ComboFix 09-03-03.01 - POEFIE 2009-03-04 17:06:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1043.18.511.247 [GMT 1:00]
Gestart vanuit: c:\documents and settings\POEFIE\Bureaublad\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
 * Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\Drivers\TDSSmxoe.sys
c:\windows\system32\TDSSirxy.dll
c:\windows\system32\TDSSktpa.dll
c:\windows\system32\TDSSwghd.log
c:\windows\system32\TDSSwupe.dat
c:\windows\system32\TDSSyavu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys

(((((((((((((((((((( Bestanden Gemaakt van 2009-02-04 to 2009-03-04 ))))))))))))))))))))))))))))))
.

2009-03-03 21:55 . 2009-03-03 21:55   0         --a------   c:\windows\nsreg.dat
2009-02-18 22:52 . 2009-02-18 23:11             d--------   c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-10 23:03 . 2009-02-10 23:03             d--------   c:\program files\Avira
2009-02-10 23:03 . 2009-02-10 23:03             d--------   c:\documents and settings\All Users\Application Data\Avira
2009-02-10 22:33 . 2009-02-10 22:33   410,984   --a------   c:\windows\system32\deploytk.dll
2009-02-08 14:39 . 2009-03-03 21:10   2,380     --a------   c:\windows\system32\TDSSqqcn.dll
2009-02-04 22:04 . 2009-02-04 22:04   121,080   --a------   c:\windows\system32\MSForms.TWD

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-01 10:56   122         ----a-w   c:\documents and settings\POEFIE\Application Data\wklnhst.dat
2009-02-24 23:01   ---------   d-----w   c:\documents and settings\POEFIE\Application Data\LimeWire
2009-02-10 21:33   ---------   d-----w   c:\program files\Java
2009-02-02 22:08   ---------   d-----w   c:\program files\MPlayer for Windows
2009-01-31 13:32   ---------   d-----w   c:\documents and settings\POEFIE\Application Data\FrostWire
2009-01-28 22:39   ---------   d-----w   c:\documents and settings\POEFIE\Application Data\Winamp
2009-01-24 08:26   ---------   d-----w   c:\documents and settings\POEFIE\Application Data\EDrawings
2009-01-18 09:33   0           ---ha-w   c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-01-18 09:33   0           ---ha-w   c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-01-12 20:25   ---------   d-----w   c:\program files\Common Files\PCSuite
2009-01-12 20:25   ---------   d-----w   c:\program files\Common Files\Nokia
2009-01-12 20:23   ---------   d-----w   c:\program files\PC Connectivity Solution
2009-01-12 20:17   ---------   d-----w   c:\documents and settings\All Users\Application Data\Installations
2009-01-05 23:34   ---------   d-----w   c:\program files\Winamp
2008-10-27 23:25   45,423      ----a-w   c:\documents and settings\POEFIE\Application Data\mdbu.bin

.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PC Suite Tray"="d:\program files_nieuw\Nokia3\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-12-12 4730880]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-11-20 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-11-20 499712]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2003-05-12 32768]
"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2003-10-03 40960]
"LMgrOSD"="c:\program files\Launch Manager\OSD.exe" [2003-06-25 204800]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2003-09-12 65536]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe" [2003-11-10 406016]
"CTRegRun"="c:\windows\CTRegRun.EXE" [1999-10-10 41984]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-10 50688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-10 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2003-12-12 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\POEFIE\Menu Start\Programma's\Opstarten\
Scheduler.lnk - d:\program files_nieuw\Common\Scheduler\wcomschd.exe [2009-02-08 464240]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-03-05 10872]
BTTray.lnk - d:\program files_nieuw\Creative bluetooth\BTTray.exe [2005-07-07 577597]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= vdrcodec.dll
"VIDC.PIM1"= pclepim1.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^POEFIE^Menu Start^Programma's^Opstarten^Microsoft Office Snelzoeken.lnk]
backup=c:\windows\pss\Microsoft Office Snelzoeken.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^POEFIE^Menu Start^Programma's^Opstarten^Office Opstarten.lnk]
backup=c:\windows\pss\Office Opstarten.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^POEFIE^Menu Start^Programma's^Opstarten^Registration-Studio 8.lnk]
backup=c:\windows\pss\Registration-Studio 8.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 01:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
--a------ 2008-05-20 15:09 2830848 d:\program files_nieuw\Ares Ultra\Ares Ultra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2003-12-12 18:55 53248 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 18:03 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2004-01-29 18:12 57344 c:\program files\Home Cinema\PowerCinema\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\powerman]
--a------ 2003-12-23 20:48 126976 c:\windows\system32\powerman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSTA.EXE]
--a------ 2003-08-04 16:54 215552 c:\windows\system32\PRISMSTA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-11-13 18:23 62464 c:\windows\SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\program files_nieuw\\LimeWire Plus\\LimeWire.exe"=
"d:\\program files_nieuw\\Ares\\Ares.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:Ares ultra

R1 Hotkey;Hotkey;c:\windows\system32\drivers\HOTKEY.sys [2003-12-29 9867]
R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2002-09-20 53248]
R2 MarxDev1;MarxDev1;c:\windows\system32\drivers\MARXDEV1.SYS [2009-01-11 8864]
R2 MarxDev2;MarxDev2;c:\windows\system32\drivers\MARXDEV2.SYS [2009-01-11 8864]
R2 MarxDev3;MarxDev3;c:\windows\system32\drivers\MARXDEV3.SYS [2009-01-11 8864]
R3 PRISM_A00;PRISM 802.11g Driver;c:\windows\system32\drivers\PRISMA00.sys [2003-10-16 364320]
S1 mailKmd;mailKmd; [x]
S1 Wbutton;Wbutton;c:\windows\system32\drivers\Wbutton.sys --> c:\windows\system32\drivers\Wbutton.sys [?]
S3 CA_LIC_CLNT;CA License Client;c:\program files\CA\SharedComponents\CA_LIC\lic98rmt.exe [2002-09-20 77824]
S3 CA_LIC_SRVR;CA License Server;c:\program files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [2002-09-20 77824]

.
Inhoud van de 'Gedeelde Taken' map

2009-03-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.tele2.be/nl/allin/
IE: Verzenden naar &Bluetooth - d:\program files_nieuw\Creative bluetooth\btsendto_ie_ctx.htm
Trusted Zone: centea.be
Trusted Zone: dexia.be
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\POEFIE\Application Data\Mozilla\Firefox\Profiles\eux8lfc3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.tele2.be/nl/allin/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-04 17:11:14
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 CtrlVol = c:\program files\Launch Manager\CtrlVol.exe???????@?`??????w???w???????w???w;??w?r@????? ???????????????d???????????????????????4????????$?w???????????sI??s???s@????????????a?wx??st???????B-?s???????????????s???s?????n?w????Y??sL;??D??s??@??4@?X;?????????

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\program files_nieuw\Creative bluetooth\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclIrSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
.
**************************************************************************
.
Voltooingstijd: 2009-03-04 17:13:50 - machine werd herstart
ComboFix-quarantined-files.txt 2009-03-04 16:13:47

Pre-Run: 6.858.448.896 bytes beschikbaar
Post-Run: 7,170,686,976 bytes beschikbaar

WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

187 --- E O F --- 2009-03-01 09:39:05