trojan horse packed.protector.c

  • Alain

    Hallo,

For a few days now AVG has kept reporting that a trojan horse threat has been found, namely packed.protector.c in atapi.sys. AVG cannot remove it; I then followed your step-by-step plan and found the following logs:

    HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 12:02:39, on 6-12-2009

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\csrss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Windows Defender\MsMpEng.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    c:\acer\KnobService.exe

    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\System32\svchost.exe

    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

    C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

    C:\Program Files\Java\jre6\bin\jqs.exe

    C:\WINDOWS\System32\svchost.exe

    C:\PROGRA~1\AVG\AVG8\avgrsx.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\System32\wbem\unsecapp.exe

    C:\WINDOWS\system32\wbem\wmiprvse.exe

    C:\WINDOWS\System32\alg.exe

    C:\WINDOWS\CNYHKey.exe

    C:\WINDOWS\mHotMon.exe

    C:\ACER\MPS.EXE

    C:\Program Files\Windows Defender\MSASCui.exe

    C:\PROGRA~1\AVG\AVG8\avgtray.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

    C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe

    C:\Program Files\Java\jre6\bin\jusched.exe

    C:\Program Files\Messenger\MSMSGS.EXE

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Microsoft ActiveSync\wcescomm.exe

    C:\Documents and Settings\Alain\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    C:\PROGRA~1\MICROS~4\rapimgr.exe

    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

    C:\Program Files\Common Files\Teleca Shared\Generic.exe

    C:\WINDOWS\mHotkey.exe

    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

    C:\Program Files\AVG\AVG8\avgcsrvx.exe

    C:\Documents and Settings\Alain\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

    C:\Documents and Settings\Alain\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

    O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll

    O4 - HKLM\..\Run: CNYHKey.exe

    O4 - HKLM\..\Run: sser.exe

    O4 - HKLM\..\Run: mHotMon.exe

    O4 - HKLM\..\Run: C:\acer\KnobMonitor.exe

    O4 - HKLM\..\Run: C:\ACER\MPS.EXE

O4 - HKLM\..\Run: "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon

O4 - HKLM\..\Run: C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

O4 - HKLM\..\Run: "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"

O4 - HKLM\..\Run: "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: "C:\Program Files\Messenger\MSMSGS.EXE" /background

O4 - HKCU\..\Run: C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: "C:\Documents and Settings\Alain\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')

O4 - HKUS\S-1-5-19\..\Run: RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Lokale service')

O4 - HKUS\S-1-5-20\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')

O4 - HKUS\S-1-5-18\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

    O4 - Startup: Mediacontrole Picture Motion Browser.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

    O4 - Startup: algqeh32.exe

    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\J River\Media Jukebox\DMDownload.htm

    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Mobiele favorieten maken - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/

    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137002439109

    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

    O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://cache.hyves-static.net/statics/Aurigma/ImageUploader4.cab

    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

    O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    O23 - Service: Knob Service (KNOBSERV) - Acer Inc. - c:\acer\KnobService.exe

    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

    End of file - 9809 bytes

    MBAM:

    Malwarebytes' Anti-Malware 1.42

    Database versie: 3303

    Windows 5.1.2600 Service Pack 3

    Internet Explorer 8.0.6001.18702

    6-12-2009 11:30:59

    mbam-log-2009-12-06 (11-30-59).txt

    Scan type: Snelle Scan

    Objecten gescand: 122796

    Verstreken tijd: 15 minute(s), 33 second(s)

    Geheugenprocessen geïnfecteerd: 0

    Geheugenmodulen geïnfecteerd: 0

    Registersleutels geïnfecteerd: 8

    Registerwaarden geïnfecteerd: 2

    Registerdata bestanden geïnfecteerd: 0

    Mappen geïnfecteerd: 0

    Bestanden geïnfecteerd: 12

    Geheugenprocessen geïnfecteerd:

    (Geen kwaadaardige items gevonden)

    Geheugenmodulen geïnfecteerd:

    (Geen kwaadaardige items gevonden)

    Registersleutels geïnfecteerd:

    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.

    HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.

    HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.

    HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.

    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mwmpupdate (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registerwaarden geïnfecteerd:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.

    Registerdata bestanden geïnfecteerd:

    (Geen kwaadaardige items gevonden)

    Mappen geïnfecteerd:

    (Geen kwaadaardige items gevonden)

    Bestanden geïnfecteerd:

    C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.

    C:\Program Files\otdll50.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

    C:\Program Files\imageload.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

    C:\Program Files\M2VSoftEnc.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

    C:\Program Files\MachineControl.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

    C:\Program Files\NavCmdAssembler.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

    C:\Program Files\RTPreviewControl.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

    C:\Program Files\P3Package.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

    C:\Program Files\P4Package.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

    C:\Program Files\CDRDriveControl.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

    C:\Program Files\DLTTapeControl.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

    C:\Program Files\TMPGEnc.exe (Trojan.Alphabet) -> Quarantined and deleted successfully.

I have the feeling that the trojan horse still has not been removed; can you do anything with these log files?

Thanks in advance!

    Alain.

  • Teaser

Download Combofix to your Desktop.

If you have used Combofix before, please delete that version and download Combofix again via the link above,

because Combofix is updated daily.

NOTE: if, during or after downloading Combofix or while using Combofix, you get a warning

from your antivirus or another real-time scanner, disable that scanner and download Combofix again.

Some scanners regard certain components that Combofix uses as suspicious and will block or remove them!

• Double-click Combofix.exe

  Follow the instructions, accept the disclaimer.

  While the fix is running, do NOT click in the window, because this will make your PC hang.

When the fix has finished and after the restart, the log combofix.txt will open.

Post this log in your next reply together with a new HijackThis log.

Edited the message, then.

  • Argus

@Teaser

Tested it yourself?

  • Teaser

Argus wrote:

----------------------------------------

> @Teaser

> Tested it yourself?

Unfortunately it installs Spyware Doctor

But at the moment I have no better alternative :S

  • alex

I would use Combo first

I think you had better leave this one to Argus

  • Argus

atapi.sys is put back by ComboFix, so that is what you should run

  • Alain

I followed your advice, and I think it worked :).

Combofix log:

    ComboFix 09-12-06.09 - Alain 07-12-2009 8:16.1.2 - FAT32x86

    Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.510.25

    Gestart vanuit: c:\documents and settings\Alain\Mijn documenten\Downloads\ComboFix.exe

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    .

    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\documents and settings\Alain\Menu Start\Programma's\Opstarten\algqeh32.exe

    c:\windows\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd

    J:\Autorun.inf

    Besmet exemplaar van c:\windows\system32\Drivers\atapi.sys werd aangetroffen en gedesinfecteerd

    Hersteld exemplaar van - c:\windows\ServicePackFiles\i386\atapi.sys

    .

    (((((((((((((((((((( Bestanden Gemaakt van 2009-11-07 to 2009-12-07 ))))))))))))))))))))))))))))))

    .

2009-12-07 07:01 . 2009-12-07 06:48 -------- d-----w- C:\32788R22FWJFW

2009-12-06 11:01 . 2009-12-06 11:01 -------- d-----w- c:\program files\Trend Micro

2009-12-06 10:11 . 2009-12-06 10:11 -------- d-----w- c:\documents and settings\Alain\Application Data\Malwarebytes

2009-12-06 10:11 . 2009-12-03 15:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-06 10:11 . 2009-12-06 10:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-12-06 10:11 . 2009-12-03 15:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-06 10:11 . 2009-12-06 10:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-04 00:47 . 2009-12-03 22:00 15880 ----a-w- c:\windows\system32\lsdelete.exe

2009-12-03 22:01 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-12-03 21:59 . 2009-12-03 21:59 -------- d--h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}

2009-12-03 21:59 . 2009-10-03 08:15 2924848 ----a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe

2009-12-03 21:58 . 2009-12-03 21:58 -------- d-----w- c:\program files\Lavasoft

2009-12-03 21:58 . 2009-12-03 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-12-03 20:55 . 2009-12-03 20:55 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-12-03 20:55 . 2009-12-03 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-12-03 19:39 . 2009-12-03 19:39 -------- d-----w- c:\documents and settings\Alain\Application Data\thecleaner

2009-11-29 17:54 . 2009-09-10 21:03 32768 ----a-w- c:\program files\Ziggo Live Televisie Player 1.0.7.exe

2009-11-27 21:39 . 2009-11-27 21:39 -------- d-----w- c:\documents and settings\Alain\Local Settings\Application Data\Readon_Technology

2009-11-27 21:37 . 2009-11-27 21:37 5430 ----a-r- c:\documents and settings\Alain\Application Data\Microsoft\Installer\{76A006E1-9C8A-421D-B666-D202A50F2774}\_6FEFF9B68218417F98F549.exe

2009-11-27 21:37 . 2009-11-27 21:37 5430 ----a-r- c:\documents and settings\Alain\Application Data\Microsoft\Installer\{76A006E1-9C8A-421D-B666-D202A50F2774}\_554F2D735C26835141FD45.exe

2009-11-27 21:37 . 2009-11-27 21:37 5430 ----a-r- c:\documents and settings\Alain\Application Data\Microsoft\Installer\{76A006E1-9C8A-421D-B666-D202A50F2774}\_307A0500ADC970657432C5.exe

2009-11-27 21:37 . 2009-11-27 21:37 5430 ----a-r- c:\documents and settings\Alain\Application Data\Microsoft\Installer\{76A006E1-9C8A-421D-B666-D202A50F2774}\_1630DE13156CDEBFB12C8B.exe

2009-11-27 21:37 . 2009-11-27 21:37 -------- d-----w- c:\program files\Readon Technology

2009-11-27 05:39 . 2009-11-27 05:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2009-11-25 18:00 . 2009-11-06 18:01 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll

    .

    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

2009-12-03 22:01 . 2009-12-03 22:00 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe

2009-11-28 10:34 . 2009-11-28 10:34 12 ----a-w- c:\documents and settings\NetworkService\Application Data\cbqozg.dat

2009-11-28 10:34 . 2009-11-28 10:34 4 ----a-w- c:\documents and settings\Alain\Application Data\avdrn.dat

2009-11-04 18:49 . 2009-11-04 18:49 152576 ----a-w- c:\documents and settings\Alain\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-11-04 18:49 . 2009-11-04 18:49 79488 ----a-w- c:\documents and settings\Alain\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-11-02 19:42 . 2009-10-02 18:19 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-10-15 02:15 . 1979-12-31 23:00 92564 ----a-w- c:\windows\system32\perfc013.dat

2009-10-15 02:15 . 1979-12-31 23:00 513384 ----a-w- c:\windows\system32\perfh013.dat

2009-10-11 03:17 . 2009-05-25 09:07 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-11 15:20 . 1979-12-31 23:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-02-02 07:00 . 2005-11-26 11:31 8139 ----a-w- c:\program files\CurrentCfg.tpr

2009-02-02 07:00 . 2005-11-26 11:23 5608 ----a-w- c:\program files\TMPGEnc.ini

2009-01-18 11:15 . 2009-01-18 11:15 1094021 ----a-w- c:\program files\dvdshrink32.zip

2009-01-11 07:46 . 2009-01-11 07:38 7072516 ----a-w- c:\program files\USDownloader135.zip

2008-12-14 13:55 . 2008-12-14 13:55 1378435 ----a-w- c:\program files\VirtualDub-1.8.6.zip

2008-12-06 22:45 . 2008-12-06 22:44 1851544 ----a-w- c:\program files\install_flash_player.exe

2008-12-04 19:17 . 2008-12-04 19:17 8137408 ----a-w- c:\program files\Firefox Setup 3.0.4.exe

2008-12-02 20:33 . 2008-12-02 20:33 2125249 ----a-w- c:\program files\burrrn_package.exe

2008-11-25 20:14 . 2008-11-25 20:14 1379672 ----a-w- c:\program files\NeatSetup.exe

2008-11-01 12:06 . 2008-11-01 12:06 20630 ----a-w- c:\program files\K3_en_het_Toverhart_2008.torrent

2008-11-01 11:53 . 2008-11-01 11:53 25313 ----a-w- c:\program files\Tinker_Bell_2008.torrent

2008-10-25 15:10 . 2008-10-25 15:10 20329 ----a-w- c:\program files\Ilse_Delange_-_Incredible.torrent

2008-10-25 15:07 . 2006-06-22 19:08 20480 --sha-w- c:\program files\Thumbs.db

2008-10-25 15:05 . 2008-10-25 15:05 23999 ----a-w- c:\program files\sinterklaasss.torrent

2008-10-18 20:40 . 2008-10-18 20:40 8420211 ----a-w- c:\program files\20070814151944406_Samsung_USB_Driver_Installer.exe

2008-09-15 18:18 . 2008-09-15 18:18 2905 ----a-w- c:\program files\CzDC.xml

2008-09-15 18:18 . 2008-09-15 18:18 101 ----a-w- c:\program files\ADLSearch.xml

2008-09-15 18:18 . 2008-09-15 18:18 595 ----a-w- c:\program files\Favorites.xml

2008-09-15 18:18 . 2008-09-15 18:18 366 ----a-w- c:\program files\Recents.xml

2008-09-15 18:18 . 2008-09-15 17:53 584 ----a-w- c:\program files\Users.xml

2008-09-15 18:17 . 2008-09-15 17:53 100 ----a-w- c:\program files\Queue.xml

2008-09-15 18:10 . 2008-09-15 17:55 100 ----a-w- c:\program files\Queue.xml.bak

2008-09-08 17:55 . 2008-09-08 17:55 3168146 ----a-w- c:\program files\CzDC-0699.7z

2008-05-12 08:48 . 2008-05-12 08:48 1307613 ----a-w- c:\program files\MAC_401b2.exe

2007-06-23 19:21 . 2007-06-23 19:21 92057 ----a-w- c:\program files\Mr_Bean_-_Mr_Bean_-_Complete_Mr_Bean_On_One_DVD.torrent

2007-06-23 18:07 . 2007-06-23 18:07 4647 ----a-w- c:\program files\Within_Temptation-Frozen-CDS-2007-KORV_--_.torrent

2007-06-23 16:38 . 2007-06-23 16:38 22610 ----a-w- c:\program files\THE_WILD.ISO.torrent

2007-06-23 14:49 . 2007-06-23 14:49 10050902 ----a-w- c:\program files\Codecs6030_allin1.exe

2007-04-13 23:51 . 2007-04-13 23:51 42876 ----a-w- c:\program files\Apocalypto.ISO

2007-04-09 08:01 . 2007-04-09 08:01 23627 ----a-w- c:\program files\_-_American_Pie_5.torrent

2007-04-09 07:57 . 2007-04-09 07:57 29272 ----a-w- c:\program files\frank_and_frey_2.torrent

2007-04-08 10:15 . 2007-04-08 10:15 95076 ----a-w- c:\program files\Ap_Assepoester_-_Terug_in_de_tijd.torrent

2007-04-06 14:00 . 2007-04-06 14:00 43492 ----a-w- c:\program files\ghost.torrent

2007-04-04 18:58 . 2007-04-04 18:58 8490050 ----a-w- c:\program files\MediaJukebox8.exe

2007-03-17 16:19 . 2007-03-17 16:19 37588 ----a-w- c:\program files\Spetters.torrent

2007-03-17 14:05 . 2007-03-17 14:05 15713 ----a-w- c:\program files\Marillion_Somewhere_Else.mp3.torrent

2007-03-17 08:42 . 2007-03-17 08:42 5151744 ----a-w- c:\program files\WindowsDefender.msi

2007-03-17 08:22 . 2007-03-17 08:22 19755560 ----a-w- c:\program files\avg75free_446a965.exe

2007-01-21 14:24 . 2007-01-21 14:24 23654120 ----a-w- c:\program files\dvdlabpro22.exe

2007-01-21 12:58 . 2007-01-21 12:58 3232813 ----a-w- c:\program files\SuperMegaSpoof_vb.exe

2007-01-21 12:55 . 2007-01-21 12:55 2080036 ----a-w- c:\program files\SuperMegaSpoof DukeN-NL.exe

2006-11-29 19:47 . 2006-11-29 19:47 23435 ----a-w- c:\program files\Live_8_2005_DVD_3_of_4_colombo-bt.org.torrent

2006-11-26 17:59 . 2006-11-26 17:59 168140 ----a-w- c:\program files\golden earring Live in Ahoy ( 2006 ).torrent

2006-11-26 17:01 . 2006-11-26 17:00 22648 ----a-w- c:\program files\iceage2cauldr0n.torrent

2006-11-26 16:57 . 2006-11-26 16:57 22401 ----a-w- c:\program files\ice age 2 retail.torrent

2006-11-13 22:42 . 2006-11-13 22:42 311105 ----a-w- c:\program files\U2.torrent

2006-11-13 22:24 . 2006-11-13 22:24 17805 ----a-w- c:\program files\Sugababes-overloaded Singles Collection--2006-uf [-www.meganova.org-].torrent

2006-11-12 12:03 . 2006-11-12 12:03 359112 ----a-w- c:\program files\LimeWireWin.exe

2006-09-23 18:06 . 2006-09-23 18:06 309912 ----a-w- c:\program files\ChapterXtractor.0.962.zip

2006-08-29 21:05 . 2006-08-29 21:05 56647 ----a-w- c:\program files\United.93DvDrip-aXXo.torrent

2006-08-29 21:02 . 2006-08-29 21:02 76012 ----a-w- c:\program files\Braveheart.avi.torrent

2006-08-29 21:00 . 2006-08-29 21:00 28659 ----a-w- c:\program files\Braveheart.(1995)...torrent

2006-08-28 21:39 . 2006-08-28 21:39 2473850 ----a-w- c:\program files\vsoDivxToDVD.zip

2006-08-28 21:33 . 2006-08-28 21:33 7071124 ----a-w- c:\program files\vsoConvertXtoDVD2_setup.exe

2006-08-28 21:04 . 2006-08-28 21:04 337563 ----a-w- c:\program files\SRTtoSSA.zip

2006-08-26 12:41 . 2006-08-26 12:41 19318121 ----a-w- c:\program files\Cinemaster.2000.Codec.zip

2006-08-26 11:42 . 2006-08-26 11:42 4972445 ----a-w- c:\program files\Maestro v2.9.2915a.WinNT2k.exe

2006-08-26 11:37 . 2006-08-26 11:37 1087682 ----a-w- c:\program files\subtitleworkshop251.zip

2006-08-26 11:35 . 2006-08-26 11:35 89722 ----a-w- c:\program files\Vobedit06.zip

2006-02-11 12:57 . 2006-02-11 12:57 11817800 ----a-w- c:\program files\GoogleEarth.exe

2005-12-16 17:58 . 2005-12-16 17:58 1665325 ------w- c:\program files\agsetup.exe

2005-12-12 18:34 . 2005-12-12 18:34 10347544 ------w- c:\program files\TE3XP-trial-3.1.5.82-install-EN.exe

2005-12-04 23:24 . 2005-12-04 23:24 7230264 ------w- c:\program files\Azureus_2.3.0.6_Win32.setup.exe

2005-11-28 22:00 . 2005-11-28 22:00 1881212 ------w- c:\program files\kl200nfi-2.exe

2005-11-01 20:26 . 2005-11-01 20:25 2951156 ------w- c:\program files\bitcomet_setup.exe

2005-10-31 20:52 . 2005-10-31 20:52 2731374 ------w- c:\program files\avi_mpg_rm_joiner.exe

2002-11-06 19:42 . 2006-08-28 19:49 237568 ----a-w- c:\program files\VobEdit.exe

2002-01-25 23:24 . 2002-01-25 23:24 4608 ------w- c:\program files\SnagIT Key Gen.EXE

2001-12-19 21:36 . 2001-12-19 21:36 4020989 ------w- c:\program files\snagit.exe

2001-09-27 08:39 . 2006-08-26 11:43 1376256 ------w- c:\program files\EncoderControl.dll

2001-09-27 08:38 . 2006-08-26 11:43 1511424 ------w- c:\program files\DVDCompiler.dll

2001-08-23 13:28 . 2006-08-26 11:43 65536 ------w- c:\program files\DVDNavigationControl.dll

2001-08-23 13:26 . 2006-08-26 11:43 753664 ------w- c:\program files\EncodeDecodeDevices.dll

2001-08-23 13:22 . 2006-08-26 11:43 163840 ------w- c:\program files\DSInterface.dll

2001-08-23 13:22 . 2006-08-26 11:43 69632 ------w- c:\program files\MFCSupportLibs.dll

2001-08-23 13:21 . 2006-08-26 11:43 946176 ------w- c:\program files\Gxdll50.dll

2001-08-23 13:13 . 2006-08-26 11:43 1019904 ------w- c:\program files\DVDMuxer.dll

2001-08-23 13:09 . 2006-08-26 11:43 1028096 ------w- c:\program files\Sal.dll

2001-08-23 12:59 . 2006-08-26 11:43 266240 ------w- c:\program files\ImageTools.dll

2001-08-23 12:59 . 2006-08-26 11:43 245760 ------w- c:\program files\MediaDatabase.dll

2001-08-23 12:59 . 2006-08-26 11:43 729088 ------w- c:\program files\MediaFile.dll

2001-08-23 12:52 . 2006-08-26 11:43 389120 ------w- c:\program files\SupportLibs.dll

2001-08-23 11:40 . 2006-08-26 11:43 36352 ------w- c:\program files\SX32W.DLL

2001-08-23 11:40 . 2006-08-26 11:43 57344 ------w- c:\program files\Pfcu1040.dll

2001-08-23 11:40 . 2006-08-26 11:43 45056 ------w- c:\program files\Pfcu1041.dll

2001-08-23 11:40 . 2006-08-26 11:43 57344 ------w- c:\program files\Pfcu1036.dll

2001-08-23 11:40 . 2006-08-26 11:43 57344 ------w- c:\program files\Pfcu1034.dll

2001-08-23 11:40 . 2006-08-26 11:43 65536 ------w- c:\program files\Pfcu1031.dll

2001-08-23 11:40 . 2006-08-26 11:43 57344 ------w- c:\program files\Pfcu1033.dll

2001-08-23 11:40 . 2006-08-26 11:43 413696 ------w- c:\program files\Pfcu.dll

2009-04-12 17:50 . 2006-08-06 11:33 848 --sha-w- c:\windows\system32\KGyGaAvL.sys

2009-04-25 15:02 . 2009-04-25 15:02 477 --sha-w- c:\windows\system32\_itmp_878.exe

    .

    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

    REGEDIT4

"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE"

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe"

"Google Update"="c:\documents and settings\Alain\Local Settings\Application Data\Google\Update\GoogleUpdate.exe"

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe"

"ledpointer"="CNYHKey.exe"

"SSER"="sser.exe"

"mHotmon"="mHotMon.exe"

"KnobMonitor"="c:\acer\KnobMonitor.exe"

"MPS"="c:\acer\MPS.EXE"

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe"

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe"

"QuickTime Task"="c:\program files\QuickTime\qttask.exe"

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe"

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe"

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe"

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe"

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE"

    c:\documents and settings\Alain\Menu Start\Programma's\Opstarten\

    Mediacontrole Picture Motion Browser.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

2009-08-18 07:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll

@="Service"

@="Service"

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\MSMSGS.EXE"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Documents and Settings\\Alain\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=

"23764:TCP"= 23764:TCP:*:Disabled:BitComet 23764 TCP

"23764:UDP"= 23764:UDP:*:Disabled:BitComet 23764 UDP

"12674:TCP"= 12674:TCP:*:Disabled:BitComet 12674 TCP

"12674:UDP"= 12674:UDP:*:Disabled:BitComet 12674 UDP

"49152:TCP"= 49152:TCP:*:Disabled:BitComet 49152 TCP

"49152:UDP"= 49152:UDP:*:Disabled:BitComet 49152 UDP

"49153:TCP"= 49153:TCP:*:Disabled:BitComet 49153 TCP

"49153:UDP"= 49153:UDP:*:Disabled:BitComet 49153 UDP

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys

    R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys

    R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe

    R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys

    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe

    R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys

    R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kXbar.sys

    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe

    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe

    S3 o1394bul;o1394bul;\??\c:\docume~1\Alain\LOCALS~1\Temp\o1394bul.sys –> c:\docume~1\Alain\LOCALS~1\Temp\o1394bul.sys

    .

    ------- Bijkomende Scan -------

    .

    uStart Page = hxxp://www.google.nl/

    uInternet Connection Wizard,ShellNext = iexplore

    uInternet Settings,ProxyServer = proxy:8080

    uInternet Settings,ProxyOverride =

    IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    IE: Save with Download Manager… - c:\program files\J River\Media Jukebox\DMDownload.htm

    FF - ProfilePath - c:\documents and settings\Alain\Application Data\Mozilla\Firefox\Profiles\tbogmkxj.default\

    FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/

    FF - plugin: c:\documents and settings\Alain\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

    FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll

    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    .

    - - - - ORPHANS VERWIJDERD - - - -

    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

    HKU-Default-Run-NvMediaCenter - c:\windows\System32\NVMCTRAY.DLL

    HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

    AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE

    AddRemove-CanonMyPrinter - c:\program files\Canon\MyPrinter\uninst.exe uninst.ini

    AddRemove-CanonSolutionMenu - c:\program files\Canon\SolutionMenu\uninst.exe uninst.ini

    AddRemove-dBpoweramp FLAC Codec - c:\windows\system32\SpoonUninstall.exe c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat

    AddRemove-dBpoweramp Monkeys Audio Codec - c:\windows\system32\SpoonUninstall.exe c:\windows\system32\SpoonUninstall-dBpoweramp Monkeys Audio Codec.dat

    AddRemove-dBpoweramp Music Converter - c:\windows\system32\SpoonUninstall.exe c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat

    AddRemove-Easy-PhotoPrint EX - c:\program files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini

    AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

    AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2009-12-07 08:31

    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scannen van verborgen processen …

    scannen van verborgen autostart items …

    scannen van verborgen bestanden …

    Scan succesvol afgerond

    verborgen bestanden: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully

    user: MBR read successfully

    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN <<

    kernel: MBR read successfully

    detected MBR rootkit hooks:

    \Driver\Disk -> CLASSPNP.SYS @ 0xf861bf28

    \Driver\ACPI -> ACPI.sys @ 0xf8546cb8

    \Driver\atapi -> 0x82b41960

    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e

    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e

    NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf845cbd4

    PacketIndicateHandler -> NDIS.sys @ 0xf8468a21

    SendHandler -> NDIS.sys @ 0xf845cd44

    Warning: possible MBR rootkit infection !

    user & kernel MBR OK

    copy of MBR has been found in sector 1 !

    **************************************************************************

    .

    --------------------- DLLs Geladen Onder Lopende Processen ---------------------

    - - - - - - - > ‘explorer.exe’(3336)

    c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll

    c:\windows\system32\webcheck.dll

    c:\windows\system32\WPDShServiceObj.dll

    c:\windows\system32\PortableDeviceTypes.dll

    c:\windows\system32\PortableDeviceApi.dll

    .

    ------------------------ Andere Aktieve Processen ------------------------

    .

    c:\acer\KnobService.exe

    c:\program files\Java\jre6\bin\jqs.exe

    c:\progra~1\AVG\AVG8\avgrsx.exe

    c:\windows\System32\wbem\unsecapp.exe

    c:\windows\CNYHKey.exe

    c:\windows\mHotMon.exe

    c:\windows\mHotkey.exe

    c:\progra~1\MICROS~4\rapimgr.exe

    c:\program files\Common Files\Teleca Shared\Generic.exe

    c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

    .

    **************************************************************************

    .

    Voltooingstijd: 2009-12-07 08:47 - machine werd herstart

    ComboFix-quarantined-files.txt 2009-12-07 07:47

    Pre-Run: 10.502.045.696 bytes beschikbaar

    Post-Run: 12.397.903.872 bytes beschikbaar

    WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe

    timeout=2

    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    - - End Of File - - E500590820DFBF0D0063D29CBED86D05

    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 8:54:43, on 7-12-2009

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Windows Defender\MsMpEng.exe

    C:\WINDOWS\System32\svchost.exe

    c:\acer\KnobService.exe

    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

    C:\Program Files\Java\jre6\bin\jqs.exe

    C:\WINDOWS\System32\svchost.exe

    C:\PROGRA~1\AVG\AVG8\avgrsx.exe

    C:\WINDOWS\CNYHKey.exe

    C:\WINDOWS\mHotMon.exe

    C:\ACER\MPS.EXE

    C:\Program Files\Windows Defender\MSASCui.exe

    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\QuickTime\qttask.exe

    C:\PROGRA~1\AVG\AVG8\avgtray.exe

    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

    C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe

    C:\Program Files\Java\jre6\bin\jusched.exe

    C:\Program Files\Messenger\MSMSGS.EXE

    C:\Program Files\Microsoft ActiveSync\wcescomm.exe

    C:\Documents and Settings\Alain\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    C:\PROGRA~1\MICROS~4\rapimgr.exe

    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

    C:\Program Files\Common Files\Teleca Shared\Generic.exe

    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

    C:\WINDOWS\explorer.exe

    C:\WINDOWS\system32\notepad.exe

    C:\WINDOWS\mHotkey.exe

    C:\Documents and Settings\Alain\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

    C:\Documents and Settings\Alain\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

    C:\Documents and Settings\Alain\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

    O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll

    O4 - HKLM\..\Run: CNYHKey.exe

    O4 - HKLM\..\Run: sser.exe

    O4 - HKLM\..\Run: mHotMon.exe

    O4 - HKLM\..\Run: C:\acer\KnobMonitor.exe

    O4 - HKLM\..\Run: C:\ACER\MPS.EXE

    O4 - HKLM\..\Run: "C:\Program Files\Windows Defender\MSASCui.exe" -hide

    O4 - HKLM\..\Run: "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

    O4 - HKLM\..\Run: "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: C:\PROGRA~1\AVG\AVG8\avgtray.exe

    O4 - HKLM\..\Run: C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon

    O4 - HKLM\..\Run: C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

    O4 - HKLM\..\Run: "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

    O4 - HKLM\..\Run: "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"

    O4 - HKLM\..\Run: "C:\Program Files\Java\jre6\bin\jusched.exe"

    O4 - HKCU\..\Run: "C:\Program Files\Messenger\MSMSGS.EXE" /background

    O4 - HKCU\..\Run: "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

    O4 - HKCU\..\Run: "C:\Documents and Settings\Alain\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

    O4 - HKCU\..\Run: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    O4 - HKUS\S-1-5-18\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

    O4 - Startup: Mediacontrole Picture Motion Browser.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe

    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Save with Download Manager… - C:\Program Files\J River\Media Jukebox\DMDownload.htm

    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

    O9 - Extra 'Tools' menuitem: Mobiele favorieten maken - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

    O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/

    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137002439109

    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

    O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://cache.hyves-static.net/statics/Aurigma/ImageUploader4.cab

    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

    O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    O23 - Service: Knob Service (KNOBSERV) - Acer Inc. - c:\acer\KnobService.exe

    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

    End of file - 9058 bytes

    Curious to hear what you make of it….

    Many thanks in advance!

    Alain.

  • Teaser

    Open Notepad, then copy and paste the following (the bold, blue text) into an empty window:

    • File::

      c:\windows\system32\_itmp_878.exe

    Save this to your Desktop as CFScript.txt

    Drag CFScript.txt onto ComboFix.exe as shown in the example below:

    This will make ComboFix restart.

    Reboot if prompted,

    and post the contents of Combofix.txt in your next reply together with a new HijackThis log.

  • Antonia

    Hi,

    I also have the Trojan horse packed protector C problem and have just run ComboFix. Here is my log. What should I do next?

    Many thanks!!

    ComboFix 09-12-07.07 - Administrador 08-12-2009 11:39.1.1 - x86

    Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.2038.1332

    Running from: c:\documents and settings\Administrador\Escritorio\ComboFix.exe

    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd

    c:\windows\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd

    Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected

    Restored copy from - c:\windows\ERDNT\cache\atapi.sys

    c:\windows\system32\proquota.exe . . . is missing!!

    .

    ((((((((((((((((((((((((( Files Created from 2009-11-08 to 2009-12-08 )))))))))))))))))))))))))))))))

    .

    2009-12-08 10:33 . 2009-12-08 10:33 -------- d-sh--w- c:\documents and settings\Administrador\IECompatCache

    2009-12-08 10:32 . 2009-12-08 10:32 148768 ----a-w- c:\windows\system32\dllcache\atapi.sys

    2009-12-08 08:41 . 2009-12-08 08:41 4844296 ----a-w- c:\documents and settings\All Users\Datos de programa\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

    2009-12-07 22:26 . 2009-12-08 10:32 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Spybot - Search & Destroy

    2009-12-07 22:26 . 2009-12-07 22:33 -------- d-----w- c:\archivos de programa\Spybot - Search & Destroy

    2009-12-06 16:41 . 2009-12-06 16:41 45312 ----a-w- c:\windows\system32\drivers\viragtlt.sys

    2009-12-06 16:22 . 2009-12-06 19:42 -------- d---a-w- c:\documents and settings\All Users\Datos de programa\TEMP

    2009-12-06 15:33 . 2009-12-06 15:49 8448 ----a-w- c:\windows\listcmd.bin

    2009-12-06 14:22 . 2009-12-06 14:22 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\MozillaControl

    2009-12-06 14:22 . 2009-12-06 14:22 -------- d-----w- c:\archivos de programa\Mozilla ActiveX Control v1.7.12

    2009-12-06 13:56 . 2009-12-08 08:31 -------- d-----w- c:\archivos de programa\Graboid

    2009-12-02 18:27 . 2008-04-16 04:05 372736 ----a-r- c:\windows\system32\hppldcoi.dll

    2009-12-02 18:27 . 2008-04-16 04:05 309760 ----a-r- c:\windows\system32\difxapi.dll

    2009-12-02 18:26 . 2008-04-16 04:05 729088 ----a-r- c:\windows\system32\hposwia_p01a.dll

    2009-12-02 18:26 . 2008-04-16 04:05 974848 ----a-r- c:\windows\system32\hpost_p01a.dll

    2009-12-02 18:26 . 2008-02-28 10:08 303104 ----a-r- c:\windows\system32\hposc_p01a.dll

    2009-12-02 18:10 . 2009-12-02 18:10 -------- d-----w- c:\documents and settings\All Users\Datos de programa\HP Product Assistant

    2009-12-02 18:10 . 2009-12-02 18:10 -------- d-----w- c:\archivos de programa\Hewlett-Packard

    2009-12-02 18:10 . 2009-12-02 18:10 -------- d-----w- c:\archivos de programa\Archivos comunes\HP

    2009-12-02 18:00 . 2009-12-02 18:45 187707 ----a-w- c:\windows\hpoins30.dat

    2009-12-02 18:00 . 2008-06-18 06:22 844 ------w- c:\windows\hpomdl30.dat

    2009-11-30 15:05 . 2009-11-30 15:05 -------- d-----w- c:\archivos de programa\Digiarty

    2009-11-28 10:58 . 2009-11-28 10:58 -------- d-----w- c:\windows\system32\wbem\snmp

    2009-11-28 10:58 . 2009-11-28 10:58 -------- d-----w- c:\windows\system32\xircom

    2009-11-28 10:58 . 2009-11-28 10:58 -------- d-----w- c:\windows\srchasst

    2009-11-28 10:58 . 2009-11-28 10:58 -------- d-----w- c:\archivos de programa\microsoft frontpage

    2009-11-23 09:28 . 2009-11-23 09:28 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Windows Search

    2009-11-17 22:07 . 2009-11-17 22:07 79144 ----a-w- c:\documents and settings\All Users\Datos de programa\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe

    2009-11-17 22:05 . 2009-11-17 22:05 -------- d-----w- c:\archivos de programa\iPod

    2009-11-17 22:05 . 2009-11-17 22:06 -------- d-----w- c:\archivos de programa\iTunes

    2009-11-17 21:54 . 2009-11-17 21:54 79144 ----a-w- c:\documents and settings\All Users\Datos de programa\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

    2009-11-13 10:14 . 2009-11-13 10:15 -------- d-----w- c:\archivos de programa\Windows Live

    2009-11-11 15:33 . 2009-11-13 10:16 -------- d-----w- c:\archivos de programa\Microsoft Office Outlook Connector

    2009-11-11 15:32 . 2006-11-29 12:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll

    2009-11-11 15:30 . 2009-11-11 15:34 -------- d-----w- c:\archivos de programa\Microsoft

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2009-12-08 10:35 . 2009-02-07 22:06 -------- d-----w- c:\archivos de programa\BitComet

    2009-12-08 08:44 . 2009-08-23 22:37 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware

    2009-12-06 13:33 . 2009-12-06 13:33 16 ----a-w- c:\documents and settings\NetworkService\Datos de programa\fvgqad.dat

    2009-12-06 13:33 . 2009-11-27 21:13 8 ----a-w- c:\documents and settings\Administrador\Datos de programa\avdrn.dat

    2009-12-03 15:14 . 2009-08-23 22:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2009-12-03 15:13 . 2009-08-23 22:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

    2009-12-02 18:45 . 2009-04-08 19:19 -------- d-----w- c:\archivos de programa\HP

    2009-12-02 18:12 . 2009-04-08 19:26 -------- d-----w- c:\documents and settings\All Users\Datos de programa\HP

    2009-12-02 17:39 . 2009-02-02 21:05 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Skype

    2009-12-02 15:11 . 2009-02-02 21:25 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\skypePM

    2009-12-01 19:34 . 2009-06-22 19:14 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Vso

    2009-11-28 10:22 . 2009-11-27 21:13 16 ----a-w- c:\documents and settings\NetworkService\Datos de programa\cbqozg.dat

    2009-11-27 23:11 . 2009-06-27 07:56 -------- d-----w- c:\documents and settings\All Users\Datos de programa\AVG Security Toolbar

    2009-11-27 23:03 . 2009-02-05 20:38 -------- d-----w- c:\documents and settings\All Users\Datos de programa\avg8

    2009-11-25 21:59 . 2009-01-20 20:05 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Microsoft Help

    2009-11-25 17:53 . 2009-01-20 19:39 -------- d-----w- c:\archivos de programa\Archivos comunes\Adobe

    2009-11-17 22:11 . 2009-10-22 15:35 -------- d-----w- c:\archivos de programa\Safari

    2009-11-17 22:05 . 2009-05-22 08:01 -------- d-----w- c:\archivos de programa\Archivos comunes\Apple

    2009-11-15 10:15 . 2009-05-08 20:48 -------- d-----w- c:\documents and settings\All Users\Datos de programa\WinZip

    2009-11-13 10:07 . 2009-03-21 08:16 -------- d-----w- c:\archivos de programa\DivX

    2009-11-13 10:05 . 2009-07-23 13:27 -------- d-----w- c:\archivos de programa\Pixum

    2009-11-13 10:05 . 2009-02-02 20:44 -------- d-----w- c:\archivos de programa\Google

    2009-11-04 19:38 . 2009-11-04 19:38 664 ----a-w- c:\windows\system32\d3d9caps.dat

    2009-11-04 09:34 . 2009-11-04 09:34 8854 ----a-r- c:\documents and settings\Administrador\Datos de programa\Microsoft\Installer\{4513F51E-3D1B-4791-B652-4C8B263ACD07}\Uninstall_EasyStudio_2FA333E9845C4292870E7E41F38443CA.exe

    2009-11-04 09:34 . 2009-11-04 09:34 10134 ----a-r- c:\documents and settings\Administrador\Datos de programa\Microsoft\Installer\{4513F51E-3D1B-4791-B652-4C8B263ACD07}\ARPPRODUCTICON.exe

    2009-11-04 09:34 . 2009-04-17 09:44 -------- d-----w- c:\archivos de programa\SAMSUNG

    2009-10-30 12:46 . 2009-04-18 21:51 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\HPAppData

    2009-10-25 09:20 . 2004-03-20 12:26 94892 ----a-w- c:\windows\system32\perfc00A.dat

    2009-10-25 09:20 . 2004-03-20 12:26 520378 ----a-w- c:\windows\system32\perfh00A.dat

    2009-10-22 13:50 . 2009-05-22 08:15 -------- d-----w- c:\documents and settings\Administrador\Datos de programa\Apple Computer

    2009-10-17 17:30 . 2009-10-17 17:30 -------- d-----r- c:\archivos de programa\Skype

    2009-10-17 17:30 . 2009-10-17 17:30 -------- d-----w- c:\archivos de programa\Archivos comunes\Skype

    2009-10-17 17:30 . 2009-02-02 21:02 -------- d-----w- c:\documents and settings\All Users\Datos de programa\Skype

    2009-10-16 09:33 . 2009-07-30 08:31 -------- d-----w- c:\documents and settings\All Users\Datos de programa\albelli photo book creator Extra

    2009-10-13 21:27 . 2009-01-20 20:07 -------- d-----w- c:\archivos de programa\Microsoft Works

    2009-09-11 14:18 . 2008-04-14 07:48 136192 ----a-w- c:\windows\system32\msv1_0.dll

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\archivos de programa\AVG\AVG8\Toolbar\IEToolbar.dll"

    2009-09-02 09:58 1107200 ----a-w- c:\archivos de programa\AVG\AVG8\Toolbar\IEToolbar.dll

    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\archivos de programa\AVG\AVG8\Toolbar\IEToolbar.dll"

    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\archivos de programa\AVG\AVG8\Toolbar\IEToolbar.dll"

    "googletalk"="c:\archivos de programa\Google\Google Talk\googletalk.exe"

    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe"

    "SpybotSD TeaTimer"="c:\archivos de programa\Spybot - Search & Destroy\TeaTimer.exe"

    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE"

    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE"

    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE"

    "egui"="c:\archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe"

    "RTHDCPL"="RTHDCPL.EXE"

    "IgfxTray"="c:\windows\system32\igfxtray.exe"

    "Persistence"="c:\windows\system32\igfxpers.exe"

    "LManager"="c:\archiv~1\LAUNCH~1\LManager.exe"

    "ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe"

    "Boot"="c:\acer\Empowering Technology\ePower\Boot.exe"

    "PLFSet"="c:\windows\PLFSet.dll"

    "AVG8_TRAY"="c:\archiv~1\AVG\AVG8\avgtray.exe"

    "sclauncher"="c:\archivos de programa\SimpleCenter\bin\win\sclauncher.exe"

    "NeroFilterCheck"="c:\archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe"

    "HP Software Update"="c:\archivos de programa\HP\HP Software Update\HPWuSchd2.exe"

    "Adobe Reader Speed Launcher"="c:\archivos de programa\Adobe\Reader 9.0\Reader\Reader_sl.exe"

    "QuickTime Task"="c:\archivos de programa\QuickTime\QTTask.exe"

    "AppleSyncNotifier"="c:\archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"

    "iTunesHelper"="c:\archivos de programa\iTunes\iTunesHelper.exe"

    "hpqSRMon"="c:\archivos de programa\HP\Digital Imaging\bin\hpqSRMon.exe"

    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE"

    "nltide_3"="advpack.dll"

    c:\documents and settings\All Users\Men£ Inicio\Programas\Inicio\

    HP Digital Imaging Monitor.lnk - c:\archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe

    Windows Search.lnk - c:\archivos de programa\Windows Desktop Search\WindowsSearch.exe

    "NoSMConfigurePrograms"= 1 (0x1)

    "NoSMMyPictures"= 1 (0x1)

    "NoResolveTrack"= 1 (0x1)

    "NoSMHelp"= 1 (0x1)

    "NoSMConfigurePrograms"= 1 (0x1)

    "NoSMMyPictures"= 1 (0x1)

    "NoResolveTrack"= 1 (0x1)

    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\archivos de programa\Windows Desktop Search\MSNLNamespaceMgr.dll"

    2009-08-29 08:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    @="Driver"

    "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "%windir%\\system32\\sessmgr.exe"=

    "c:\\Archivos de programa\\Google\\Google Talk\\googletalk.exe"=

    "c:\\Archivos de programa\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=

    "c:\\Archivos de programa\\AVG\\AVG8\\avgupd.exe"=

    "c:\\Archivos de programa\\AVG\\AVG8\\avgnsx.exe"=

    "c:\\Archivos de programa\\MSN Messenger 8.5\\msnmsgr.exe"=

    "c:\\Archivos de programa\\Mozilla Firefox\\firefox.exe"=

    "c:\\Archivos de programa\\SimpleCenter\\Home Media Server.exe"=

    "c:\\Archivos de programa\\Archivos comunes\\Ahead\\Nero Web\\SetupX.exe"=

    "c:\\Archivos de programa\\activePDF\\PrimoPDF\\PrimoPDF.exe"=

    "c:\\Archivos de programa\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=

    "c:\\Archivos de programa\\Bonjour\\mDNSResponder.exe"=

    "c:\\Archivos de programa\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=

    "c:\\Archivos de programa\\Skype\\Plugin Manager\\skypePM.exe"=

    "c:\\Archivos de programa\\Messenger\\Msmsgs.exe"=

    "c:\\Archivos de programa\\Windows Live\\Messenger\\wlcsdk.exe"=

    "c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=

    "c:\\Archivos de programa\\iTunes\\iTunes.exe"=

    "c:\\Archivos de programa\\Skype\\Phone\\Skype.exe"=

    "c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

    "c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

    "c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hposid01.exe"=

    "c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

    "c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

    "c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

    "c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

    "c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

    "c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

    "c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

    "c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

    "15322:TCP"= 15322:TCP:BitComet 15322 TCP

    "15322:UDP"= 15322:UDP:BitComet 15322 UDP

    "427:UDP"= 427:UDP:SLP_Port(427)

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys

    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys

    R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys

    R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\archivos de programa\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe

    R2 avg8wd;AVG Free8 WatchDog;c:\archiv~1\AVG\AVG8\avgwdsvc.exe

    R2 ekrn;Eset Service;c:\archivos de programa\ESET\ESET NOD32 Antivirus\ekrn.exe

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    HPService REG_MULTI_SZ HPSLPSVC

    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.google.es/

    uDefault_Search_URL = hxxp://www.google.com/ie

    uInternet Settings,ProxyOverride = *.local

    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

    IE: &D&ownload &with BitComet - c:\archivos de programa\BitComet\BitComet.exe/AddLink.htm

    IE: &D&ownload all video with BitComet - c:\archivos de programa\BitComet\BitComet.exe/AddVideo.htm

    IE: &D&ownload all with BitComet - c:\archivos de programa\BitComet\BitComet.exe/AddAllLink.htm

    IE: E&xportar a Microsoft Excel - c:\archiv~1\MICROS~1\Office12\EXCEL.EXE/3000

    TCP: {74B7E768-356D-41D9-A509-51A2D908077C} = 192.168.1.254,192.168.1.255

    TCP: {B39B0750-6890-4020-BF38-B86F89679B10} = 192.168.1.254,192.168.1.255

    FF - ProfilePath - c:\documents and settings\Administrador\Datos de programa\Mozilla\Firefox\Profiles\najnap6s.default\

    FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch

    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search

    FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/

    FF - prefs.js: network.proxy.type - 4

    FF - component: c:\archivos de programa\AVG\AVG8\Firefox\components\avgssff.dll

    FF - component: c:\archivos de programa\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

    FF - component: c:\archivos de programa\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

    FF - component: c:\archivos de programa\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

    FF - component: c:\archivos de programa\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

    FF - component: c:\archivos de programa\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

    FF - plugin: c:\archivos de programa\Microsoft\Office Live\npOLW.dll

    FF - plugin: c:\archivos de programa\Mozilla Firefox\plugins\np-mswmp.dll

    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    .

    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-VIRIT LITE MONITOR - c:\vexplite\MONLITE.EXE

    AddRemove-Adobe SVG Viewer - c:\archivos de programa\Archivos comunes\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fc:\archivos de programa\Archivos comunes\Adobe\SVG Viewer 3.0\Uninstall\Install.log

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2009-12-08 11:58

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    @Denied: (2) (Administrator)

    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8b,23,db,ce,5e,89,50,45,85,ed,ee,\

    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8b,23,db,ce,5e,89,50,45,85,ed,ee,\

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(5308)

    c:\windows\system32\WININET.dll

    c:\archivos de programa\Windows Media Player\wmpband.dll

    c:\windows\system32\webcheck.dll

    c:\windows\system32\WPDShServiceObj.dll

    c:\windows\system32\PortableDeviceTypes.dll

    c:\windows\system32\PortableDeviceApi.dll

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    c:\archivos de programa\Bonjour\mDNSResponder.exe

    c:\windows\system32\SearchIndexer.exe

    c:\archiv~1\AVG\AVG8\avgrsx.exe

    c:\archiv~1\AVG\AVG8\avgnsx.exe

    c:\windows\RTHDCPL.EXE

    c:\windows\system32\igfxsrvc.exe

    c:\windows\system32\igfxext.exe

    c:\docume~1\ADMINI~1\CONFIG~1\Temp\RtkBtMnt.exe

    c:\archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe

    c:\archivos de programa\iPod\bin\iPodService.exe

    c:\archivos de programa\Archivos comunes\Ahead\Lib\NMIndexStoreSvr.exe

    c:\archivos de programa\HP\Digital Imaging\bin\hpqSTE08.exe

    c:\archivos de programa\HP\Digital Imaging\bin\hpqbam08.exe

    .

    **************************************************************************

    .

    Completion time: 2009-12-08 12:02 - machine was rebooted

    ComboFix-quarantined-files.txt 2009-12-08 11:02

    Pre-Run: 63.108.145.152 bytes free

    Post-Run: 63.088.377.856 bytes free

    - - End Of File - - 418422D00E6AC8964C8A968354EE52EE
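Added example (not part of the original post or of ComboFix): a small Python triage helper for log lines in the format shown above. It parses the firewall port exceptions ("<port>:<proto>"= ...), the R0-R4 driver/service lines and the "FF - prefs.js:" entries, and then lists the things a helper on a forum like this would check by hand: executables running from a Temp directory, a Firefox default search URL on a host outside an analyst-chosen trusted list, a non-zero network.proxy.type, and every inbound firewall exception. The sample lines are constructed and shortened from the log format above, the trusted-host list is the analyst's own assumption, and every note is a prompt to verify a file or setting, not a malware verdict.

```python
"""Triage helper for ComboFix-style log lines (added example, not a ComboFix tool)."""
import re

# Constructed sample modelled on the log format above; paths are shortened
# and this is not the poster's complete log.
SAMPLE_LINES = [
    r'"c:\\Archivos de programa\\BitComet\\BitComet.exe"=',
    r'"15322:TCP"= 15322:TCP:BitComet 15322 TCP',
    r'"15322:UDP"= 15322:UDP:BitComet 15322 UDP',
    r'"427:UDP"= 427:UDP:SLP_Port(427)',
    r'R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys',
    r'R2 ekrn;Eset Service;c:\archivos de programa\ESET\ESET NOD32 Antivirus\ekrn.exe',
    r'FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch',
    r'FF - prefs.js: network.proxy.type - 4',
    r'c:\docume~1\ADMINI~1\CONFIG~1\Temp\RtkBtMnt.exe',
    r'c:\windows\system32\SearchIndexer.exe',
]

# Analyst's own allowlist of search hosts (an assumption for this example).
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.google.es", "search.yahoo.com", "www.bing.com"}

# Meaning of Firefox's network.proxy.type values.
PROXY_TYPES = {"0": "no proxy", "1": "manual proxy", "2": "PAC script URL",
               "4": "auto-detect (WPAD)", "5": "use system proxy settings"}

_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
_SVC_RE = re.compile(r'^(R[0-4])\s+([^;]+);([^;]*);(.+)$')
_FF_RE = re.compile(r'^FF - prefs\.js: (\S+) - (.*)$')
_EXE_RE = re.compile(r'[a-zA-Z]:\\[^";]*?\.exe', re.IGNORECASE)


def parse_firewall_ports(lines):
    """Return (port, protocol, label) for each firewall port exception line."""
    out = []
    for line in lines:
        m = _PORT_RE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return out


def parse_services(lines):
    """Return dicts for R0-R4 lines: start type, service name, display name, image path."""
    out = []
    for line in lines:
        m = _SVC_RE.match(line.strip())
        if m:
            out.append({"start": m.group(1), "name": m.group(2),
                        "display": m.group(3), "path": m.group(4)})
    return out


def parse_ff_prefs(lines):
    """Return {pref_name: value} for 'FF - prefs.js:' lines."""
    prefs = {}
    for line in lines:
        m = _FF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def executables(lines):
    """Every *.exe path mentioned on any line; registry-style doubled backslashes are collapsed."""
    paths = []
    for line in lines:
        norm = line.replace("\\\\", "\\")
        paths.extend(_EXE_RE.findall(norm))
    return paths


def triage(lines):
    """Produce review notes; each is a prompt to verify, not a verdict."""
    notes = []
    for path in executables(lines):
        if "\\temp\\" in path.lower():
            notes.append(f"executable under a Temp directory: {path} "
                         "(check publisher signature and hash before trusting it)")
    prefs = parse_ff_prefs(lines)
    host = re.match(r'hxxps?://([^/]+)', prefs.get("browser.search.defaulturl", ""))
    if host and host.group(1).lower() not in TRUSTED_SEARCH_HOSTS:
        notes.append(f"Firefox default search host {host.group(1)} is not on the "
                     "trusted list (confirm the user chose it)")
    ptype = prefs.get("network.proxy.type")
    if ptype is not None and ptype != "0":
        notes.append(f"Firefox network.proxy.type={ptype}: {PROXY_TYPES.get(ptype, 'unknown')} "
                     "(confirm who configured the proxy)")
    for port, proto, label in parse_firewall_ports(lines):
        notes.append(f"inbound firewall exception {port}/{proto}: {label}")
    return notes


if __name__ == "__main__":
    for note in triage(SAMPLE_LINES):
        print("-", note)
```

Running it on the constructed sample yields six notes: the Temp-resident executable, the search host, the WPAD proxy setting and the three open ports. SearchIndexer.exe and the ESET service produce nothing, which is the point: the script narrows the log to items worth a manual look rather than judging them.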