iMSPQMn.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [7-7-2009 22:51 65224]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [26-4-2010 16:33 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [26-4-2010 16:33 8320]
S3 PAC207;CamMaestro 3.75 HU PC Camera;c:\windows\system32\drivers\pfc027.sys [29-5-2007 13:30 162176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [14-4-2008 22:33 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18-3-2010 14:16 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Inhoud van de 'Gedeelde Taken' map
.
2011-04-16 c:\windows\Tasks\User_Feed_Synchronization-{ADAEEB66-218D-4777-8368-4E28A3D8D8FF}.job
- c:\windows\system32\msfeedssync.exe [2008-05-11 02:31]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.nl/
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {63D6DD13-C913-466D-9444-9357561E4D94} - hxxp://www.mijnalbum.nl/v3/skinsrc/core/system/ma5.8.3/uploadtoepassing.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-16 23:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------
.
[HKEY_USERS\S-1-5-21-343818398-1715567821-1801674531-1004\Software\SecuROM\License information*]
"datasecu"=hex:da,11,cc,e5,2f,ed,a6,ae,ff,b7,a7,ee,25,50,d2,0d,c3,f5,ea,5a,2d,
 7e,95,fe,1a,58,f6,ae,a0,5f,75,40,c4,98,9d,51,95,b1,53,28,23,a1,cf,d9,a5,29,\
"rkeysecu"=hex:31,49,d7,e2,10,45,57,43,89,4a,3c,f3,9d,df,44,c6
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
.
- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Voltooingstijd: 2011-04-16 23:45:24
ComboFix-quarantined-files.txt 2011-04-16 21:45
ComboFix2.txt 2011-04-15 05:27
.
Pre-Run: 133.006.508.032 bytes beschikbaar
Post-Run: 133.061.074.944 bytes beschikbaar
.
- - End Of File - - AA98FC061DF2558D791556B9CF35C340