ComboFix 10-09-17.04 - Louis 09/19/2010  14:47:13.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.31.1043.18.2047.1473 [GMT 2:00]
Gestart vanuit: d:\documenten en settings\Louis\Bureaublad\ComboFix.exe
AV: McAfee Antivirus en antispyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
 * Aanwezig AV is actief

.

((((((((((((((((((((((((((((((((((   Andere Verwijderingen   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Data
c:\windows\system32\dlo497.dll
c:\windows\system32\dlo497.tmp
c:\windows\system32\drivers\ahzlorig.sys
c:\windows\system32\drivers\tgavhwdn.sys
c:\windows\system32\vgubhz.dll
d:\documenten en settings\All Users\Documenten\Settings
d:\documenten en settings\Louis\Application Data\4337348F3A05C1E4C1BFDC958755CDD3
d:\documenten en settings\Louis\Application Data\4337348F3A05C1E4C1BFDC958755CDD3\enemies-names.txt
d:\documenten en settings\Louis\Application Data\4337348F3A05C1E4C1BFDC958755CDD3\local.ini
d:\documenten en settings\Louis\Application Data\4337348F3A05C1E4C1BFDC958755CDD3\lsrslt.ini

Besmet exemplaar van c:\windows\system32\drivers\ipsec.sys werd aangetroffen en gedesinfecteerd  
Hersteld exemplaar van - Kitty had a snack :p 
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TGAVHWDN
-------\Legacy_WSMEKHBE
-------\Service_tgavhwdn
-------\Service_wsmekhbe


((((((((((((((((((((   Bestanden Gemaakt van 2010-08-19 to 2010-09-19  ))))))))))))))))))))))))))))))
.

2010-09-18 12:47 . 2010-09-18 12:47	664	----a-w-	c:\windows\system32\d3d9caps.dat
2010-09-18 12:17 . 2001-09-06 19:26	144384	-c--a-w-	c:\windows\system32\dllcache\avmenum.dll
2010-09-18 12:16 . 2001-08-17 18:19	553984	-c--a-w-	c:\windows\system32\dllcache\adm8820.sys
2010-09-18 08:37 . 2010-09-18 08:37	--------	d-----w-	d:\documenten en settings\Tum\Application Data\ArcSoft
2010-09-17 17:49 . 2010-09-17 17:49	503808	----a-w-	d:\documenten en settings\Tum\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-232cb9f5-n\msvcp71.dll
2010-09-17 17:49 . 2010-09-17 17:49	499712	----a-w-	d:\documenten en settings\Tum\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-232cb9f5-n\jmc.dll
2010-09-17 17:49 . 2010-09-17 17:49	61440	----a-w-	d:\documenten en settings\Tum\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-520146cc-n\decora-sse.dll
2010-09-17 17:49 . 2010-09-17 17:49	348160	----a-w-	d:\documenten en settings\Tum\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-232cb9f5-n\msvcr71.dll
2010-09-17 17:49 . 2010-09-17 17:49	12800	----a-w-	d:\documenten en settings\Tum\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-520146cc-n\decora-d3d.dll
2010-09-17 17:49 . 2010-09-17 17:49	--------	d-----w-	c:\program files\Common Files\Java
2010-09-17 17:49 . 2010-07-17 03:00	423656	----a-w-	c:\windows\system32\deployJava1.dll
2010-09-17 17:26 . 2010-09-17 17:26	--------	d-----w-	d:\documenten en settings\Tum\Application Data\Hewlett-Packard
2010-09-16 06:34 . 2010-09-16 06:34	--------	d-s---w-	d:\documenten en settings\Tineke\UserData
2010-09-14 17:34 . 2010-09-14 17:34	--------	d-s---w-	d:\documenten en settings\LocalService\UserData
2010-09-14 02:09 . 2010-09-14 02:10	--------	d-----w-	d:\documenten en settings\Tum\Local Settings\Application Data\CutePDF Writer
2010-09-07 18:48 . 2010-09-07 18:48	--------	d-----w-	d:\documenten en settings\Janine\Local Settings\Application Data\Mozilla
2010-09-07 18:48 . 2010-09-07 18:48	--------	d-----w-	d:\documenten en settings\Janine\Application Data\Share-to-Web Upload Folder
2010-09-01 23:00 . 2010-09-01 23:00	--------	d-s---w-	d:\documenten en settings\Tum\UserData
2010-08-24 00:09 . 2010-08-24 00:09	--------	d-----w-	d:\documenten en settings\All Users\Application Data\SSScanAppDataDir
2010-08-24 00:08 . 2010-08-24 00:08	--------	d-----w-	d:\documenten en settings\All Users\Application Data\MSScanAppDataDir

