I've been struggling for a while with a virus with the following characteristics:
1: my PC froze in normal mode
2: reboot, and after the Windows XP logo (blue loading bar) it stalled on a black screen with a white arrow
3: Safe Mode worked fine
4: one by one, functions stopped working in Safe Mode, such as System Restore and internet; it no longer finds USB sticks, and CD-R/DVD-R no longer respond.
5: System Restore works again, but now all restore points have suddenly been deleted
6: in May I ran ComboFix; it gave the message "rootkit activity found", I rebooted, it started normally and the problem was solved...
7: so now I had the same virus a second time, and this time I did System Restore first, which didn't help... then I ran ComboFix anyway and got the same rootkit activity message... I rebooted and unfortunately it now doesn't get through... what I get now is the same black screen...
8: so I just tried to use a load of free virus scanners (from download.com) on a CD... but the CD-ROM function (it seems as if the speed is being throttled...)
9: in the beginning I did have internet in Safe Mode, and then I was able to update ComboFix and also install that recovery tool... I believe that's manual PC repair, but I have no experience with it... I also have no idea what I'm supposed to do or what I'm looking for.
10: What I do have are 2 logs...
HijackThis and a ComboFix log... I have zero understanding of this myself.
---------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:31:37, on 5-6-2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\7c76b373-49be-4a74-8b28-6255311eedbc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Terminator\SpywareTerminator.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy2\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OP_CACHE.ATR
O4 - Startup: OP_CACHE.IDX
O4 - Global Startup: OP_CACHE.ATR
O4 - Global Startup: OP_CACHE.IDX
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy2\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendm.../win32/activex/hcImpl.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn...aireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn...tatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.../MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: MFDTNXD - Unknown owner - C:\DOCUME~1\matthijs\LOCALS~1\Temp\MFDTNXD.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 6619 bytes
---------------------------------------------------------------------------------------------------------
ComboFix 10-06-03.01 - matthijs 05-06-2010 4:25.3.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.1983.1692 [GMT 2:00]
Gestart vanuit: c:\documents and settings\matthijs\Mijn documenten\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec Endpoint Protection *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
Besmet exemplaar van c:\windows\system32\DRIVERS\ftdisk.sys werd aangetroffen en gedesinfecteerd
Hersteld exemplaar van - Kitty had a snack
.
(((((((((((((((((((( Bestanden Gemaakt van 2010-05-05 to 2010-06-05 ))))))))))))))))))))))))))))))
.
2010-06-04 19:03 . 2010-06-05 00:17 -------- d--h--r- c:\documents and settings\matthijs\Onlangs geopend
2010-06-04 17:21 . 2010-06-04 17:21 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-04 17:01 . 2010-06-04 19:03 -------- d-----w- C:\ComboFix(2)
2010-05-17 17:33 . 2010-05-17 17:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{DF6EE7CF-7EF2-42A2-A664-02694AB6B72E}
2010-05-17 17:33 . 2009-03-06 14:29 2691296 -c--a-w- c:\documents and settings\All Users\Application Data\{DF6EE7CF-7EF2-42A2-A664-02694AB6B72E}\BYKI4Installer.exe
2010-05-17 17:33 . 2010-05-17 17:33 -------- d-----w- c:\program files\Transparent
2010-05-17 17:33 . 2010-05-17 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Transparent
2010-05-15 13:49 . 2010-05-15 13:49 -------- d-----w- c:\documents and settings\matthijs\Local Settings\Application Data\Macromedia
