Trojaans paard Agent_r.XJ

tofelo · 22 januari 2011

Beste mensen van PC-help forum,

AVG detecteert op mijn PC het trojaanse paard Agent_r.XJ in de twee volgende bestanden: svchost.exe en explorer.exe

Het lukt AVG niet om ze op te schonen of te verwijderen (melding 'bestanden niet toegankelijk')

Ik heb Malwarebytes uitgevoerd, dat vond 5 (andere) geïnfecteerde bestanden en 1 geïnfecteerd register. Die zijn allemaal in quarantaine geplaatst en verwijderd.

Na opnieuw AVG te hebben uitgevoerd, wordt nog steeds Agent_r.XJ gevonden in svchost.exe, explorer.exe en nu ook wcauclt.exe

Wat kan ik nu het beste doen?

Hijackthis-logfile heb ik hieronder bijgevoegd.

Vriendelijke groet en alvast bedankt,

Tofelo

====

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 17:08:10, on 22-1-2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} (JordanUploader Class) - http://foto.hema.nl/ips-opdata/layout/hema/objects/jordan.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242909971215

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

O23 - Service: Google Updateservice (gupdate1c9ece78225a338) (gupdate1c9ece78225a338) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--

End of file - 8581 bytes

---------- Post toegevoegd om 18:01 ---------- Vorige post was om 17:56 ----------

Excuus, ik was nog vergeten te melden:

Onder de door Malwarebytes verwijderde bestanden bevond zich Palladium (een nep-virus-scanner?), waarvan ik ook allerlei pop-ups kreeg. Die pop-ups zijn nu wel verdwenen.

Groet,

Tofelo

kape · 22 januari 2011

Start Hijackthis op. Selecteer “Scan”. Selecteer alleen de items die hieronder zijn genoemd:

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

Klik op 'Fix checked' om de items te verwijderen.

Download ComboFix van één van deze locaties:

Link 1

Link 2

* BELANGRIJK !!! Sla ComboFix.exe op je Bureaublad op

1. Schakel alle antivirus- en antispywareprogramma's uit, want anders kunnen ze misschien conflicteren met ComboFix. Hier is een handleiding over hoe je ze kan uitschakelen:

Klik hier

Als het je niet lukt om ze uit te schakelen, ga dan gewoon door naar de volgende stap.

2. Dubbelklik op ComboFix.exe en volg de meldingen op het scherm.

3. ComboFix zal controleren of dat de Microsoft Windows Recovery Console reeds is geïnstalleerd.

**Let op: Als de Microsoft Windows Recovery Console al is geïnstalleerd, dan krijg je de volgende schermen niet te zien en zal ComboFix automatisch verder gaan met het scannen naar malware.

4. Volg de meldingen op het scherm om ComboFix de Microsoft Windows Recovery Console te laten downloaden en installeren.

Je krijgt de volgende melding te zien wanneer ComboFix de Microsoft Windows Recovery Console succesvol heeft geïnstalleerd:

Klik op Ja om verder te gaan met het scannen naar malware.

5. Wanneer ComboFix klaar is, zal het een logbestand voor je maken. Post de inhoud van dit logbestand (te vinden als C:\ComboFix.txt) in je volgende bericht, samen met een nieuw log van HijackThis.

23 januari 2011 aangepast door kape

tofelo · 22 januari 2011

Beste kape,

Dank voor de snelle reactie!

Heb Hijackthis en ComboFix uitgevoerd. Voor logs zie hieronder.

Groet,

Tofelo

===

ComboFix 11-01-22.01 - Tofelo 22-01-2011 22:44:53.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.3070.2703 [GMT 1:00]

Gestart vanuit: c:\documents and settings\Tofelo\Bureaublad\ComboFix.exe

AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Tofelo\Application Data\install_pal

c:\documents and settings\Tofelo\Application Data\uid_pal

Besmet exemplaar van c:\windows\system32\Drivers\sptd.sys werd aangetroffen en gedesinfecteerd

Hersteld exemplaar van - Kitty ate it

Besmet exemplaar van c:\windows\system32\Drivers\sptd.sys werd aangetroffen en gedesinfecteerd

Hersteld exemplaar van - Kitty ate it

.

