ComboFix 09-04-14.08 - Gebruiker 14/04/2009 15:12.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.1023.504 [GMT 2:00]
Running from: d:\downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Gebruiker\Bureaublad\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090414-0] *On-access scanning disabled* (Updated)
 * Created a new restore point

FILE ::
C:\4443223454.bat
c:\windows\t55ft2631f44.dat
c:\windows\t55ft3223f44.dat
.

(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\4443223454.bat
c:\program files\websrvx
c:\windows\t55ft2631f44.dat
c:\windows\t55ft3223f44.dat

.
(((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 ))))))))))))))))))))))))))))))
.

2009-04-09 14:50 . 2009-04-09 14:50 -------- d-----w c:\documents and settings\Gebruiker\Application Data\Malwarebytes
2009-04-09 14:50 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-09 14:50 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 14:50 . 2009-04-09 14:50 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-08 08:45 . 2009-04-08 08:45 -------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-04-07 13:52 . 2009-04-07 13:52 -------- d--h--r c:\documents and settings\Gebruiker\Onlangs geopend
2009-04-06 16:04 . 2009-04-06 16:04 355 ----a-w c:\windows\system32\MRT.INI

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-15 12:12 . 2009-03-15 12:12 -------- d-----w c:\documents and settings\Gebruiker\Application Data\Red Kawa
2009-03-15 11:57 . 2009-03-15 11:57 -------- d-----w c:\program files\AviSynth 2.5
2009-03-15 11:57 . 1979-12-31 22:00 82192 ----a-w c:\windows\system32\perfc013.dat
2009-03-15 11:57 . 1979-12-31 22:00 468568 ----a-w c:\windows\system32\perfh013.dat
2009-02-09 13:19 . 2008-12-20 13:04 1846400 ----a-w c:\windows\system32\win32k.sys
2009-02-09 13:19 . 2008-12-20 13:04 1846400 ----a-w c:\windows\system32\dllcache\win32k.sys
2009-02-06 17:33 . 2008-08-07 12:47 201352 ----a-w c:\windows\system32\PnkBstrB.exe
2009-01-24 09:52 . 2009-01-24 09:52 410984 ----a-w c:\windows\system32\deploytk.dll
2009-01-10 16:18 . 2004-09-26 12:37 46896 ----a-w c:\documents and settings\Gebruiker\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-06 11:45 . 2008-08-13 15:49 31 ----a-w c:\documents and settings\Gebruiker\jagex_runescape_preferences.dat
2008-01-14 14:17 . 2008-01-14 14:17 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-12-07 13:16 . 2006-12-07 13:16 0 ----a-w c:\documents and settings\All Users\Application Data\ISxBFE.tmp
2006-11-26 14:30 . 2006-11-26 14:30 0 ----a-w c:\documents and settings\All Users\Application Data\ISx5D.tmp
2006-11-26 13:39 . 2006-11-26 13:39 0 ----a-w c:\documents and settings\All Users\Application Data\ISx37.tmp
2006-09-27 17:45 . 2006-09-27 17:45 0 ----a-w c:\documents and settings\All Users\Application Data\ISxAA.tmp
2006-09-27 17:45 . 2006-09-27 17:45 0 ----a-w c:\documents and settings\All Users\Application Data\ISxA9.tmp
2005-04-12 17:02 . 2005-04-12 17:02 132 ----a-w c:\documents and settings\Gebruiker\Local Settings\Application Data\fusioncache.dat

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"Rainlendar2"="j:\programma's\Rainlendar2\Rainlendar2.exe" [2007-12-30 1365504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"MPS"="c:\acer\PSM.EXE" [2003-12-04 360448]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-08-28 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-08-28 118784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-24 136600]
"avast!"="j:\avast\ashDisp.exe" [2009-02-05 81000]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
AlarmS4.lnk - c:\windows\system32\AlarmS4.exe [2004-4-29 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ivimp3en"= ivimp3en.acm
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-07-22 18:42 116040 ----a-w c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-30 08:47 289064 ----a-w d:\itunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 14:37 2178832 ----a-w c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetLimiter]
2004-03-31 13:23 823296 ----a-w c:\program files\NetLimiter\NetLimiter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 08:50 413696 ----a-w c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2005-01-12 01:01 32768 ----a-w c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-11 02:19 69632 ----a-w c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2003-10-31 09:45 32873 ----a-w c:\program files\Java\j2re1.4.2_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2003-08-15 13:34 57344 ----a-w c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Sierra\\Half-Life\\hl.exe"=
"c:\\Westwood\\RA2\\game.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Activision\\Rome - Total War\\RomeTW.exe"=
"c:\\Westwood\\RA2\\mphmd.exe"=
"c:\\Westwood\\RA2\\gamemd.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"d:\\HLSW\\hlsw.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\FIREFOX.EXE"=
"c:\\Program Files\\Softnyx\\Rakion\\Bin\\rakion.bin"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRESX.EXE"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRES.EXE"=
"c:\\WINDOWS\\System32\\dpvsetup.exe"=
"c:\\Westwood\\RA2\\mph.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"d:\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"d:\\Unreal T2004\\System\\UT2004.exe"=
"d:\\iTunes\\iTunes.exe"=
"C:6\\Games\\Left 4 Dead\\left4dead.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"7070:TCP"= 7070:TCP:nfr

R2 ISPMonitorSrv;ISP Monitor; [x]
R2 NFRAgent;NFRAgent;c:\windows\system32\svchost.exe [2004-08-04 14336]
R2 osaio;osaio; [x]
R3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\DRIVERS\LV532AV.SYS [2003-09-16 152576]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S3 PortRW;PortRW;c:\windows\system32\Drivers\PortRW.sys [2003-08-15 3456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nfrsvc REG_MULTI_SZ NFRAgent

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-04-14 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 15:04]

2009-04-07 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 15:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nieuwsblad.be/index.html?ref=0817
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\NetLimiter\nl_lsp.dll
TCP: {136FE7B5-4C12-49B1-BCFD-A645E3C6B1CD} = 83.143.245.36,83.143.245.37
FF - ProfilePath - c:\documents and settings\Gebruiker\Application Data\Mozilla\Firefox\Profiles\omusn9ru.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.be/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: d:\itunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 15:15
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{114866E9-7C82-20F7-16C3063A4CAB25A4}\{3FC78BFC-C5A7-A764-C3D11931F655D68A}\{CA848313-C322-9D26-10260A1412DD57C5}*]
"J6LUTEVR24DWS6LBRK5JBJYX6E1"=hex:01,00,01,00,00,00,00,00,64,ee,da,6f,cf,9a,c5,9b,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{61E02159-A14A-FC32-018FB6A6B5E128FA}\{BE08726F-5794-26E4-FF65539D238093C7}\{FD6EFD08-28CD-2519-DC89D4AD1DA3D3A5}*]
"J6LUTEVR24DWS6LBRK5JBJYX6E1"=hex:01,00,01,00,00,00,00,00,64,ee,da,6f,cf,9a,c5,9b,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A72C365C-2B28-0978-52A59749C0ABC09D}\{2A6BE869-A5EF-247E-F6A7B01E97A485BF}\{3251E462-487B-7BE8-3B3E094BA2D6C7C9}*]
"J6LUTEVR24DWS6LBRK5JBJYX6E1"=hex:01,00,01,00,00,00,00,00,64,ee,da,6f,cf,9a,c5,9b,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(800)
c:\program files\NetLimiter\nl_lsp.dll
c:\windows\system32\nl_msgc.dll
.
Completion time: ~,10time:~,-3
ComboFix-quarantined-files.txt 2009-04-14 13:16
ComboFix2.txt 2009-04-10 12:09
ComboFix3.txt 2009-04-10 11:31

Pre-Run: 821,788,672 bytes free
Post-Run: 810,516,480 bytes free

202 --- E O F --- 2009-04-07 13:55
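Reading a ComboFix log like this one by hand means picking out the same handful of entries every time: the BootExecute value, the Security Center override flag, the globally open firewall ports, services whose image path could not be resolved ([x]) or that run inside svchost under a non-standard group, and the browser proxy setting. The script below is an added example for that chore; it is not part of the original post and not ComboFix code. SAMPLE_LOG is an excerpt constructed from lines copied out of the log above, the svchost baseline group list and the "local listener" heuristic are the author's own assumptions, and a flagged entry is a prompt to look closer, not a verdict on the machine.

```python
"""Pull the entries a reviewer checks by hand out of a ComboFix log.

Added example, not part of the original post or of ComboFix. The baseline
svchost group list and the local-proxy heuristic are the author's assumptions.
"""
import re

# Constructed excerpt: lines copied from the log above, abridged for the example.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"7070:TCP"= 7070:TCP:nfr
R2 ISPMonitorSrv;ISP Monitor; [x]
R2 NFRAgent;NFRAgent;c:\windows\system32\svchost.exe [2004-08-04 14336]
R2 osaio;osaio; [x]
S3 PortRW;PortRW;c:\windows\system32\Drivers\PortRW.sys [2003-08-15 3456]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nfrsvc REG_MULTI_SZ NFRAgent
uInternet Settings,ProxyServer = http=localhost:7171
"""

# ComboFix service line: "<status> <name>;<display name>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);\s*(.*)$')
TIMESTAMP_RE = re.compile(r'\s*\[\d{4}-\d{2}-\d{2} \d+\]$')
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer\s*=\s*(\S+)')
SVCHOST_RE = re.compile(r'^(\S+)\s+REG_MULTI_SZ\s+(.*)$')
BOOTEXEC_RE = re.compile(r'^BootExecute\s+REG_MULTI_SZ\s+(.*)$')

# Assumption: a partial list of svchost groups that ship with Windows XP.
SVCHOST_BASELINE = {'netsvcs', 'localservice', 'networkservice', 'rpcss',
                    'dcomlaunch', 'imgsvc', 'termsvcs', 'httpfilter'}
LOCAL_HOSTS = {'localhost', '127.0.0.1', '::1'}


def parse_services(text):
    """Return (status, name, display, image_path) for each service line."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            status, name, display, path = m.groups()
            out.append((status, name, display, TIMESTAMP_RE.sub('', path)))
    return out


def parse_open_ports(text):
    """Return (port, protocol, label) for each GloballyOpenPorts entry."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in (PORT_RE.match(l.strip()) for l in text.splitlines()) if m]


def parse_svchost_groups(text):
    """Map svchost group name -> list of hosted service names."""
    groups, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('['):
            in_key = line.lower().endswith(r'\svchost]')
            continue
        m = SVCHOST_RE.match(line) if in_key else None
        if m:
            groups[m.group(1)] = m.group(2).split()
    return groups


def parse_proxy(text):
    """Return the IE ProxyServer value, or None if the log has none."""
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if m:
            return m.group(1)
    return None


def review(text):
    """Return (category, detail) findings; each is a pointer for manual review."""
    findings = []
    lines = [l.strip() for l in text.splitlines()]
    if '"AntiVirusOverride"=dword:00000001' in lines:
        findings.append(('security-center',
                         'AntiVirusOverride=1: Security Center AV monitoring is suppressed'))
    for line in lines:
        m = BOOTEXEC_RE.match(line)
        if m:  # ComboFix renders the REG_MULTI_SZ separator as a literal \0
            for entry in m.group(1).split(r'\0'):
                if entry and entry != 'autocheck autochk *':
                    findings.append(('boot-execute', f'extra BootExecute entry: {entry}'))
    hosted = {svc: grp for grp, svcs in parse_svchost_groups(text).items() for svc in svcs}
    for _status, name, _display, path in parse_services(text):
        if path == '[x]':
            findings.append(('service', f'{name}: image path could not be resolved ([x])'))
        elif path.lower().endswith('svchost.exe'):
            grp = hosted.get(name, '<none>')
            note = '' if grp.lower() in SVCHOST_BASELINE else ' (group not in baseline list)'
            findings.append(('service', f'{name}: hosted in svchost group {grp}{note}'))
    for port, proto, label in parse_open_ports(text):
        if label.startswith('@'):  # description is a Windows resource string
            findings.append(('firewall', f'{port}/{proto} globally open (Windows resource string)'))
        else:
            findings.append(('firewall', f'{port}/{proto} globally open, labelled "{label}"'))
    proxy = parse_proxy(text)
    if proxy:
        for entry in proxy.split(';'):
            hostport = entry.split('=', 1)[-1]
            if hostport.rpartition(':')[0].lower() in LOCAL_HOSTS:
                findings.append(('proxy', f'browser proxy points at a local listener: {hostport}'))
    return findings


if __name__ == '__main__':
    for category, detail in review(SAMPLE_LOG):
        print(f'[{category}] {detail}')
```

Run against a full log instead of the excerpt by passing the file contents to review(); the parsers are line-oriented and ignore everything they do not recognise, so the file-list and Run-key sections pass through untouched.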