2010-05-06 18:26 . 2010-05-06 18:27 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-05-06 18:25 . 2010-05-06 18:25 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-05-06 18:19 . 2010-05-06 18:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-05-06 18:11 . 2010-05-06 18:11 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-05 00:09 . 2009-02-24 08:30 -------- d-----w- c:\program files\Mozilla Firefox 3.1 Beta 2
2010-06-04 19:19 . 2007-09-24 07:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-04 16:47 . 2007-09-23 16:35 201972768 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-06-03 15:53 . 2007-09-23 16:31 4212 ---h--w- c:\windows\system32\zllictbl.dat
2010-06-03 09:48 . 2007-09-23 16:35 9572640 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-06-03 09:48 . 2007-09-23 16:35 908948 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-06-03 09:48 . 2007-09-23 16:35 2723588 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-06-02 04:25 . 2007-09-24 00:22 -------- d-----w- c:\documents and settings\matthijs\Application Data\ICQ
2010-05-31 15:42 . 2007-10-23 07:39 74344497 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2010-05-29 18:47 . 2007-09-27 04:08 -------- d-----w- c:\documents and settings\matthijs\Application Data\uTorrent
2010-05-24 18:59 . 2007-09-23 00:28 241104 ----a-w- c:\documents and settings\matthijs\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-24 10:31 . 2010-05-24 10:31 3936768 ----a-w- c:\windows\Internet Logs\xDB8CB.tmp
2010-05-19 17:29 . 2010-04-07 17:28 439816 ----a-w- c:\documents and settings\matthijs\Application Data\Real\Update\setup3.10\setup.exe
2010-05-16 05:53 . 2007-09-27 04:08 -------- d-----w- c:\program files\uTorrent
2010-05-15 13:49 . 2007-10-05 17:04 -------- d-----w- c:\program files\Common Files\Macromedia
2010-05-15 13:48 . 2008-10-22 14:38 -------- d-----w- c:\program files\Macromedia
2010-05-15 13:48 . 2007-09-24 00:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-15 13:26 . 2009-02-20 23:07 -------- d-----w- c:\program files\Opera 10 Preview
2010-05-14 15:58 . 2007-10-18 05:28 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-14 07:03 . 2007-09-23 21:46 -------- d-----w- c:\program files\Winamp
2010-05-09 11:50 . 2007-10-08 18:35 -------- d-----w- c:\program files\eMule
2010-05-09 11:45 . 2009-11-06 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\{29DE7D8A-76E9-40C8-AD3B-3D95E76E1227}
2010-05-09 11:44 . 2007-10-05 20:34 -------- d-----w- c:\program files\LimeWire Plus
2010-05-09 11:44 . 2009-06-16 18:45 -------- d-----w- c:\documents and settings\matthijs\Application Data\Hide IP NG
2010-05-09 11:10 . 2008-11-05 08:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-05-05 19:29 . 2009-12-14 06:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
2010-04-29 13:39 . 2008-08-12 10:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2008-08-12 10:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 11:09 . 2004-08-04 12:00 74802 ----a-w- c:\windows\system32\perfc013.dat
2010-03-29 11:09 . 2004-08-04 12:00 454118 ----a-w- c:\windows\system32\perfh013.dat
2010-03-29 10:51 . 2010-03-29 10:51 8 ----a-w- c:\documents and settings\NetworkService\Application Data\jasltw.dat
2008-02-07 18:47 . 2008-02-07 18:47 2212 ----a-w- c:\program files\unins000.dat
2003-06-16 14:23 . 2003-06-16 14:23 131072 ----a-w- c:\program files\T2DXi.dll
2003-06-16 14:17 . 2003-06-16 14:17 4317184 ----a-w- c:\program files\Triangle II.dll
2003-06-03 11:33 . 2003-06-03 11:33 90112 ----a-w- c:\program files\Triangle II.exe
2002-12-17 02:00 . 2002-12-17 02:00 82253 ----a-w- c:\program files\unins000.exe
2008-09-05 17:37 . 2008-09-05 17:37 88 --sh--r- c:\windows\system32\F147695CF6.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-05-10_07.47.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-09-23 20:48 . 2010-05-15 17:55 84507 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2007-09-22 23:52 . 2010-05-05 03:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-09-22 23:52 . 2010-06-04 16:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-09-22 23:52 . 2010-05-05 03:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