(((((((((((((((((((( Bestanden Gemaakt van 2010-12-22 to 2011-01-22 ))))))))))))))))))))))))))))))

.

2011-01-22 21:36 . 2011-01-22 21:37 -------- d-----w- C:\32788R22FWJFW

2011-01-22 20:31 . 2011-01-22 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2011-01-22 14:58 . 2011-01-22 14:58 -------- d-----w- c:\documents and settings\Tofelo\Application Data\Malwarebytes

2011-01-22 14:57 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-01-22 14:57 . 2011-01-22 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-01-22 14:57 . 2011-01-22 14:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-01-22 14:57 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-01-02 14:35 . 2011-01-02 14:35 -------- d-----w- c:\program files\bol.com

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-18 18:15 . 2009-05-10 18:14 86016 ----a-w- c:\windows\system32\isign32.dll

2010-11-09 14:52 . 2003-04-08 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-06 00:23 . 2003-04-08 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:23 . 2003-04-08 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:23 . 2003-04-08 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:27 . 2004-08-04 07:55 385024 ----a-w- c:\windows\system32\html.iec

2010-11-02 15:17 . 2003-04-08 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys

2010-10-28 13:09 . 2003-04-08 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 14:00 . 2003-04-08 12:00 1853440 ----a-w- c:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-14 39408]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-06-24 247144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]

"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-05-21 1797880]

"RTHDCPL"="RTHDCPL.EXE" [2005-11-17 15600128]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Tofelo\Menu Start\Programma's\Opstarten\

SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks\swScheduler\swBOEngine.exe [2007-9-9 488728]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-7-7 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [22-8-2009 11:28 721904]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [21-5-2009 14:16 101776]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [21-5-2009 14:16 31504]

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [23-9-2009 6:44 2789672]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24-6-2010 15:41 92008]

S2 gupdate1c9ece78225a338;Google Updateservice (gupdate1c9ece78225a338);c:\program files\Google\Update\GoogleUpdate.exe [14-6-2009 12:58 133104]

S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [23-9-2009 6:45 15656]

.

Inhoud van de 'Gedeelde Taken' map

2011-01-22 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-14 11:57]

2011-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-14 11:58]

2011-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-14 11:58]

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.google.nl/

uInternet Settings,ProxyOverride = *.local

Trusted Zone: ing.nl

DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://foto.hema.nl/ips-opdata/layout/hema/objects/jordan.cab

FF - ProfilePath - c:\documents and settings\Tofelo\Application Data\Mozilla\Firefox\Profiles\6f16sc0q.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com

.

- - - - ORPHANS VERWIJDERD - - - -

AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe

AddRemove-QcDrv - c:\program files\Common Files\Logitech\QCDRV\BIN\SETUP.EXE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2011-01-22 23:03

Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover

Windows 5.1.2600 Disk: SAMSUNG_HM121HI rev.LZ100-08 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ABA6555]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8abac7b0]; MOV EAX, [0x8abac82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AC4DAB8]

3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000007d[0x8AC649E8]

5 ACPI[0xB9E65620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8ABC7940]

\Driver\atapi[0x8AC62908] -> IRP_MJ_CREATE -> 0x8ABA6555

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_HM121HI_________________________LZ100-08#31534a31444a5030333939363132202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x8ABA639B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

**************************************************************************

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(744)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3944)

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Andere Aktieve Processen ------------------------

.

c:\windows\System32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\WTablet\Wacom_TabletUser.exe

c:\windows\RTHDCPL.EXE

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Voltooingstijd: 2011-01-22 23:20:24 - machine werd herstart

ComboFix-quarantined-files.txt 2011-01-22 22:20

Pre-Run: 60.906.270.720 bytes beschikbaar

Post-Run: 62.100.520.960 bytes beschikbaar

- - End Of File - - DD855072C78867D38510A88641032778

===

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 23:58:28, on 22-1-2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)