Hello Argus.
Installed it and let it scan.
SDFix:
SDFix: Version 1.240
Run by Marinus van der wal on 2009-01-16 at 21:58
Microsoft Windows XP
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 22:05:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Sitecom\\IVT BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\Sitecom\\IVT BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
Files with Hidden Attributes :
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\File Scanner Library (Spybot - Search & Destroy)\advcheck.dll"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)\Tools.dll"
Mon 21 Jan 2008 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\SDHelper (Spybot - Search & Destroy)\SDHelper.dll"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 7 Jul 2008 2,156,368 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\TeaTimer (Spybot - Search & Destroy)\TeaTimer.exe"
Sat 24 Dec 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 15 Sep 2005 20,480 ...H. --- "C:\Documents and Settings\Marinus van der wal\Application Data\Microsoft\Word\~WRL0004.tmp"
Sun 18 Apr 2004 21,504 ...H. --- "C:\Documents and Settings\Marinus van der wal\Application Data\Microsoft\Word\~WRL0005.tmp"
Sun 18 Apr 2004 24,064 ...H. --- "C:\Documents and Settings\Marinus van der wal\Application Data\Microsoft\Word\~WRL1439.tmp"
Sat 24 Dec 2005 4,348 A..H. --- "C:\Documents and Settings\Marinus van der wal\Mijn documenten\Mijn muziek\Back-up van licentie\drmv1key.bak"
Sat 29 Jul 2006 20 A..H. --- "C:\Documents and Settings\Marinus van der wal\Mijn documenten\Mijn muziek\Back-up van licentie\drmv1lic.bak"
Sat 29 Jul 2006 400 A.SH. --- "C:\Documents and Settings\Marinus van der wal\Mijn documenten\Mijn muziek\Back-up van licentie\drmv2key.bak"
Finished!
COMBOfix:
ComboFix 09-01-15.01 - Marinus van der wal 2009-01-16 21:32:14.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1043.18.1023.818
Gestart vanuit: c:\documents and settings\Marinus van der wal\Bureaublad\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
AV: NOD32 antivirus systeem 2.51 *On-access scanning disabled* (Outdated)
AV: Panda Titanium Antivirus 2004 *On-access scanning disabled* (Outdated)
WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\smdat32m.sys
c:\windows\system32\nthst32.dll
.
(((((((((((((((((((( Bestanden Gemaakt van 2008-12-16 to 2009-01-16 ))))))))))))))))))))))))))))))
.
2009-01-16 21:23 . 2008-11-06 02:03 d-------- C:\SDFix
2009-01-16 14:23 . 2009-01-16 14:23 d-------- c:\program files\CleanUp!
2009-01-16 13:17 . 2009-01-16 13:17 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-16 13:17 . 2009-01-16 13:18 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-16 12:42 . 2009-01-16 12:42 d-------- c:\program files\Uniblue
2009-01-16 12:42 . 2009-01-16 12:42 d-------- c:\documents and settings\Marinus van der wal\Application Data\Uniblue
2009-01-16 12:42 . 2009-01-16 12:42 d--h-c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-01-16 12:24 . 2009-01-16 12:24 d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-15 21:12 . 2009-01-15 21:12 d-------- c:\program files\Trend Micro
2009-01-15 18:28 . 2009-01-15 18:28 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-15 18:28 . 2009-01-15 18:28 d-------- c:\documents and settings\Marinus van der wal\Application Data\Malwarebytes
2009-01-15 18:28 . 2009-01-15 18:28 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-15 18:28 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-15 18:28 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-13 14:50 . 2007-10-25 17:44 8,507,392 --------- c:\windows\system32\SET157.tmp
2009-01-13 14:50 . 2007-10-25 17:44 8,507,392 -----c--- c:\windows\system32\dllcache\SET158.tmp
2009-01-08 19:58 . 2009-01-08 19:58 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-22 11:03 . 2008-12-22 11:03 d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-22 11:03 . 2008-12-22 11:03 d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-22 11:03 . 2008-12-22 11:03 d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-20 11:09 . 2008-06-14 19:00 272,640 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-20 11:09 . 2008-08-14 10:51 138,368 -----c--- c:\windows\system32\dllcache\afd.sys
2008-12-20 11:05 . 2008-09-15 16:42 1,846,144 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-12-20 11:04 . 2008-05-01 15:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2008-12-20 11:03 . 2008-04-11 19:51 683,520 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-12-20 11:01 . 2008-10-03 11:17 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll
2008-12-19 23:38 . 2008-12-19 23:38 d-------- c:\windows\ServicePackFiles
2008-12-19 23:28 . 2004-08-04 06:29 1,897,408 --------- c:\windows\system32\drivers\nv4_mini.sys
2008-12-19 23:27 . 2004-08-04 08:54 327,168 --------- c:\windows\system32\drivers\ati2mtaa.sys
2008-12-19 21:02 . 2008-12-19 21:28 d-------- c:\program files\Avira
2008-12-19 21:02 . 2008-12-19 21:28 d-------- c:\documents and settings\All Users\Application Data\Avira
2008-12-19 19:38 . 2008-12-19 22:34 22,058,104 --a------ c:\program files\antivir_workstation_winu_en_h.exe
2008-12-19 19:24 . 2008-12-20 11:13 d-------- c:\windows\system32\CatRoot_bak
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 12:17 --------- d-----w c:\program files\Lavasoft
2009-01-16 12:03 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-16 11:53 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-16 11:24 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-16 11:20 --------- d-----w c:\program files\LimeWire