+ 2007-09-22 23:52 . 2010-06-04 16:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
+ 2007-09-23 16:35 . 2010-06-04 15:47 883860 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2007-09-23 16:35 . 2009-02-22 22:29 883860 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2010-01-27 00:58 . 2010-01-27 00:58 256280 c:\windows\system32\Macromed\Flash\FlashUtil10e.exe
+ 2010-05-17 17:33 . 2010-05-17 17:33 401408 c:\windows\Installer\23172ae.msi
+ 2007-09-27 06:33 . 2010-06-04 19:03 3321544 c:\windows\system32\Restore\rstrlog.dat
+ 2007-09-23 01:41 . 2010-05-19 11:10 1933608 c:\windows\system32\FNTCACHE.DAT
+ 2007-09-23 16:30 . 2010-05-26 17:00 15581274 c:\windows\system32\ZoneLabs\spyware.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
c:\documents and settings\matthijs\Menu Start\Programma's\Opstarten\
OP_CACHE.ATR [2008-2-2 24]
OP_CACHE.IDX [2008-2-2 12]
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
OP_CACHE.ATR [2008-2-2 24]
OP_CACHE.IDX [2008-2-2 12]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^OP_CACHE.ATR]
path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\OP_CACHE.ATR
backup=c:\windows\pss\OP_CACHE.ATRCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^OP_CACHE.IDX]
path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\OP_CACHE.IDX
backup=c:\windows\pss\OP_CACHE.IDXCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^matthijs^Menu Start^Programma's^Opstarten^OP_CACHE.ATR]
path=c:\documents and settings\matthijs\Menu Start\Programma's\Opstarten\OP_CACHE.ATR
backup=c:\windows\pss\OP_CACHE.ATRStartup
[HKLM\~\startupfolder\C:^Documents and Settings^matthijs^Menu Start^Programma's^Opstarten^OP_CACHE.IDX]
path=c:\documents and settings\matthijs\Menu Start\Programma's\Opstarten\OP_CACHE.IDX
backup=c:\windows\pss\OP_CACHE.IDXStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2007-02-28 21:06 2321600 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AolIdleMonOSInfo]
c:\program files\aim6\services\osinfo\ver1_1_1_3\osinfoosinfo.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
2006-06-29 14:45 1581056 ----a-r- c:\windows\mixer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 22:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 13:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware2\mbam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-10-10 19:49 7286784 ----a-w- c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2005-10-10 19:49 86016 ----a-w- c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-10-10 19:49 1519616 ----a-w- c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-10-19 19:16 286720 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-09-23 20:01 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
2008-11-13 10:52 90112 ----a-w- c:\program files\MAGIX\Movie_Edit_Pro_15_Plus_Download_version\Trayserver.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
2007-01-08 12:29 919280 ----a-w- c:\program files\Zone Labs\ZoneAlarm\zlclient.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Autodesk Licensing Service"=2 (0x2)
"FirebirdServerMAGIXInstance"=3 (0x3)
"WinDefend"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"sp_rssrv"=2 (0x2)
"SNAC"=3 (0x3)
"SmcService"=2 (0x2)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"mi-raysat_3dsmax9_32"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"avg8wd"=2 (0x2)
"wscsvc"=2 (0x2)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"UMWdf"=2 (0x2)
"TrkWks"=2 (0x2)
"TlntSvr"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"helpsvc"=2 (0x2)
"getPlusHelper"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=2 (0x2)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"ClipSrv"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=2 (0x2)
"BITS"=3 (0x3)
"AudioSrv"=2 (0x2)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
S0 maqveno;maqveno;c:\windows\system32\drivers\xeecr.sys --> c:\windows\system32\drivers\xeecr.sys [?]