.
(((((((((((((((((((((((((((((((((((((((   Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-19 13:05 . 2010-08-10 05:59	782336	----a-w-	c:\windows\system32\drivers\qgjwzqq.sys
2010-09-18 12:47 . 2010-01-06 14:25	--------	d-----w-	d:\documenten en settings\Louis\Application Data\HPAppData
2010-09-17 17:48 . 2010-01-11 17:44	--------	d-----w-	c:\program files\Java
2010-09-10 22:14 . 2010-01-07 20:31	--------	d-----w-	d:\documenten en settings\Louis\Application Data\uTorrent
2010-08-23 23:59 . 2010-01-06 13:55	169360	----a-w-	c:\windows\hpoins38.dat
2010-08-18 00:48 . 2010-08-18 00:48	--------	d-----w-	d:\documenten en settings\Tineke\Application Data\Share-to-Web Upload Folder
2010-08-14 07:34 . 2010-01-10 22:04	--------	d-----w-	d:\documenten en settings\Louis\Application Data\Audacity
2010-08-12 20:09 . 2010-01-07 20:41	--------	d-----w-	d:\documenten en settings\Louis\Application Data\Media Player Classic
2010-08-12 06:18 . 2010-01-06 10:34	88000	----a-w-	c:\windows\system32\perfc013.dat
2010-08-12 06:18 . 2010-01-06 10:34	503386	----a-w-	c:\windows\system32\perfh013.dat
2010-08-11 06:12 . 2010-08-11 06:12	--------	d-----w-	d:\documenten en settings\Louis\Application Data\Malwarebytes
2010-08-11 06:11 . 2010-08-11 06:11	--------	d-----w-	d:\documenten en settings\All Users\Application Data\Malwarebytes
2010-08-11 00:41 . 2010-08-11 00:41	--------	d-----w-	d:\documenten en settings\LocalService\Application Data\HPAppData
2010-08-10 05:59 . 2010-08-10 05:59	--------	d-----w-	d:\documenten en settings\Louis\Application Data\etxaqjblq
2010-08-09 18:41 . 2010-08-09 18:40	--------	d-----w-	c:\program files\Common Files\Adobe
2010-07-31 08:53 . 2010-07-31 08:53	--------	d-----w-	d:\documenten en settings\All Users\Application Data\hps
2010-07-31 08:51 . 2010-07-31 08:51	--------	d-----w-	c:\program files\TNT Post Fotoservice
2010-07-20 00:02 . 2010-07-20 00:02	536	---ha-w-	C:\hpothb07.dat
2010-07-19 23:47 . 2010-07-19 23:47	82380	----a-w-	c:\windows\system32\drivers\AFS2K.SYS
.

(((((((((((((((((((((((((((((((((((((   Reg Opstartpunten   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="d:\documenten en settings\Louis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-06 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="d:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-28 61440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-24 1193848]
"SetIcon"="c:\program files\Icons\SetIcon.exe" [2002-08-22 39936]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

d:\documenten en settings\All Users\Menu Start\Programma's\Opstarten\
HP Digital Imaging Monitor.lnk - d:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/28/2010 2:40 AM 82952]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/8/2010 4:16 PM 93320]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/28/2010 2:40 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/28/2010 2:40 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/28/2010 2:40 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/28/2010 2:40 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/28/2010 2:40 AM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/28/2010 2:40 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/28/2010 2:40 AM 88480]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/28/2010 2:40 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/28/2010 2:40 AM 83496]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/17/2010 3:44 PM 691696]

--- Andere Services/Drivers In Geheugen ---

*Deregistered* - mfeavfk01
*Deregistered* - qgjwzqq

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
Inhoud van de 'Gedeelde Taken' map

2010-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-838170752-682003330-1005Core.job
- d:\documenten en settings\Louis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-06 16:19]

2010-09-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-838170752-682003330-1005UA.job
- d:\documenten en settings\Louis\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-06 16:19]
.
.
------- Bijkomende Scan -------
.
IE: E&xporteren naar Microsoft Excel - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - d:\documenten en settings\Louis\Application Data\Mozilla\Firefox\Profiles\4vu765p9.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\documenten en settings\Louis\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: d:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-19 15:03
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ... 

scannen van verborgen autostart items ... 

scannen van verborgen bestanden ... 

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qgjwzqq]

.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–}|ےےےےہ•}|ù•9~*]
"3140111900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3412)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
d:\documenten en settings\Louis\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Voltooingstijd: 2010-09-19  15:08:47 - machine werd herstart
ComboFix-quarantined-files.txt  2010-09-19 13:08

Pre-Run: 5,236,203,520 bytes beschikbaar
Post-Run: 5,206,650,880 bytes beschikbaar

WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 4EFA28F88543DEC3769BC7DF3F30E861