2009-01-16 11:06 --------- d-----w c:\program files\ESET
2009-01-15 21:40 --------- d-----w c:\program files\software
2009-01-15 21:37 --------- d-----w c:\program files\Symantec
2009-01-15 21:21 --------- d-----w c:\documents and settings\Marinus van der wal\Application Data\Lavasoft
2009-01-12 11:16 --------- d-----w c:\program files\Overhoor
2008-12-22 10:03 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-20 15:06 31 ----a-w c:\documents and settings\Marinus van der wal\jagex_runescape_preferences.dat
2008-12-19 18:09 --------- d-----w c:\program files\Avira(2)
2008-12-19 18:09 --------- d-----w c:\documents and settings\All Users\Application Data\Avira(2)
2008-12-11 17:07 --------- d-----w c:\program files\Malmberg
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-08 15:15 --------- d-----w c:\program files\Java
2008-11-18 18:45 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-18 18:45 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-26 12:16 27,231,129 ----a-w c:\program files\ivdf_fusebundle_nt_en.zip
2008-08-29 20:59 4,898,704 ----a-w c:\program files\LimeWireWin.exe
2008-01-21 17:59 6,219,320 ----a-w c:\program files\picasaweb-current-setup.exe
2007-12-06 21:33 390,235 ----a-w c:\program files\GoogleVideoUploaderInstaller.exe
2007-12-06 20:59 9,733,451 ----a-w c:\program files\vlc-0.8.6d-win32.exe
2007-03-21 21:57 14,994,152 ----a-w c:\program files\GoogleEarthWin_EARD.exe
2006-10-30 17:57 339 ---ha-w c:\documents and settings\Marinus van der wal\hpothb07.dat
2006-10-30 17:57 167 ---ha-w c:\documents and settings\LocalService\hpothb07.dat
2006-10-30 17:57 0 ---ha-w c:\documents and settings\Default User\hpothb07.dat
2006-05-19 19:03 243,512 ----a-w c:\program files\jre-1_5_0_06-windows-i586-p-iftw.exe
2004-03-08 16:25 2,058 ------w c:\documents and settings\Marinus van der wal\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe"
"IE New Window Maximizer"="c:\program files\IE New Window Maximizer\iemaximizer.exe"
"InstantTray"="c:\program files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe"
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe"
"PinnacleDriverCheck"="c:\windows\System32\PSDrvCheck.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe"
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe"
"Ptipbmf"="ptipbmf.dll"
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE"
"InstantTray"="c:\program files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe"
"IW_Drop_Icon"="c:\program files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe"
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Reader Snelle start.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0SsiEfr.e\0lsdelete
"AntiVirusOverride"=dword:00000001
"DisableMonitoring"=dword:00000001
"DisableMonitoring"=dword:00000001
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sitecom\\IVT BlueSoleil\\BlueSoleil.exe"=
R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys
R0 viaide1;viaide1;c:\windows\system32\drivers\viaidexp.sys
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys
R0 VOBID;VOBID;c:\windows\system32\drivers\vobid.sys
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys
R1 vobcom;vobcom;c:\windows\system32\drivers\vobcom.sys
R1 vobiw;vobiw;c:\windows\system32\drivers\vobIW.sys
R3 cdrdrv;Cdrdrv;c:\windows\system32\drivers\Cdrdrv.sys
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys
--- Andere Services/Drivers In Geheugen ---
*NewlyCreated* - PAVDRV
*NewlyCreated* - PAVPROC
*NewlyCreated* - PAVPRSRV
*NewlyCreated* - PAVSRV
*NewlyCreated* - RASMAN
*NewlyCreated* - SHLDDRV
*NewlyCreated* - WS2IFSL
*Deregistered* - pavdrv
*Deregistered* - PavProc
*Deregistered* - PavPrSrv
*Deregistered* - PAVSRV
*Deregistered* - ShldDrv
.
Inhoud van de 'Gedeelde Taken' map
2009-01-14 c:\windows\Tasks\WebReg 20040225203217.job
- c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqwrg.exe
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.nl/
uInternet Connection Wizard,ShellNext = iexplore
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\windows\Downloaded Program Files\WAYNImportOE.dll - O16 -: {083DB4B1-8108-42E3-AC45-A042C1631CA3}
hxxp://www.wayn.com/activex/WAYNImportOE.cab
c:\windows\Downloaded Program Files\ipv6cam.ocx - c:\windows\Downloaded Program Files\AudioClient.ocx
O16 -: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9}
hxxp://213.84.159.82:50000/SysCamInst.cab
c:\windows\Downloaded Program Files\install.inf
c:\windows\Downloaded Program Files\MxPEG_ActiveX.ocx - O16 -: {304171C0-65EA-4B51-B5D9-93A311E26EB1}
hxxp://212.182.185.186/cgi-bin/MxPEG_ActiveX.cab?dummy=2422621
c:\windows\Downloaded Program Files\MxPEG_ActiveX.inf
O16 -: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://82.176.193.16:8090/activex/AMC.cab
c:\windows\Downloaded Program Files\setup.inf
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 21:37:12
Windows 5.1.2600 Service Pack 2 NTFS
scannen van verborgen processen ...
scannen van verborgen autostart items ...
scannen van verborgen bestanden ...
Scan succesvol afgerond
verborgen bestanden: 0
**************************************************************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
- - - - - - - > 'winlogon.exe'(232)
c:\windows\SYSTEM32\Ati2evxx.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
.
**************************************************************************
.
Voltooingstijd: 2009-01-16 21:42:28 - machine werd herstart
ComboFix-quarantined-files.txt 2009-01-16 20:41:18
Pre-Run: 25,789,181,952 bytes beschikbaar
Post-Run: 25,811,382,272 bytes beschikbaar
189 --- E O F --- 2009-01-16 01:12:35