S0 nwbwwfcd;nwbwwfcd;c:\windows\system32\drivers\lkuarqap.sys --> c:\windows\system32\drivers\lkuarqap.sys [?]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5-11-2008 10:32 97928]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [15-1-2009 17:17 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15-1-2009 17:17 55024]
S2 pntsmgcxmyazbhz;pntsmgcxmyazbhz;\??\c:\windows\system32\drivers\epxmw.sys --> c:\windows\system32\drivers\epxmw.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [22-2-2009 23:40 109616]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\c:\windows\system32\drivers\hitmanpro3.sys --> c:\windows\system32\drivers\hitmanpro3.sys [?]
S3 MFDTNXD;MFDTNXD;c:\docume~1\matthijs\LOCALS~1\Temp\MFDTNXD.exe --> c:\docume~1\matthijs\LOCALS~1\Temp\MFDTNXD.exe [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15-1-2009 17:17 7408]
S3 XNHG;XNHG;c:\docume~1\matthijs\LOCALS~1\Temp\XNHG.exe --> c:\docume~1\matthijs\LOCALS~1\Temp\XNHG.exe [?]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [15-2-2008 14:42 337800]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [13-6-2008 14:14 682232]
S4 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" --> c:\program files\Windows Defender\MsMpEng.exe [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Inhoud van de 'Gedeelde Taken' map
2010-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583907252-261903793-839522115-1003Core1ca5e7e3186b062.job
- c:\documents and settings\matthijs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-07 17:54]
2010-06-04 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-02-18 14:32]
.
.
------- Bijkomende Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
FF - ProfilePath - c:\documents and settings\matthijs\Application Data\Mozilla\Firefox\Profiles\m3ml6kpk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.printlife.nl/
FF - plugin: c:\documents and settings\matthijs\Application Data\Mozilla\Firefox\Profiles\m3ml6kpk.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\matthijs\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\np_gp.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npdsplay.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npwmsdrm.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-05 04:36
Windows 5.1.2600 Service Pack 2 NTFS
scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...
Scan succesvol afgerond
verborgen bestanden: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4A2EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bfc3
\Driver\ACPI -> ACPI.sys @ 0xf75adcb8
\Driver\atapi -> atapi.sys @ 0xf749f7b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e1a2
ParseProcedure -> ntoskrnl.exe @ 0x8057c745
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e1a2
ParseProcedure -> ntoskrnl.exe @ 0x8057c745
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
- - - - - - - > 'winlogon.exe'(924)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Voltooingstijd: 2010-06-05 04:40:26
ComboFix-quarantined-files.txt 2010-06-05 02:40
ComboFix2.txt 2010-06-04 18:21
ComboFix3.txt 2010-05-10 08:17
Pre-Run: 3.578.544.128 bytes beschikbaar
Post-Run: 3.543.797.760 bytes beschikbaar
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - BABC72BC3D64FDB687DA7B515D3BC676
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy2\SDHelper.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendm.../win32/activex/hcImpl.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn...aireShowdown.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn...tatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.../MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: MFDTNXD - Unknown owner - C:\DOCUME~1\matthijs\LOCALS~1\Temp\MFDTNXD.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 6619 bytes
---------------------------------------------------------------------------------------------------------
ComboFix 10-06-03.01 - matthijs 05-06-2010 4:25.3.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.1983.1692 [GMT 2:00]
Gestart vanuit: c:\documents and settings\matthijs\Mijn documenten\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec Endpoint Protection *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
Besmet exemplaar van c:\windows\system32\DRIVERS\ftdisk.sys werd aangetroffen en gedesinfecteerd
Hersteld exemplaar van - Kitty had a snack
.
(((((((((((((((((((( Bestanden Gemaakt van 2010-05-05 to 2010-06-05 ))))))))))))))))))))))))))))))
.
2010-06-04 19:03 . 2010-06-05 00:17 -------- d--h--r- c:\documents and settings\matthijs\Onlangs geopend
2010-06-04 17:21 . 2010-06-04 17:21 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-04 17:01 . 2010-06-04 19:03 -------- d-----w- C:\ComboFix(2)
2010-05-17 17:33 . 2010-05-17 17:33 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{DF6EE7CF-7EF2-42A2-A664-02694AB6B72E}
2010-05-17 17:33 . 2009-03-06 14:29 2691296 -c--a-w- c:\documents and settings\All Users\Application Data\{DF6EE7CF-7EF2-42A2-A664-02694AB6B72E}\BYKI4Installer.exe
2010-05-17 17:33 . 2010-05-17 17:33 -------- d-----w- c:\program files\Transparent
2010-05-17 17:33 . 2010-05-17 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Transparent
2010-05-15 13:49 . 2010-05-15 13:49 -------- d-----w- c:\documents and settings\matthijs\Local Settings\Application Data\Macromedia
2010-05-06 18:26 . 2010-05-06 18:27 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-05-06 18:25 . 2010-05-06 18:25 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-05-06 18:19 . 2010-05-06 18:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-05-06 18:11 . 2010-05-06 18:11 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-05 00:09 . 2009-02-24 08:30 -------- d-----w- c:\program files\Mozilla Firefox 3.1 Beta 2
2010-06-04 19:19 . 2007-09-24 07:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-04 16:47 . 2007-09-23 16:35 201972768 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-06-03 15:53 . 2007-09-23 16:31 4212 ---h--w- c:\windows\system32\zllictbl.dat
2010-06-03 09:48 . 2007-09-23 16:35 9572640 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-06-03 09:48 . 2007-09-23 16:35 908948 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-06-03 09:48 . 2007-09-23 16:35 2723588 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-06-02 04:25 . 2007-09-24 00:22 -------- d-----w- c:\documents and settings\matthijs\Application Data\ICQ
2010-05-31 15:42 . 2007-10-23 07:39 74344497 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2010-05-29 18:47 . 2007-09-27 04:08 -------- d-----w- c:\documents and settings\matthijs\Application Data\uTorrent
2010-05-24 18:59 . 2007-09-23 00:28 241104 ----a-w- c:\documents and settings\matthijs\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-24 10:31 . 2010-05-24 10:31 3936768 ----a-w- c:\windows\Internet Logs\xDB8CB.tmp
2010-05-19 17:29 . 2010-04-07 17:28 439816 ----a-w- c:\documents and settings\matthijs\Application Data\Real\Update\setup3.10\setup.exe
2010-05-16 05:53 . 2007-09-27 04:08 -------- d-----w- c:\program files\uTorrent
2010-05-15 13:49 . 2007-10-05 17:04 -------- d-----w- c:\program files\Common Files\Macromedia
2010-05-15 13:48 . 2008-10-22 14:38 -------- d-----w- c:\program files\Macromedia
2010-05-15 13:48 . 2007-09-24 00:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-15 13:26 . 2009-02-20 23:07 -------- d-----w- c:\program files\Opera 10 Preview
2010-05-14 15:58 . 2007-10-18 05:28 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-14 07:03 . 2007-09-23 21:46 -------- d-----w- c:\program files\Winamp
2010-05-09 11:50 . 2007-10-08 18:35 -------- d-----w- c:\program files\eMule
2010-05-09 11:45 . 2009-11-06 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\{29DE7D8A-76E9-40C8-AD3B-3D95E76E1227}
2010-05-09 11:44 . 2007-10-05 20:34 -------- d-----w- c:\program files\LimeWire Plus
2010-05-09 11:44 . 2009-06-16 18:45 -------- d-----w- c:\documents and settings\matthijs\Application Data\Hide IP NG
2010-05-09 11:10 . 2008-11-05 08:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-05-05 19:29 . 2009-12-14 06:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
2010-04-29 13:39 . 2008-08-12 10:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2008-08-12 10:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-29 11:09 . 2004-08-04 12:00 74802 ----a-w- c:\windows\system32\perfc013.dat
2010-03-29 11:09 . 2004-08-04 12:00 454118 ----a-w- c:\windows\system32\perfh013.dat
2010-03-29 10:51 . 2010-03-29 10:51 8 ----a-w- c:\documents and settings\NetworkService\Application Data\jasltw.dat
2008-02-07 18:47 . 2008-02-07 18:47 2212 ----a-w- c:\program files\unins000.dat
2003-06-16 14:23 . 2003-06-16 14:23 131072 ----a-w- c:\program files\T2DXi.dll
2003-06-16 14:17 . 2003-06-16 14:17 4317184 ----a-w- c:\program files\Triangle II.dll
2003-06-03 11:33 . 2003-06-03 11:33 90112 ----a-w- c:\program files\Triangle II.exe
2002-12-17 02:00 . 2002-12-17 02:00 82253 ----a-w- c:\program files\unins000.exe
2008-09-05 17:37 . 2008-09-05 17:37 88 --sh--r- c:\windows\system32\F147695CF6.sys
.
c:\program files\Borland\InterBase\UninstallerData\Uninstall InterBase 7.1 .exe
((((((((((((((((((((((((((((( SnapShot@2010-05-10_07.47.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-09-23 20:48 . 2010-05-15 17:55 84507 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2007-09-22 23:52 . 2010-05-05 03:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-09-22 23:52 . 2010-06-04 16:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-09-22 23:52 . 2010-05-05 03:09 32768 c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
+ 2007-09-22 23:52 . 2010-06-04 16:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Geschiedenis\History.IE5\index.dat
+ 2007-09-23 16:35 . 2010-06-04 15:47 883860 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2007-09-23 16:35 . 2009-02-22 22:29 883860 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2010-01-27 00:58 . 2010-01-27 00:58 256280 c:\windows\system32\Macromed\Flash\FlashUtil10e.exe
+ 2010-05-17 17:33 . 2010-05-17 17:33 401408 c:\windows\Installer\23172ae.msi
+ 2007-09-27 06:33 . 2010-06-04 19:03 3321544 c:\windows\system32\Restore\rstrlog.dat
+ 2007-09-23 01:41 . 2010-05-19 11:10 1933608 c:\windows\system32\FNTCACHE.DAT
+ 2007-09-23 16:30 . 2010-05-26 17:00 15581274 c:\windows\system32\ZoneLabs\spyware.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
c:\documents and settings\matthijs\Menu Start\Programma's\Opstarten\
OP_CACHE.ATR [2008-2-2 24]
OP_CACHE.IDX [2008-2-2 12]
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
OP_CACHE.ATR [2008-2-2 24]
OP_CACHE.IDX [2008-2-2 12]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^OP_CACHE.ATR]
path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\OP_CACHE.ATR
backup=c:\windows\pss\OP_CACHE.ATRCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^OP_CACHE.IDX]
path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\OP_CACHE.IDX
backup=c:\windows\pss\OP_CACHE.IDXCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^matthijs^Menu Start^Programma's^Opstarten^OP_CACHE.ATR]
path=c:\documents and settings\matthijs\Menu Start\Programma's\Opstarten\OP_CACHE.ATR
backup=c:\windows\pss\OP_CACHE.ATRStartup
[HKLM\~\startupfolder\C:^Documents and Settings^matthijs^Menu Start^Programma's^Opstarten^OP_CACHE.IDX]
path=c:\documents and settings\matthijs\Menu Start\Programma's\Opstarten\OP_CACHE.IDX
backup=c:\windows\pss\OP_CACHE.IDXStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2007-02-28 21:06 2321600 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AolIdleMonOSInfo]
c:\program files\aim6\services\osinfo\ver1_1_1_3\osinfoosinfo.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
2006-06-29 14:45 1581056 ----a-r- c:\windows\mixer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 22:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 13:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware2\mbam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-10-10 19:49 7286784 ----a-w- c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2005-10-10 19:49 86016 ----a-w- c:\windows\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-10-10 19:49 1519616 ----a-w- c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-10-19 19:16 286720 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-09-23 20:01 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
2008-11-13 10:52 90112 ----a-w- c:\program files\MAGIX\Movie_Edit_Pro_15_Plus_Download_version\Trayserver.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
2007-01-08 12:29 919280 ----a-w- c:\program files\Zone Labs\ZoneAlarm\zlclient.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Autodesk Licensing Service"=2 (0x2)
"FirebirdServerMAGIXInstance"=3 (0x3)
"WinDefend"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"sp_rssrv"=2 (0x2)
"SNAC"=3 (0x3)
"SmcService"=2 (0x2)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"mi-raysat_3dsmax9_32"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"avg8wd"=2 (0x2)
"wscsvc"=2 (0x2)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"UMWdf"=2 (0x2)
"TrkWks"=2 (0x2)
"TlntSvr"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"helpsvc"=2 (0x2)
"getPlusHelper"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=2 (0x2)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"ClipSrv"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=2 (0x2)
"BITS"=3 (0x3)
"AudioSrv"=2 (0x2)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
S0 maqveno;maqveno;c:\windows\system32\drivers\xeecr.sys --> c:\windows\system32\drivers\xeecr.sys [?]
S0 nwbwwfcd;nwbwwfcd;c:\windows\system32\drivers\lkuarqap.sys --> c:\windows\system32\drivers\lkuarqap.sys [?]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5-11-2008 10:32 97928]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [15-1-2009 17:17 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15-1-2009 17:17 55024]
S2 pntsmgcxmyazbhz;pntsmgcxmyazbhz;\??\c:\windows\system32\drivers\epxmw.sys --> c:\windows\system32\drivers\epxmw.sys [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [22-2-2009 23:40 109616]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\c:\windows\system32\drivers\hitmanpro3.sys --> c:\windows\system32\drivers\hitmanpro3.sys [?]
S3 MFDTNXD;MFDTNXD;c:\docume~1\matthijs\LOCALS~1\Temp\MFDTNXD.exe --> c:\docume~1\matthijs\LOCALS~1\Temp\MFDTNXD.exe [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15-1-2009 17:17 7408]
S3 XNHG;XNHG;c:\docume~1\matthijs\LOCALS~1\Temp\XNHG.exe --> c:\docume~1\matthijs\LOCALS~1\Temp\XNHG.exe [?]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [15-2-2008 14:42 337800]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [13-6-2008 14:14 682232]
S4 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" --> c:\program files\Windows Defender\MsMpEng.exe [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Inhoud van de 'Gedeelde Taken' map
2010-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-583907252-261903793-839522115-1003Core1ca5e7e3186b062.job
- c:\documents and settings\matthijs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-07 17:54]
2010-06-04 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-02-18 14:32]
.
.
------- Bijkomende Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
FF - ProfilePath - c:\documents and settings\matthijs\Application Data\Mozilla\Firefox\Profiles\m3ml6kpk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.printlife.nl/
FF - plugin: c:\documents and settings\matthijs\Application Data\Mozilla\Firefox\Profiles\m3ml6kpk.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\matthijs\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\np_gp.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npdsplay.dll
FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npwmsdrm.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-05 04:36
Windows 5.1.2600 Service Pack 2 NTFS
scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...
Scan succesvol afgerond
verborgen bestanden: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4A2EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bfc3
\Driver\ACPI -> ACPI.sys @ 0xf75adcb8
\Driver\atapi -> atapi.sys @ 0xf749f7b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e1a2
ParseProcedure -> ntoskrnl.exe @ 0x8057c745
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e1a2
ParseProcedure -> ntoskrnl.exe @ 0x8057c745
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
- - - - - - - > 'winlogon.exe'(924)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Voltooingstijd: 2010-06-05 04:40:26
ComboFix-quarantined-files.txt 2010-06-05 02:40
ComboFix2.txt 2010-06-04 18:21
ComboFix3.txt 2010-05-10 08:17
Pre-Run: 3.578.544.128 bytes beschikbaar
Post-Run: 3.543.797.760 bytes beschikbaar
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - BABC72BC3D64FDB687DA7B515D3BC676
-----------------------------------------------------------------------------------------------