Archive - Can't get rid of trojan/backdoor

The archive is a frozen moment from a previous version of this forum, with different rules and different people in charge. These posts in no way reflect our current ideas, values or world views and have in some places been censored as impermissible. Many were written in a different spirit of the times, ironically or not - as in the ironic Off-Topic subforum - and would no longer be (allowed to be) posted today. Still, we are happy to offer this archive as a database and reference work. Read more about it here or start a conversation with others.

GuntherDW

Legacy Member
Well, this one is actually a tricky one.

My dad's laptop runs Malwarebytes Anti-Malware & NOD32, and over the last few days they kept coming up with alerts.
So I sat down at that laptop, and it turns out there is a background process running that continuously turns UAC off completely, infects things (?) and tries to pull in e1.exe from http://91.x.x.x/ via an iexplore.exe that runs as SYSTEM.

(so invisible, apart from the fact that every few minutes an "Internet Explorer is not the default browser" box pops up; the antivirus & anti-malware do block it every time though)

By now I've tried all sorts of things, done a "bit" of searching, yesterday ran Spybot S&D and HijackThis myself & tried to clean, full scans with up-to-date anti-malware programs. On someone's recommendation I also tried Prevx, which came up with a lot, but it just keeps giving results.
Even my anti-malware, or Adobe products, let alone Radmin or Office, is malware according to Prevx.

I'm a bit at my wits' end, so I'm posting it here :).

NB: if I close iexplore, it is back within 5 minutes or after a reboot/relogin.

Thanks in advance :).

edit: I'm only noticing it now, but I'm going to check why some apps have a space between the app name & the .exe.

So apparently there are 2 files each time, a file of 304KB and the actual app.
Let's see what deleting all those things does.

What I also saw with NetLimiter & Process Explorer is that the service (svchost.exe process) for Power & Plug and Play always tries to open the connection to pull in that e1.exe.


Code:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 06:29:01, on 26/01/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\program files\alcohol soft\alcohol 120\axcmd.exe
C:\program files\netlimiter 3\nlclientapp .exe
C:\Program Files\Alcohol Soft\Alcohol 120\AlCmd.exe
C:\Program Files\Common Files\Adobe\Installers\b2d6abde968e6f277ddbfd501383e02\Setup.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\rdpclip.exe
C:\program files\malwarebytes' anti-malware\mbam .exe
C:\program files\malwarebytes' anti-malware\mbamgui .exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [NetLimiter] C:\Program Files\NetLimiter 3\NLClientApp.exe /tray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3174481477-1541696535-1444457090-1000\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Paul')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Converteren naar Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Doel van koppeling converteren naar Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Doel van koppeling toevoegen aan bestaande PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Toevoegen aan bestaande PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Verzenden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Verz&enden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NetLimiter 3 Service (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 3\nlsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech Corp. - C:\Windows\system32\rserver30\RServer3.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Software Protection sppsvcTrustedInstaller (sppsvcTrustedInstaller) - Unknown owner - þÿÿÿü.exe (file missing)   <- This one always seems to come back, every time I remove it from HijackThis, though it keeps saying (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 8662 bytes
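
The three things the post above singles out (a companion file with a space before `.exe` next to each real program, an autorun entry that starts an unknown binary out of the Internet Explorer folder, and a service whose image path is garbled and marked "file missing") can be pulled out of a HijackThis log mechanically rather than by eye. The Python script below is an added example, not code from the original post or from HijackThis: it parses a subset of the log lines pasted above (embedded as `SAMPLE_LOG`) and flags those three patterns. The `OWNED_DIRS` whitelist behind the autorun check and the "non-ASCII or non-absolute image path" rule for services are assumptions of this example, chosen to match what the log shows.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of the HijackThis log pasted in the thread, plus a benign line of each kind.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Running processes:
C:\Windows\system32\taskhost.exe
C:\program files\netlimiter 3\nlclientapp .exe
C:\program files\malwarebytes' anti-malware\mbam .exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Software Protection sppsvcTrustedInstaller (sppsvcTrustedInstaller) - Unknown owner - þÿÿÿü.exe (file missing)
"""

@dataclass
class Finding:
    kind: str      # "shadow-exe", "foreign-autorun" or "bad-service"
    detail: str

# Whitespace right before the extension ("mbam .exe"): the companion file found next to each program.
SHADOW_EXE = re.compile(r"\s\.(exe|dll|scr|sys)$", re.I)
# Drive letter, UNC share or %Variable% prefix; anything else cannot be a usable image path.
ABSOLUTE_PATH = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\|%\w+%\\)')
O4_LINE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<label>[^\]]*)\] (?P<command>.+)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
# Assumption behind the autorun heuristic: only the listed binaries belong in these folders,
# so an autorun that starts anything else from there (wmpscfgs.exe in the log) is flagged.
OWNED_DIRS = {"internet explorer": {"iexplore.exe", "ielowutil.exe"}}

def executable_of(command: str) -> str:
    """Return the executable part of an autorun command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe", command, re.I)
    return command[: m.end()] if m else command.split()[0]

def check_shadow(path: str) -> Optional[Finding]:
    if SHADOW_EXE.search(path.strip().strip('"')):
        return Finding("shadow-exe", "space before the extension in %r" % path)
    return None

def check_autorun(label: str, command: str) -> Optional[Finding]:
    parts = executable_of(command).lower().split("\\")
    if len(parts) >= 2:
        folder, basename = parts[-2], parts[-1]
        allowed = OWNED_DIRS.get(folder)
        if allowed is not None and basename not in allowed:
            return Finding("foreign-autorun",
                           "[%s] starts %s from the '%s' folder" % (label, basename, folder))
    return None

def check_service(name: Optional[str], path: str) -> Optional[Finding]:
    image, reasons = path.strip(), []
    if image.endswith("(file missing)"):
        image = image[: -len("(file missing)")].strip()
        reasons.append("binary missing on disk")
    if not ABSOLUTE_PATH.match(image):
        reasons.append("image path is not absolute")
    if not image.isascii():
        reasons.append("image path contains non-ASCII characters")
    if reasons:
        return Finding("bad-service", "service %s: %s" % (name or "?", "; ".join(reasons)))
    return None

def triage(log_text: str) -> List[Finding]:
    """Walk the log once; findings come back in the order their lines appear."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            if not line:                 # a blank line closes the process list
                in_processes = False
                continue
            checks = [check_shadow(line)]
        else:
            m4, m23 = O4_LINE.match(line), O23_LINE.match(line)
            if m4:
                checks = [check_shadow(executable_of(m4["command"])),
                          check_autorun(m4["label"], m4["command"])]
            elif m23:
                checks = [check_service(m23["name"], m23["path"])]
            else:
                continue
        findings.extend(f for f in checks if f is not None)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-16s %s" % (f.kind, f.detail))
```

Run against the embedded sample it reports the two " .exe" processes, the `[Adobe_Reader]` autorun that really starts `wmpscfgs.exe`, and the `sppsvcTrustedInstaller` service on all three counts (missing binary, non-absolute and non-ASCII image path). The checks are deliberately loose triage rules rather than verdicts: a localized system can legitimately have non-ASCII paths, so each finding is something to look at, not something to delete.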

GuntherDW

Legacy Member
Ok, did a number of fixes, downloaded LSPFix and removed those 2 unknown DLLs (I removed the whole directory, my dad doesn't use MSN).

After the reboot I'll post another log.

edit: ok, tried a few more fixes, going to post a log now and at the same time let my NOD32 & Malwarebytes Anti-Malware run a full scan again while I go do my exams.

(UAC level is still set so far, but I'll see later whether it has changed again)

Code:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 08:09:39, on 26/01/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\NetLimiter 3\nlclientapp.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox 3.6 Beta 4\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [NetLimiter] C:\Program Files\NetLimiter 3\NLClientApp.exe /tray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Doel van koppeling converteren naar Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Doel van koppeling toevoegen aan bestaande PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Toevoegen aan bestaande PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Verzenden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Verz&enden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NetLimiter 3 Service (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 3\nlsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech Corp. - C:\Windows\system32\rserver30\RServer3.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 5107 bytes

Juisterr

Legacy Member
First turn off Spybot's TeaTimer.

Then:
Run as administrator.

Open a Notepad file and copy the text below into that Notepad file:

cd..
sc delete sppsvcTrustedInstaller

Save it on your desktop as sc.bat with type "all files"
Double-click sc.bat.

Restart your PC.


Download ComboFix to your Desktop and use it according to this guide.

NOTE: if, during or after downloading ComboFix or while using ComboFix, you get an alert from your antivirus or another real-time scanner, disable that scanner and download ComboFix again.
Some scanners see certain components that ComboFix uses as suspicious and will block or remove them!
  • Double-click Combofix.exe to start it.
  • If you have used ComboFix before, you may get a warning that an update is available. Allow ComboFix to be updated.
  • Click OK in the "NirCmd" window.
  • Afterwards click Yes again to start the malware scan.
  • While the fix is running, do NOT click in the window, as this will make your PC hang.
  • When the fix is complete and after the restart, the log Combofix.txt will open.
Post this log in your next reply

GuntherDW

Legacy Member
I had already removed that service, same for Spybot S&D & Prevx,

now let's run that ComboFix.

edit: I let it run for a while (I do everything via Remote Desktop), but after a while I got nothing more out of it.
Then I went downstairs to have a look and a nice BSOD (IRQL_NOT_LESS_OR_EQUAL) was waiting for me; now I've rebooted and let it run again.

edit:
(but I haven't seen any IE alerts or Malwarebytes Anti-Malware alerts for a while now, and UAC is still on.

I'll see how it goes :)
(+ 192.168.10.4 => my night-time PC that was running Squid for a while (it also has an external IP, 2 simultaneous PPPoE connections) because my server was acting up)

Code:
ComboFix 10-01-25.06 - lisa 26/01/2010  15:13:18.1.2 - x86
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.32.1033.18.3070.2094 [GMT 1:00]
Gestart vanuit: c:\users\lisa\Downloads\ComboFix.exe
 * Aanwezig AV is actief

.

((((((((((((((((((((((((((((((((((   Andere Verwijderingen   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Fonts\MyriadPro-Regular.otf
c:\windows\system32\169785866.dat

.
((((((((((((((((((((   Bestanden Gemaakt van 2009-12-26 to 2010-01-26  ))))))))))))))))))))))))))))))
.

2010-01-26 14:23 . 2010-01-26 14:24	--------	d-----w-	c:\users\lisa\AppData\Local\temp
2010-01-26 14:23 . 2010-01-26 14:23	--------	d-----w-	c:\users\Simonne\AppData\Local\temp
2010-01-26 14:23 . 2010-01-26 14:23	--------	d-----w-	c:\users\Paul\AppData\Local\temp
2010-01-26 14:23 . 2010-01-26 14:23	--------	d-----w-	c:\users\Default\AppData\Local\temp
2010-01-25 14:25 . 2010-01-25 14:25	--------	d-----w-	c:\program files\uTorrent
2010-01-25 14:25 . 2010-01-25 14:36	--------	d-----w-	c:\users\lisa\AppData\Roaming\uTorrent
2010-01-25 14:08 . 2010-01-25 14:08	53136	----a-w-	c:\windows\system32\PxSecure.dll
2010-01-25 14:07 . 2010-01-25 14:07	47664	----a-w-	c:\windows\system32\drivers\pxrts.sys
2010-01-25 14:07 . 2010-01-25 14:07	24496	----a-w-	c:\windows\system32\drivers\pxkbf.sys
2010-01-25 14:07 . 2010-01-26 04:28	--------	d-----w-	c:\program files\Prevx
2010-01-25 13:48 . 2010-01-25 13:48	--------	d-----w-	C:\Kill'em
2010-01-25 13:47 . 2010-01-25 13:47	--------	d-----w-	c:\program files\List_Kill'em
2010-01-25 13:26 . 2010-01-26 06:58	--------	d-----w-	c:\program files\Spybot - Search & Destroy
2010-01-25 13:26 . 2010-01-26 06:57	--------	d-----w-	c:\programdata\Spybot - Search & Destroy
2010-01-25 13:26 . 2010-01-25 13:26	388096	----a-r-	c:\users\lisa\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-25 13:26 . 2010-01-25 13:26	--------	d-----w-	c:\program files\TrendMicro
2010-01-25 13:02 . 2010-01-25 13:02	--------	d-----w-	c:\users\lisa\AppData\Local\Locktime
2010-01-25 12:43 . 2010-01-25 12:43	--------	d-----w-	c:\programdata\Locktime
2010-01-25 12:40 . 2010-01-26 05:34	--------	d-----w-	c:\program files\NetLimiter 3
2010-01-24 20:26 . 2010-01-24 20:26	--------	d-----w-	c:\users\Paul\AppData\Local\ESET
2010-01-22 21:22 . 2010-01-22 21:22	--------	d-----w-	c:\users\Default\AppData\Local\Microsoft Help
2010-01-22 20:59 . 2010-01-22 20:59	--------	d-----w-	c:\users\lisa\AppData\Roaming\Malwarebytes
2010-01-22 20:48 . 2009-01-01 05:34	528744	----a-w-	c:\windows\system32\OGAVerify.exe
2010-01-22 20:37 . 2010-01-22 20:43	--------	d-----w-	c:\program files\Microsoft Works
2010-01-22 20:34 . 2010-01-22 20:34	--------	d-----w-	c:\program files\Microsoft.NET
2010-01-22 20:32 . 2010-01-22 20:32	--------	d-----w-	c:\program files\Microsoft Visual Studio 8
2010-01-22 20:30 . 2010-01-22 20:30	--------	d-----r-	C:\MSOCache
2010-01-22 20:00 . 2010-01-22 20:00	5115824	----a-w-	c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-22 19:58 . 2010-01-22 19:58	--------	d-----w-	c:\users\Paul\AppData\Roaming\Malwarebytes
2010-01-22 19:58 . 2010-01-07 15:07	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-22 19:58 . 2010-01-22 19:58	--------	d-----w-	c:\programdata\Malwarebytes
2010-01-22 19:58 . 2010-01-07 15:07	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-01-22 19:58 . 2010-01-26 05:37	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-01-22 19:31 . 2006-10-26 18:58	30512	----a-w-	c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-01-22 19:31 . 2006-10-26 18:58	30512	----a-w-	c:\windows\system32\mdimon.dll
2010-01-22 17:35 . 2010-01-22 17:35	176128	----a-w-	c:\programdata\Microsoft\Windows Defender\LocalCopy\{3C5055BE-3A87-B463-9533-B24B8FF54BAD}-msb.exe
2010-01-22 17:20 . 2010-01-22 17:20	176128	----a-w-	c:\programdata\Microsoft\Windows Defender\LocalCopy\{0B9371AE-82C1-AE8D-F0E4-439B20CE3974}-msa.exe
2010-01-22 05:17 . 2009-12-19 09:02	977920	----a-w-	c:\windows\system32\wininet.dll
2010-01-22 03:56 . 2010-01-22 03:56	--------	d-----w-	c:\windows\system32\rserver30
2010-01-22 03:56 . 2010-01-22 03:56	--------	d-----w-	c:\users\lisa\AppData\Local\Downloaded Installations
2010-01-18 18:17 . 2010-01-18 18:17	98304	----a-w-	c:\programdata\Microsoft\Windows Defender\LocalCopy\{67671892-40C8-3236-BCD5-9E97C1BD29B7}-nssdbm3.dll
2010-01-13 09:14 . 2009-10-19 14:10	108544	----a-w-	c:\windows\system32\t2embed.dll
2010-01-13 09:14 . 2009-10-19 14:10	70656	----a-w-	c:\windows\system32\fontsub.dll
2010-01-09 08:23 . 2010-01-09 08:23	--------	d-----w-	c:\users\lisa\Office Genuine Advantage
2010-01-08 18:40 . 2010-01-08 18:40	36864	----a-w-	c:\users\Paul\AppData\Roaming\Autodesk\AutoCAD 2010\R18.0\enu\ContextualTabSelectorRules.dll
2010-01-08 16:14 . 2010-01-22 17:23	--------	d-----w-	c:\users\Paul\AppData\Roaming\Autodesk
2010-01-08 16:14 . 2010-01-08 16:14	--------	d-----w-	c:\users\Paul\AppData\Local\Autodesk
2010-01-08 15:59 . 2009-02-21 15:25	691592	----a-w-	c:\windows\system32\OGACheckControl.DLL
2009-12-31 14:29 . 2009-12-31 14:29	--------	d-----w-	c:\users\Paul\AppData\Roaming\Media Player Classic
2009-12-28 12:32 . 2009-12-28 12:32	411368	----a-w-	c:\windows\system32\deploytk.dll
2009-12-28 12:32 . 2009-12-28 12:32	--------	d-----w-	c:\program files\Java
2009-12-28 09:27 . 2009-12-28 09:27	48648	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2009-12-28 09:27 . 2009-12-28 09:27	704320	----a-w-	c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.
(((((((((((((((((((((((((((((((((((((((   Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-26 13:37 . 2009-12-12 17:46	--------	d-----w-	c:\program files\Mozilla Firefox 3.6 Beta 4
2010-01-26 07:03 . 2009-12-12 18:05	140480	----a-w-	c:\users\lisa\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-26 06:52 . 2009-12-12 22:14	--------	d-----w-	c:\program files\Common Files\Adobe
2010-01-26 05:25 . 2009-12-12 22:02	--------	d-----w-	c:\program files\Windows Live
2010-01-26 04:31 . 2009-07-14 00:02	543232	----a-w-	c:\windows\system32\termsrv.dll
2010-01-25 13:13 . 2009-12-12 20:21	--------	d-----w-	c:\programdata\Microsoft Help
2010-01-23 11:16 . 2009-12-12 18:13	140480	----a-w-	c:\users\Simonne\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-23 09:55 . 2009-12-12 17:47	694684	----a-w-	c:\windows\system32\perfh013.dat
2010-01-23 09:55 . 2009-12-12 17:47	131278	----a-w-	c:\windows\system32\perfc013.dat
2010-01-22 23:01 . 2009-12-12 21:17	140480	----a-w-	c:\users\Paul\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-22 22:16 . 2009-12-12 22:28	--------	d-----w-	c:\program files\Common Files\PX Storage Engine
2010-01-22 20:36 . 2009-07-14 04:52	--------	d-----w-	c:\program files\MSBuild
2010-01-22 17:23 . 2009-12-13 00:49	--------	d-----w-	c:\programdata\Autodesk
2010-01-21 09:52 . 2009-12-12 21:14	--------	d-----w-	c:\program files\Microsoft Silverlight
2010-01-14 10:12 . 2009-10-14 09:58	181120	------w-	c:\windows\system32\MpSigStub.exe
2010-01-08 16:17 . 2009-12-17 09:44	--------	d-----w-	c:\programdata\FLEXnet
2009-12-27 02:51 . 2009-12-27 02:50	--------	d-----w-	c:\program files\OpenVPN
2009-12-17 09:51 . 2009-12-17 09:51	--------	d-----w-	c:\programdata\hps
2009-12-17 09:49 . 2009-12-17 09:49	--------	d-----w-	c:\program files\Fotoservice
2009-12-13 01:36 . 2009-12-13 00:49	--------	d-----w-	c:\program files\AutoCAD 2010
2009-12-13 00:52 . 2009-12-13 00:49	--------	d-----w-	c:\program files\Common Files\Autodesk Shared
2009-12-13 00:49 . 2009-12-13 00:49	--------	d-----w-	c:\users\lisa\AppData\Roaming\Autodesk
2009-12-12 22:36 . 2009-12-12 22:36	--------	d-----w-	c:\program files\Adobe Media Player
2009-12-12 22:33 . 2009-12-12 22:33	--------	d-----w-	c:\program files\Common Files\Adobe AIR
2009-12-12 22:28 . 2009-12-12 22:28	--------	d-----w-	c:\program files\Google
2009-12-12 22:26 . 2009-12-12 22:26	--------	d-----w-	c:\program files\Common Files\Macrovision Shared
2009-12-12 22:08 . 2009-12-12 22:08	--------	d-----w-	c:\program files\Microsoft Office Outlook Connector
2009-12-12 22:06 . 2009-12-12 22:06	--------	d-----w-	c:\program files\Microsoft Sync Framework
2009-12-12 22:04 . 2009-12-12 22:04	--------	d-----w-	c:\program files\Microsoft SQL Server Compact Edition
2009-12-12 22:03 . 2009-12-12 21:14	--------	d-----w-	c:\program files\Microsoft
2009-12-12 22:03 . 2009-12-12 22:03	--------	d-----w-	c:\program files\Windows Live SkyDrive
2009-12-12 21:36 . 2009-12-12 21:36	--------	d-----w-	c:\programdata\Office Genuine Advantage
2009-12-12 21:32 . 2009-12-12 21:32	--------	d-----w-	c:\program files\Common Files\Windows Live
2009-12-12 21:10 . 2009-12-12 20:52	--------	d-----w-	c:\programdata\NOS
2009-12-12 20:52 . 2009-12-12 20:52	--------	d-----w-	c:\program files\NOS
2009-12-12 20:31 . 2009-12-12 19:54	--------	d-----w-	c:\users\lisa\AppData\Roaming\Media Player Classic
2009-12-12 20:27 . 2009-12-12 20:27	--------	d-----w-	c:\users\lisa\AppData\Roaming\Foxit
2009-12-12 20:27 . 2009-12-12 20:27	--------	d-----w-	c:\program files\Foxit Software
2009-12-12 20:07 . 2009-12-12 20:07	--------	d-----w-	c:\program files\Alcohol Soft
2009-12-12 19:59 . 2009-12-12 19:59	721904	----a-w-	c:\windows\system32\drivers\sptd.sys
2009-12-12 18:23 . 2009-12-12 18:23	--------	d-----w-	c:\program files\ESET
2009-12-12 18:21 . 2009-12-12 18:21	--------	d-----w-	c:\programdata\Hewlett-Packard
2009-12-12 18:01 . 2009-12-12 18:00	--------	d-----w-	c:\programdata\NVIDIA
2009-12-12 17:58 . 2009-12-12 17:58	--------	d-----w-	c:\program files\Combined Community Codec Pack
2009-12-12 17:51 . 2009-12-12 17:51	--------	d-----w-	c:\program files\NVIDIA Corporation
2009-12-12 17:51 . 2009-12-12 17:51	--------	d-----w-	c:\program files\AGEIA Technologies
2009-12-12 17:51 . 2009-12-12 17:51	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
2009-12-12 17:46 . 2009-07-14 04:52	--------	d-----w-	c:\program files\Windows Sidebar
2009-12-12 17:46 . 2009-07-14 04:52	--------	d-----w-	c:\program files\DVD Maker
2009-12-12 17:46 . 2009-07-14 02:37	--------	d-----w-	c:\program files\Windows Mail
2009-12-12 17:46 . 2009-07-14 07:50	--------	d-----w-	c:\program files\Windows Journal
2009-12-12 17:46 . 2009-07-14 04:52	--------	d-----w-	c:\program files\Windows Photo Viewer
2009-12-12 17:46 . 2009-07-14 04:52	--------	d-----w-	c:\program files\Windows Defender
2009-12-12 17:46 . 2009-12-12 17:47	43068	----a-w-	c:\windows\system32\perfd013.dat
2009-12-12 17:46 . 2009-12-12 17:47	341322	----a-w-	c:\windows\system32\perfi013.dat
2009-12-12 17:46 . 2009-12-12 17:46	43068	----a-w-	c:\windows\inf\PERFLIB\0413\perfd.dat
2009-12-12 17:46 . 2009-12-12 17:46	43068	----a-w-	c:\windows\inf\PERFLIB\0413\perfc.dat
2009-12-12 17:46 . 2009-12-12 17:46	341322	----a-w-	c:\windows\inf\PERFLIB\0413\perfi.dat
2009-12-12 17:46 . 2009-12-12 17:46	341322	----a-w-	c:\windows\inf\PERFLIB\0413\perfh.dat
2009-12-12 17:41 . 2009-12-12 17:41	0	---ha-w-	c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-12-12 17:22 . 2009-12-12 17:22	--------	d-sh--we	c:\programdata\Templates
2009-12-12 17:22 . 2009-12-12 17:22	--------	d-sh--we	c:\programdata\Start Menu
2009-12-12 17:22 . 2009-12-12 17:22	--------	d-sh--we	c:\programdata\Favorites
2009-12-12 17:22 . 2009-12-12 17:22	--------	d-sh--we	c:\programdata\Documents
2009-12-12 17:22 . 2009-12-12 17:22	--------	d-sh--we	c:\programdata\Desktop
2009-12-11 23:48 . 2009-12-11 23:48	25984	----a-w-	c:\windows\system32\drivers\tap0901.sys
2009-12-08 09:12 . 2009-12-08 09:12	5229568	----a-w-	c:\windows\system32\drivers\nlndis.sys
2009-12-01 18:43 . 2009-12-12 20:51	34496	----a-w-	c:\users\lisa\AppData\Roaming\Mozilla\Firefox\Profiles\7pww5zum.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-12-01 18:43 . 2009-12-12 20:51	25936	----a-w-	c:\users\lisa\AppData\Roaming\Mozilla\Firefox\Profiles\7pww5zum.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-20 19:33 . 2009-11-20 19:33	87144	----a-w-	c:\windows\system32\nvhotkey.dll
2009-11-20 19:33 . 2009-11-20 19:33	812648	----a-w-	c:\windows\system32\nvsvc.dll
2009-11-20 19:33 . 2009-11-20 19:33	66664	----a-w-	c:\windows\system32\nvshext.dll
2009-11-20 19:33 . 2009-11-20 19:33	1323624	----a-w-	c:\windows\system32\nvsvcr.dll
2009-11-20 19:33 . 2009-11-20 19:33	12685928	----a-w-	c:\windows\system32\nvcpl.dll
2009-11-20 19:33 . 2009-11-20 19:33	122984	----a-w-	c:\windows\system32\nvvsvc.exe
2009-11-20 19:33 . 2009-11-20 19:33	110184	----a-w-	c:\windows\system32\nvmctray.dll
2009-11-16 08:06 . 2009-11-16 08:06	95896	----a-w-	c:\windows\system32\drivers\epfwwfpr.sys
2009-11-16 08:03 . 2009-11-16 08:03	108792	----a-w-	c:\windows\system32\drivers\ehdrv.sys
2009-11-16 07:56 . 2009-11-16 07:56	116520	----a-w-	c:\windows\system32\drivers\eamon.sys
2009-10-29 07:22 . 2009-12-12 17:42	2048	----a-w-	c:\windows\system32\tzres.dll
2009-06-10 21:26 . 2009-07-14 02:04	9633792	--sha-r-	c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42	396800	--sha-w-	c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl .exe
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
c:\program files\Alcohol Soft\Alcohol 120\axcmd .exe
c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\versio~2 .exe
c:\program files\Common Files\Adobe\CS4ServiceManager\cs4servicemanager .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe

------- Sigcheck -------

[-] 2010-01-26 . FB53ED7B93B4B2CA6EF7580490B7A9D4 . 543232 . . [6.1.7600.16385] . . c:\windows\System32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetLimiter"="c:\program files\NetLimiter 3\NLClientApp.exe" [2009-12-08 1646592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

R1 ehdrv;ehdrv;c:\windows\System32\drivers\ehdrv.sys [16/11/2009 09:03 108792]
R1 nltdi;nltdi;c:\program files\NetLimiter 3\nltdi.sys [8/12/2009 10:12 5281024]
R1 raddrvv3;raddrvv3;c:\windows\System32\rserver30\raddrvv3.sys [9/10/2009 14:00 46304]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\System32\drivers\vwififlt.sys [14/07/2009 00:52 48128]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [16/11/2009 09:04 735960]
R2 epfwwfpr;epfwwfpr;c:\windows\System32\drivers\epfwwfpr.sys [16/11/2009 09:06 95896]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [22/01/2010 20:58 236368]
R2 RServer3;Radmin Server V3;c:\windows\System32\rserver30\rserver3.exe [9/10/2009 14:00 1242504]
R3 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [22/01/2010 20:58 19160]
R3 mirrorv3;mirrorv3;c:\windows\System32\drivers\rminiv3.sys [9/10/2009 14:00 3328]
R3 NLNdisMP;NLNdisMP;c:\windows\System32\drivers\nlndis.sys [8/12/2009 10:12 5229568]
R3 pxkbf;pxkbf;c:\windows\System32\drivers\pxkbf.sys [25/01/2010 15:07 24496]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\System32\drivers\VSTAZL3.SYS [13/07/2009 23:13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\System32\drivers\VSTDPV3.SYS [13/07/2009 23:13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\System32\drivers\VSTCNXT3.SYS [13/07/2009 23:13 661504]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [12/12/2009 20:59 721904]
S2 hehmdniz;Microsoft Tunnel Miniport Adapter Support;c:\windows\System32\svchost.exe -k netsvcs [14/07/2009 00:19 20992]
S3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\System32\drivers\nlndis.sys [8/12/2009 10:12 5229568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hehmdniz
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Doel van koppeling converteren naar Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Doel van koppeling toevoegen aan bestaande PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Toevoegen aan bestaande PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
FF - ProfilePath - c:\users\lisa\AppData\Roaming\Mozilla\Firefox\Profiles\7pww5zum.default\
FF - prefs.js: network.proxy.ftp - 192.168.10.4
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 192.168.10.4
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 192.168.10.4
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 192.168.10.4
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 192.168.10.4
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox 3.6 Beta 4\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\lisa\AppData\Roaming\Mozilla\Firefox\Profiles\7pww5zum.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x8641E856]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x856da398
QueryNameProcedure -> 0x856da528
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-01-26 15:27:34
ComboFix-quarantined-files.txt 2010-01-26 14:27

Pre-Run: 41,311,059,968 bytes free
Post-Run: 44,668,551,168 bytes free

- - End Of File - - 2DFCCFFBCAD8460B26E334DB125F30AD
[/code]

I have now removed the files it listed / put the original files back (the ones with the space between the filename and .exe).
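
Added example, not from this thread or from ComboFix: a small Python triage script that pulls the four things a reader would want to check in the log above straight out of the ComboFix text: executables listed with a space before .exe, the Sigcheck line marked [-], any service that runs as svchost.exe -k netsvcs under a name Windows does not ship in that group, and Firefox proxy prefs pointing somewhere other than loopback. The sample log inside the script is constructed from line shapes in this thread (with one ordinary netsvcs service, BITS, added as a control); the KNOWN_NETSVCS set is an illustrative subset and must be replaced with the full list for the build being examined. A hit is a lead to verify, not a verdict: a LAN proxy on 192.168.10.4:3128, for instance, may well be deliberate.

```python
import re
from typing import Dict, List

# Constructed sample in ComboFix's report format: a few lines shaped like the ones
# in the log above (the ' .exe' listing, the Sigcheck line, the services block and
# the Firefox proxy prefs), plus one ordinary netsvcs service (BITS) as a control.
SAMPLE_LOG = r"""
<pre>
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
c:\program files\Java\jre6\bin\jusched .exe
</pre>

------- Sigcheck -------

[-] 2010-01-26 . FB53ED7B93B4B2CA6EF7580490B7A9D4 . 543232 . . [6.1.7600.16385] . . c:\windows\System32\termsrv.dll

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [16/11/2009 09:04 735960]
S2 hehmdniz;Microsoft Tunnel Miniport Adapter Support;c:\windows\System32\svchost.exe -k netsvcs [14/07/2009 00:19 20992]
S2 BITS;Background Intelligent Transfer Service;c:\windows\System32\svchost.exe -k netsvcs [14/07/2009 00:19 20992]

FF - prefs.js: network.proxy.http - 192.168.10.4
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.type - 1
"""

# Assumption: an illustrative subset of the service names Windows 7 ships in the
# netsvcs svchost group. Real triage loads the complete list for the OS build.
KNOWN_NETSVCS = {n.lower() for n in (
    "AeLookupSvc", "AppMgmt", "BITS", "Browser", "CertPropSvc", "EapHost", "gpsvc",
    "IKEEXT", "iphlpsvc", "LanmanServer", "LanmanWorkstation", "Netman", "ProfSvc",
    "Schedule", "SENS", "SessionEnv", "SharedAccess", "ShellHWDetection", "Themes",
    "Winmgmt", "wuauserv",
)}

# 'R2 name;Display Name;image path [date time size]' as ComboFix prints services
SERVICE_LINE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[")
# 'FF - prefs.js: network.proxy.<key> - <value>'
PROXY_LINE = re.compile(r"^FF - prefs\.js: network\.proxy\.(?P<key>\w+) - (?P<value>\S+)$")
# the drive-letter path at the end of a Sigcheck line
DRIVE_PATH = re.compile(r"[a-zA-Z]:\\.*$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def triage(log_text: str) -> Dict[str, List[str]]:
    """Scan ComboFix log text for four indicators and return them by category."""
    findings: Dict[str, List[str]] = {
        "spaced_exe": [],        # 'name .exe': a renamed executable (the pattern in this thread)
        "sigcheck_failed": [],   # system file whose signature check failed
        "unknown_netsvcs": [],   # svchost -k netsvcs service with a name not in the known set
        "proxy_hosts": [],       # Firefox manual proxy pointing somewhere other than loopback
    }
    proxy: Dict[str, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().endswith(" .exe"):
            findings["spaced_exe"].append(line)
            continue
        if line.startswith("[-] "):
            m = DRIVE_PATH.search(line)
            findings["sigcheck_failed"].append(m.group(0) if m else line)
            continue
        m = SERVICE_LINE.match(line)
        if m:
            if ("svchost.exe -k netsvcs" in m.group("image").lower()
                    and m.group("name").lower() not in KNOWN_NETSVCS):
                findings["unknown_netsvcs"].append(f"{m.group('name')} ({m.group('display')})")
            continue
        m = PROXY_LINE.match(line)
        if m:
            proxy[m.group("key")] = m.group("value")
    if proxy.get("type") == "1":  # 1 = manual proxy configuration in Firefox
        hosts = {v for k, v in proxy.items() if k != "type" and not k.endswith("_port")}
        findings["proxy_hosts"] = sorted(hosts - LOOPBACK)
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("ComboFix.txt", encoding="latin-1").read() for a real log
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}: {items}")
```

The service check is deliberately strict: a netsvcs entry with an unfamiliar short name and a plausible-sounding display name is worth pulling the ServiceDll value for in the registry, since svchost.exe itself is always the legitimate binary and the log line does not show which DLL it loads.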

Juisterr

Legacy Member
Now don't go :puke: messing around on your own, or the fix won't work afterwards.

Open Notepad, copy and paste the following (bold, blue text) into an empty window:

RENV::
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl .exe
c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray .exe
c:\program files\Alcohol Soft\Alcohol 120\axcmd .exe
c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\versio~2 .exe
c:\program files\Common Files\Adobe\CS4ServiceManager\cs4servicemanager .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe

Save this to your Desktop as CFScript.txt.

Drag CFScript.txt onto ComboFix.exe as shown in the example below:

[image: CFScript.gif]

This will make ComboFix start again.

After your computer has restarted (if it asks to restart), copy and paste the contents of Combofix.txt into your next reply.



Download GMER from one of the following locations, and save it to your Desktop:
  • Primary download location: This mirror will give you a randomly named file (Recommended)
  • Zipped file: This option will give you a zip file that has to be unpacked first. If you use this one, unpack it to your desktop.
  • Disconnect from the internet, and close all open programs.
  • Temporarily disable your real-time security software.
  • Double-click the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to be loaded, if asked.
  • Note: If you downloaded the zipped version, unpack the file to a fixed folder, for example C:\gmer, and then double-click gmer.exe.
    [image: gmer_zip.gif]
  • GMER will open the Rootkit/Malware tab and run an automatic quick scan when GMER is run for the first time. (do not use the computer during the scan)
  • If you receive a WARNING!!! about rootkit activity and are asked to scan your whole system... click NO.
  • Now click the Scan button. If you get a rootkit warning window, click OK.
  • Click the Save... button when the scan is complete, and save the log file to your desktop. Save the file as gmer.log.
  • Click the Copy button and post the log in your next message.
  • Close GMER and turn all real-time protection back on.
-- If you have any problems, try running GMER in Safe Mode.


Download TDSSKiller.zip and put it on your desktop.

Unpack the files.

Open a Notepad file.
Copy the code below into this Notepad file.

Code:
@ECHO OFF
REM Run TDSSKiller from its own folder, verbose, writing the log to report.txt
TDSSKiller.exe -l report.txt -v
REM Remove this batch file once the scan has finished
DEL %0
Go to File - Save As.

Under "Save in" choose: the folder that contains TDSSKiller.exe.
Under "File name" enter: start.bat
Under "Save as type" select: All files (*.*).
Click the Save button.


Double-click start.bat
This will start TDSSKiller.exe and create a log file (report.txt) in the same folder.
When TDSSKiller.exe has finished, post the contents of report.txt.

Then restart your computer.

After the restart, make a new log with ComboFix and post that here in this topic as well, for review.
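
Added example, not part of the reply above and not ComboFix's own code: before (or after) letting RENV:: rename the listed files back, it helps to know what is sitting at each original name. This Python script walks a directory tree, pairs every 'name .exe' with the file occupying 'name.exe' beside it and reports that file's size, then prints a block in the same RENV:: shape as the CFScript above. The tree it scans is a constructed fixture built in a temporary folder (a displaced 'jusched .exe' beside a 304 KB occupant, 304 × 1024 bytes here, mirroring the two files the original poster described); the assumption that the spaced file is the displaced original and the file at the real name is the loader follows from how the RENV:: fix is used in this thread. Point find_spaced_exes at c:\program files on the real machine to get the actual list.

```python
import os
import tempfile
from pathlib import Path
from typing import List, NamedTuple, Optional


class SpacedExe(NamedTuple):
    spaced: Path                   # the 'name .exe' file (assumed: the displaced original)
    occupant: Optional[Path]       # whatever now sits at 'name.exe', if anything
    occupant_size: Optional[int]   # its size in bytes, to compare with the 304 KB the poster saw


def find_spaced_exes(root: str) -> List[SpacedExe]:
    """Walk root and pair every 'name .exe' with the file occupying 'name.exe' next to it."""
    hits: List[SpacedExe] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if not fn.lower().endswith(" .exe"):
                continue
            spaced = Path(dirpath) / fn
            occupant = Path(dirpath) / (fn[:-5] + ".exe")   # drop ' .exe', re-add '.exe'
            if occupant.is_file():
                hits.append(SpacedExe(spaced, occupant, occupant.stat().st_size))
            else:
                hits.append(SpacedExe(spaced, None, None))
    return hits


def renv_script(hits: List[SpacedExe]) -> str:
    """Emit a RENV:: block in the form the CFScript in the reply uses: one spaced path per line."""
    return "RENV::\n" + "".join(f"{h.spaced}\n" for h in hits)


def build_demo_tree() -> str:
    """Constructed fixture: a displaced 'jusched' pair as in the thread, plus an untouched app."""
    root = tempfile.mkdtemp(prefix="spaced-exe-demo-")
    bin_dir = Path(root) / "Java" / "jre6" / "bin"
    bin_dir.mkdir(parents=True)
    (bin_dir / "jusched .exe").write_bytes(b"MZ" + b"\0" * 2046)            # displaced original, 2 KiB
    (bin_dir / "jusched.exe").write_bytes(b"MZ" + b"\0" * (304 * 1024 - 2))  # 304 KB occupant at the real name
    clean_dir = Path(root) / "Foxit Software"
    clean_dir.mkdir()
    (clean_dir / "FoxitReader.exe").write_bytes(b"MZ" + b"\0" * 1022)        # no spaced twin: not reported
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    found = find_spaced_exes(demo_root)
    for h in found:
        print(f"{h.spaced}  ->  occupant: {h.occupant} ({h.occupant_size} bytes)")
    print(renv_script(found))
```

On the demo tree the RENV:: block lists temporary-folder paths; on a real system it lists the same c:\program files paths ComboFix printed between its <pre> tags, which is the check that the script and the log agree before the rename is run. A spaced file with no occupant means something already removed or renamed the file at the original name, as the original poster says he did by hand.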

GuntherDW

Legacy Member
combofix log 1:

ComboFix 10-01-27.03 - lisa 28/01/2010 10:31:02.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.32.1033.18.3070.2138 [GMT 1:00]
Running from: c:\users\lisa\Downloads\ComboFix.exe
Command switches used :: c:\users\lisa\Downloads\CFScript.txt
* Resident AV is active

.

(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Fonts\MyriadPro-Regular.otf

.
(((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-28 ))))))))))))))))))))))))))))))
.

2010-01-28 09:41 . 2010-01-28 09:42 -------- d-----w- c:\users\lisa\AppData\Local\temp
2010-01-28 09:41 . 2010-01-28 09:41 -------- d-----w- c:\users\Simonne\AppData\Local\temp
2010-01-28 09:41 . 2010-01-28 09:41 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-28 09:41 . 2010-01-28 09:41 -------- d-----w- c:\users\Paul\AppData\Local\temp
2010-01-28 09:41 . 2010-01-28 09:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-28 06:14 . 2010-01-28 06:14 -------- d-----w- c:\programdata\ALM
2010-01-27 18:09 . 2008-04-07 04:38 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-01-27 15:07 . 2009-10-31 05:45 2614272 ----a-w- c:\windows\explorer.exe
2010-01-27 15:07 . 2009-10-28 06:17 285696 ----a-w- c:\windows\system32\winlogon.exe
2010-01-26 15:29 . 2010-01-26 15:29 -------- d-----w- c:\users\Simonne\AppData\Roaming\Malwarebytes
2010-01-25 14:25 . 2010-01-25 14:25 -------- d-----w- c:\program files\uTorrent
2010-01-25 14:25 . 2010-01-25 14:36 -------- d-----w- c:\users\lisa\AppData\Roaming\uTorrent
2010-01-25 14:08 . 2010-01-25 14:08 53136 ----a-w- c:\windows\system32\PxSecure.dll
2010-01-25 14:07 . 2010-01-25 14:07 47664 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-01-25 14:07 . 2010-01-25 14:07 24496 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-01-25 14:07 . 2010-01-26 04:28 -------- d-----w- c:\program files\Prevx
2010-01-25 13:48 . 2010-01-25 13:48 -------- d-----w- C:\Kill'em
2010-01-25 13:47 . 2010-01-25 13:47 -------- d-----w- c:\program files\List_Kill'em
2010-01-25 13:26 . 2010-01-26 06:57 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-25 13:26 . 2010-01-25 13:26 388096 ----a-r- c:\users\lisa\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-25 13:26 . 2010-01-25 13:26 -------- d-----w- c:\program files\TrendMicro
2010-01-25 13:02 . 2010-01-25 13:02 -------- d-----w- c:\users\lisa\AppData\Local\Locktime
2010-01-25 12:43 . 2010-01-25 12:43 -------- d-----w- c:\programdata\Locktime
2010-01-25 12:40 . 2010-01-26 05:34 -------- d-----w- c:\program files\NetLimiter 3
2010-01-24 20:26 . 2010-01-24 20:26 -------- d-----w- c:\users\Paul\AppData\Local\ESET
2010-01-22 21:22 . 2010-01-22 21:22 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2010-01-22 20:59 . 2010-01-22 20:59 -------- d-----w- c:\users\lisa\AppData\Roaming\Malwarebytes
2010-01-22 20:48 . 2009-01-01 05:34 528744 ----a-w- c:\windows\system32\OGAVerify.exe
2010-01-22 20:37 . 2010-01-22 20:43 -------- d-----w- c:\program files\Microsoft Works
2010-01-22 20:34 . 2010-01-22 20:34 -------- d-----w- c:\program files\Microsoft.NET
2010-01-22 20:32 . 2010-01-22 20:32 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-01-22 20:30 . 2010-01-22 20:30 -------- d-----r- C:\MSOCache
2010-01-22 20:00 . 2010-01-22 20:00 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-22 19:58 . 2010-01-22 19:58 -------- d-----w- c:\users\Paul\AppData\Roaming\Malwarebytes
2010-01-22 19:58 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-22 19:58 . 2010-01-22 19:58 -------- d-----w- c:\programdata\Malwarebytes
2010-01-22 19:58 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-22 19:58 . 2010-01-26 05:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-22 19:31 . 2006-10-26 18:58 30512 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-01-22 19:31 . 2006-10-26 18:58 30512 ----a-w- c:\windows\system32\mdimon.dll
2010-01-22 17:35 . 2010-01-22 17:35 176128 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{3C5055BE-3A87-B463-9533-B24B8FF54BAD}-msb.exe
2010-01-22 17:20 . 2010-01-22 17:20 176128 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{0B9371AE-82C1-AE8D-F0E4-439B20CE3974}-msa.exe
2010-01-22 05:17 . 2009-12-19 09:02 977920 ----a-w- c:\windows\system32\wininet.dll
2010-01-22 03:56 . 2010-01-22 03:56 -------- d-----w- c:\windows\system32\rserver30
2010-01-22 03:56 . 2010-01-22 03:56 -------- d-----w- c:\users\lisa\AppData\Local\Downloaded Installations
2010-01-18 18:17 . 2010-01-18 18:17 98304 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{67671892-40C8-3236-BCD5-9E97C1BD29B7}-nssdbm3.dll
2010-01-13 09:14 . 2009-10-19 14:10 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 09:14 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-01-09 08:23 . 2010-01-09 08:23 -------- d-----w- c:\users\lisa\Office Genuine Advantage
2010-01-08 18:40 . 2010-01-08 18:40 36864 ----a-w- c:\users\Paul\AppData\Roaming\Autodesk\AutoCAD 2010\R18.0\enu\ContextualTabSelectorRules.dll
2010-01-08 16:14 . 2010-01-22 17:23 -------- d-----w- c:\users\Paul\AppData\Roaming\Autodesk
2010-01-08 16:14 . 2010-01-08 16:14 -------- d-----w- c:\users\Paul\AppData\Local\Autodesk
2009-12-31 14:29 . 2009-12-31 14:29 -------- d-----w- c:\users\Paul\AppData\Roaming\Media Player Classic

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-28 08:28 . 2009-12-12 22:14 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-28 08:24 . 2009-12-12 18:05 142400 ----a-w- c:\users\lisa\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-28 06:06 . 2009-12-12 22:28 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-01-27 19:59 . 2009-12-12 21:17 142400 ----a-w- c:\users\Paul\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-27 15:06 . 2009-12-12 18:13 140480 ----a-w- c:\users\Simonne\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-26 13:37 . 2009-12-12 17:46 -------- d-----w- c:\program files\Mozilla Firefox 3.6 Beta 4
2010-01-26 05:25 . 2009-12-12 22:02 -------- d-----w- c:\program files\Windows Live
2010-01-26 04:31 . 2009-07-14 00:02 543232 ----a-w- c:\windows\system32\termsrv.dll
2010-01-25 13:13 . 2009-12-12 20:21 -------- d-----w- c:\programdata\Microsoft Help
2010-01-23 09:55 . 2009-12-12 17:47 694684 ----a-w- c:\windows\system32\perfh013.dat
2010-01-23 09:55 . 2009-12-12 17:47 131278 ----a-w- c:\windows\system32\perfc013.dat
2010-01-22 20:36 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2010-01-22 17:23 . 2009-12-13 00:49 -------- d-----w- c:\programdata\Autodesk
2010-01-21 09:52 . 2009-12-12 21:14 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 10:12 . 2009-10-14 09:58 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-08 16:17 . 2009-12-17 09:44 -------- d-----w- c:\programdata\FLEXnet
2009-12-28 12:32 . 2009-12-28 12:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-28 12:32 . 2009-12-28 12:32 -------- d-----w- c:\program files\Java
2009-12-28 09:27 . 2009-12-28 09:27 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2009-12-28 09:27 . 2009-12-28 09:27 704320 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-27 02:51 . 2009-12-27 02:50 -------- d-----w- c:\program files\OpenVPN
2009-12-17 09:51 . 2009-12-17 09:51 -------- d-----w- c:\programdata\hps
2009-12-17 09:49 . 2009-12-17 09:49 -------- d-----w- c:\program files\Fotoservice
2009-12-13 01:36 . 2009-12-13 00:49 -------- d-----w- c:\program files\AutoCAD 2010
2009-12-13 00:52 . 2009-12-13 00:49 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-12-13 00:49 . 2009-12-13 00:49 -------- d-----w- c:\users\lisa\AppData\Roaming\Autodesk
2009-12-12 22:36 . 2009-12-12 22:36 -------- d-----w- c:\program files\Adobe Media Player
2009-12-12 22:33 . 2009-12-12 22:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-12 22:28 . 2009-12-12 22:28 -------- d-----w- c:\program files\Google
2009-12-12 22:26 . 2009-12-12 22:26 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-12-12 22:08 . 2009-12-12 22:08 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-12-12 22:06 . 2009-12-12 22:06 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-12-12 22:04 . 2009-12-12 22:04 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-12-12 22:03 . 2009-12-12 21:14 -------- d-----w- c:\program files\Microsoft
2009-12-12 22:03 . 2009-12-12 22:03 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-12-12 21:36 . 2009-12-12 21:36 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-12-12 21:32 . 2009-12-12 21:32 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-12 21:10 . 2009-12-12 20:52 -------- d-----w- c:\programdata\NOS
2009-12-12 20:52 . 2009-12-12 20:52 -------- d-----w- c:\program files\NOS
2009-12-12 20:31 . 2009-12-12 19:54 -------- d-----w- c:\users\lisa\AppData\Roaming\Media Player Classic
2009-12-12 20:27 . 2009-12-12 20:27 -------- d-----w- c:\users\lisa\AppData\Roaming\Foxit
2009-12-12 20:27 . 2009-12-12 20:27 -------- d-----w- c:\program files\Foxit Software
2009-12-12 20:07 . 2009-12-12 20:07 -------- d-----w- c:\program files\Alcohol Soft
2009-12-12 19:59 . 2009-12-12 19:59 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-12 18:23 . 2009-12-12 18:23 -------- d-----w- c:\program files\ESET
2009-12-12 18:21 . 2009-12-12 18:21 -------- d-----w- c:\programdata\Hewlett-Packard
2009-12-12 18:01 . 2009-12-12 18:00 -------- d-----w- c:\programdata\NVIDIA
2009-12-12 17:58 . 2009-12-12 17:58 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-12-12 17:51 . 2009-12-12 17:51 -------- d-----w- c:\program files\NVIDIA Corporation
2009-12-12 17:51 . 2009-12-12 17:51 -------- d-----w- c:\program files\AGEIA Technologies
2009-12-12 17:51 . 2009-12-12 17:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-12 17:46 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Sidebar
2009-12-12 17:46 . 2009-07-14 04:52 -------- d-----w- c:\program files\DVD Maker
2009-12-12 17:46 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2009-12-12 17:46 . 2009-07-14 07:50 -------- d-----w- c:\program files\Windows Journal
2009-12-12 17:46 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Photo Viewer
2009-12-12 17:46 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Defender
2009-12-12 17:46 . 2009-12-12 17:47 43068 ----a-w- c:\windows\system32\perfd013.dat
2009-12-12 17:46 . 2009-12-12 17:47 341322 ----a-w- c:\windows\system32\perfi013.dat
2009-12-12 17:46 . 2009-12-12 17:46 43068 ----a-w- c:\windows\inf\PERFLIB\0413\perfd.dat
2009-12-12 17:46 . 2009-12-12 17:46 43068 ----a-w- c:\windows\inf\PERFLIB\0413\perfc.dat
2009-12-12 17:46 . 2009-12-12 17:46 341322 ----a-w- c:\windows\inf\PERFLIB\0413\perfi.dat
2009-12-12 17:46 . 2009-12-12 17:46 341322 ----a-w- c:\windows\inf\PERFLIB\0413\perfh.dat
2009-12-12 17:41 . 2009-12-12 17:41 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-12-12 17:22 . 2009-12-12 17:22 -------- d-sh--we c:\programdata\Templates
2009-12-12 17:22 . 2009-12-12 17:22 -------- d-sh--we c:\programdata\Start Menu
2009-12-12 17:22 . 2009-12-12 17:22 -------- d-sh--we c:\programdata\Favorites
2009-12-12 17:22 . 2009-12-12 17:22 -------- d-sh--we c:\programdata\Documents
2009-12-12 17:22 . 2009-12-12 17:22 -------- d-sh--we c:\programdata\Desktop
2009-12-11 23:48 . 2009-12-11 23:48 25984 ----a-w- c:\windows\system32\drivers\tap0901.sys
2009-12-08 09:12 . 2009-12-08 09:12 5229568 ----a-w- c:\windows\system32\drivers\nlndis.sys
2009-12-01 18:43 . 2009-12-12 20:51 34496 ----a-w- c:\users\lisa\AppData\Roaming\Mozilla\Firefox\Profiles\7pww5zum.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-12-01 18:43 . 2009-12-12 20:51 25936 ----a-w- c:\users\lisa\AppData\Roaming\Mozilla\Firefox\Profiles\7pww5zum.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-20 19:33 . 2009-11-20 19:33 87144 ----a-w- c:\windows\system32\nvhotkey.dll
2009-11-20 19:33 . 2009-11-20 19:33 812648 ----a-w- c:\windows\system32\nvsvc.dll
2009-11-20 19:33 . 2009-11-20 19:33 66664 ----a-w- c:\windows\system32\nvshext.dll
2009-11-20 19:33 . 2009-11-20 19:33 1323624 ----a-w- c:\windows\system32\nvsvcr.dll
2009-11-20 19:33 . 2009-11-20 19:33 12685928 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-20 19:33 . 2009-11-20 19:33 122984 ----a-w- c:\windows\system32\nvvsvc.exe
2009-11-20 19:33 . 2009-11-20 19:33 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-16 08:06 . 2009-11-16 08:06 95896 ----a-w- c:\windows\system32\drivers\epfwwfpr.sys
2009-11-16 08:03 . 2009-11-16 08:03 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-11-16 07:56 . 2009-11-16 07:56 116520 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

------- Sigcheck -------

[-] 2010-01-26 . FB53ED7B93B4B2CA6EF7580490B7A9D4 . 543232 . . [6.1.7600.16385] . . c:\windows\System32\termsrv.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-01-26_14.24.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-27 15:02 . 2009-12-11 07:12 69120 c:\windows\winsxs\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.7600.20594_none_bbfdf44c22665152\iecompat.dll
+ 2010-01-27 15:02 . 2009-12-11 07:30 69120 c:\windows\winsxs\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.7600.16484_none_bb7f276d09409597\iecompat.dll
+ 2009-12-12 18:02 . 2010-01-26 15:30 31296 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2010-01-27 15:36 37296 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-14 06:57 . 2008-08-14 06:57 74720 c:\windows\System32\drivers\adfs.sys
- 2009-12-12 17:20 . 2010-01-26 14:07 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-12 17:20 . 2010-01-28 08:59 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-12 17:20 . 2010-01-26 14:07 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-12 17:20 . 2010-01-28 08:59 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:41 . 2010-01-28 08:59 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:41 . 2010-01-26 14:07 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-07 04:38 . 2008-04-07 04:38 45392 c:\windows\System32\AdobePDF.dll
+ 2009-12-12 17:26 . 2010-01-28 09:01 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-12 17:26 . 2010-01-26 14:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:34 . 2010-01-27 17:38 73256 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2009-07-14 04:34 . 2010-01-25 19:25 73256 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2009-12-12 17:26 . 2010-01-26 14:06 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-12 17:26 . 2010-01-28 09:01 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-12 17:26 . 2010-01-26 14:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-12 17:26 . 2010-01-28 09:01 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-12 19:12 . 2010-01-26 14:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-12 19:12 . 2010-01-28 08:59 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-12 21:07 . 2010-01-26 14:10 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-12 21:07 . 2010-01-28 09:13 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-12 21:07 . 2010-01-28 09:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2009-12-12 21:07 . 2010-01-26 14:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2009-12-12 21:07 . 2010-01-26 14:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2009-12-12 21:07 . 2010-01-28 09:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2009-12-12 19:12 . 2010-01-26 14:10 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-12 19:12 . 2010-01-28 09:13 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-12 19:12 . 2010-01-26 14:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-12 19:12 . 2010-01-28 08:59 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-27 18:09 . 2010-01-27 18:09 25214 c:\windows\Installer\{AC76BA86-1040-7D70-7760-000000000004}\_SC_Distiller.exe
+ 2010-01-27 18:09 . 2010-01-27 18:09 36294 c:\windows\Installer\{AC76BA86-1040-7D70-7760-000000000004}\_SC_Acrobat_Standard.exe
+ 2010-01-27 18:09 . 2010-01-27 18:09 38926 c:\windows\Installer\{AC76BA86-1040-7D70-7760-000000000004}\_SC_Acrobat_3D.exe
+ 2010-01-27 18:09 . 2010-01-27 18:09 38926 c:\windows\Installer\{AC76BA86-1040-7D70-7760-000000000004}\_SC_Acrobat.exe
- 2010-01-25 19:44 . 2010-01-25 19:44 77824 c:\windows\Installer\{3A6829EF-0791-4FDD-9382-C690DD0821B9}\ARPPRODUCTICON.exe
+ 2010-01-27 18:01 . 2010-01-27 18:01 77824 c:\windows\Installer\{3A6829EF-0791-4FDD-9382-C690DD0821B9}\ARPPRODUCTICON.exe
- 2010-01-25 19:44 . 2010-01-25 19:44 77824 c:\windows\Installer\{03DEEAD2-F3B7-45BF-9006-A25D015F00D2}\ARPPRODUCTICON.exe
+ 2010-01-27 18:01 . 2010-01-27 18:01 77824 c:\windows\Installer\{03DEEAD2-F3B7-45BF-9006-A25D015F00D2}\ARPPRODUCTICON.exe
+ 2009-12-12 18:02 . 2010-01-26 16:14 3774 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3174481477-1541696535-1444457090-1002_UserData.bin
+ 2009-12-12 17:27 . 2010-01-27 15:36 4854 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3174481477-1541696535-1444457090-1000_UserData.bin
+ 2007-12-10 02:00 . 2007-12-10 02:00 9200 c:\windows\System32\drivers\cdralw2k.sys
+ 2007-12-10 02:00 . 2007-12-10 02:00 9072 c:\windows\System32\drivers\cdr4_xp.sys
- 2010-01-26 13:42 . 2010-01-26 14:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-01-28 08:59 . 2010-01-28 08:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-01-28 08:59 . 2010-01-28 08:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-01-26 13:42 . 2010-01-26 14:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-01-27 18:09 . 2010-01-27 18:09 7278 c:\windows\Installer\{AC76BA86-1040-7D70-7760-000000000004}\_SC_ELEMENTS_DT.exe
+ 2010-01-27 15:07 . 2009-10-28 05:52 285696 c:\windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
+ 2010-01-27 15:07 . 2009-10-28 06:17 285696 c:\windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
+ 2009-08-03 14:07 . 2009-08-03 14:07 403816 c:\windows\System32\OGACheckControl.DLL
+ 2009-10-14 09:58 . 2010-01-28 08:59 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-10-14 09:58 . 2010-01-26 14:04 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2010-01-27 18:09 . 2010-01-27 18:09 335872 c:\windows\Installer\{AC76BA86-1040-7D70-7760-000000000004}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
+ 2010-01-27 15:07 . 2009-10-31 06:00 2614272 c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe
+ 2010-01-27 15:07 . 2009-10-31 05:45 2614272 c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
+ 2009-07-14 02:03 . 2010-01-28 09:11 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2009-07-14 02:03 . 2010-01-26 14:17 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 04:33 . 2010-01-28 08:59 2415424 c:\windows\System32\FNTCACHE.DAT
+ 2009-07-14 04:34 . 2010-01-27 15:33 3606945 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:34 . 2010-01-24 10:02 3606945 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2008-09-20 09:28 . 2008-09-20 09:28 6258176 c:\windows\Installer\790f3e.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 5661696 c:\windows\Installer\790f37.msi
+ 2008-09-20 09:31 . 2008-09-20 09:31 4067840 c:\windows\Installer\790f11.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 3131904 c:\windows\Installer\790f0b.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 5710848 c:\windows\Installer\790f04.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 3161600 c:\windows\Installer\790edb.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 3141632 c:\windows\Installer\790ed4.msi
+ 2008-09-20 09:31 . 2008-09-20 09:31 3133952 c:\windows\Installer\790ec5.msi
+ 2008-09-20 09:31 . 2008-09-20 09:31 3140608 c:\windows\Installer\790ebd.msi
+ 2008-09-20 09:29 . 2008-09-20 09:29 3148288 c:\windows\Installer\790eb4.msi
+ 2008-09-20 09:27 . 2008-09-20 09:27 3230720 c:\windows\Installer\790ead.msi
+ 2008-09-17 00:59 . 2008-09-17 00:59 6892032 c:\windows\Installer\790ea3.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 3123200 c:\windows\Installer\790e97.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 3115008 c:\windows\Installer\790e8c.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 3252736 c:\windows\Installer\790e85.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 3120640 c:\windows\Installer\790e7e.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 3123200 c:\windows\Installer\790e78.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 3136000 c:\windows\Installer\790e72.msi
+ 2008-09-20 09:29 . 2008-09-20 09:29 3084288 c:\windows\Installer\790e6c.msi
+ 2008-09-20 09:29 . 2008-09-20 09:29 3116544 c:\windows\Installer\790e64.msi
+ 2008-09-20 09:31 . 2008-09-20 09:31 3117568 c:\windows\Installer\790e5c.msi
+ 2008-09-20 09:31 . 2008-09-20 09:31 3118592 c:\windows\Installer\790e56.msi
+ 2008-09-20 09:28 . 2008-09-20 09:28 3118080 c:\windows\Installer\790e50.msi
+ 2008-09-20 09:27 . 2008-09-20 09:27 3245568 c:\windows\Installer\790e48.msi
+ 2008-09-20 09:31 . 2008-09-20 09:31 4620800 c:\windows\Installer\790e39.msi
+ 2008-09-20 09:27 . 2008-09-20 09:27 3120128 c:\windows\Installer\790e33.msi
+ 2008-09-20 09:31 . 2008-09-20 09:31 3119104 c:\windows\Installer\790e2d.msi
+ 2008-09-20 09:28 . 2008-09-20 09:28 3123200 c:\windows\Installer\790e27.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 3121152 c:\windows\Installer\790e21.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 3123712 c:\windows\Installer\790e1b.msi
+ 2008-09-20 09:29 . 2008-09-20 09:29 3769344 c:\windows\Installer\790e15.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 3140608 c:\windows\Installer\790e0f.msi
+ 2008-09-20 09:28 . 2008-09-20 09:28 4945408 c:\windows\Installer\790e08.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 3160576 c:\windows\Installer\790dfe.msi
+ 2008-09-20 09:28 . 2008-09-20 09:28 6033920 c:\windows\Installer\790df8.msi
+ 2008-09-20 09:28 . 2008-09-20 09:28 4938752 c:\windows\Installer\790df2.msi
+ 2008-09-20 09:29 . 2008-09-20 09:29 3139584 c:\windows\Installer\790de4.msi
+ 2008-09-20 09:28 . 2008-09-20 09:28 3133440 c:\windows\Installer\790dde.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 3137536 c:\windows\Installer\790dd8.msi
+ 2008-09-20 09:29 . 2008-09-20 09:29 5480960 c:\windows\Installer\790dd2.msi
+ 2008-09-20 09:28 . 2008-09-20 09:28 3117056 c:\windows\Installer\790dcb.msi
+ 2008-09-20 09:28 . 2008-09-20 09:28 3328512 c:\windows\Installer\790dc4.msi
+ 2008-09-20 09:31 . 2008-09-20 09:31 3127296 c:\windows\Installer\790dbe.msi
+ 2008-09-20 09:29 . 2008-09-20 09:29 3781120 c:\windows\Installer\790db8.msi
+ 2008-09-20 09:28 . 2008-09-20 09:28 3746304 c:\windows\Installer\790db2.msi
+ 2008-09-20 09:31 . 2008-09-20 09:31 3119104 c:\windows\Installer\790dab.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 3116544 c:\windows\Installer\790da4.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 3115008 c:\windows\Installer\790d9e.msi
+ 2008-09-20 09:29 . 2008-09-20 09:29 3117568 c:\windows\Installer\790d97.msi
+ 2008-09-20 09:29 . 2008-09-20 09:29 3115008 c:\windows\Installer\790d90.msi
+ 2008-09-20 09:28 . 2008-09-20 09:28 3750400 c:\windows\Installer\790d89.msi
+ 2008-09-20 09:31 . 2008-09-20 09:31 3160576 c:\windows\Installer\790d83.msi
+ 2008-09-20 09:31 . 2008-09-20 09:31 5802496 c:\windows\Installer\790d7c.msi
+ 2008-09-20 09:31 . 2008-09-20 09:31 3120640 c:\windows\Installer\790d76.msi
+ 2008-09-20 09:28 . 2008-09-20 09:28 3118080 c:\windows\Installer\790d70.msi
+ 2008-09-20 09:28 . 2008-09-20 09:28 3118080 c:\windows\Installer\790d69.msi
+ 2008-09-20 09:28 . 2008-09-20 09:28 3118080 c:\windows\Installer\790d62.msi
+ 2008-09-20 09:29 . 2008-09-20 09:29 5413376 c:\windows\Installer\790d5b.msi
+ 2008-09-20 09:28 . 2008-09-20 09:28 3222528 c:\windows\Installer\790d55.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 3130880 c:\windows\Installer\790d4f.msi
+ 2008-09-20 09:28 . 2008-09-20 09:28 3154944 c:\windows\Installer\790d49.msi
+ 2008-09-20 09:31 . 2008-09-20 09:31 3190272 c:\windows\Installer\790d43.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 5435392 c:\windows\Installer\790d3d.msi
+ 2008-09-20 09:27 . 2008-09-20 09:27 3115008 c:\windows\Installer\790d37.msi
+ 2008-09-20 18:32 . 2008-09-20 18:32 3769856 c:\windows\Installer\790d31.msi
+ 2008-09-20 09:29 . 2008-09-20 09:29 5767168 c:\windows\Installer\3a13746.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 3897856 c:\windows\Installer\3a1373e.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 5858816 c:\windows\Installer\31dc1b5.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 4078592 c:\windows\Installer\31dc1af.msi
+ 2008-09-20 09:27 . 2008-09-20 09:27 5684736 c:\windows\Installer\31dc1a8.msi
+ 2008-09-20 09:30 . 2008-09-20 09:30 5920256 c:\windows\Installer\31dc186.msi
+ 2008-09-20 09:29 . 2008-09-20 09:29 5862400 c:\windows\Installer\31dc163.msi
[/code]

GuntherDW

Legacy Member
Continued:

+ 2008-09-20 09:29 . 2008-09-20 09:29 6596096 c:\windows\Installer\31dc15c.msi
+ 2008-09-20 09:28 . 2008-09-20 09:28 6286336 c:\windows\Installer\31dc151.msi
+ 2009-07-14 07:18 . 2010-01-27 15:02 24606456 c:\windows\winsxs\ManifestCache\e4e8be02b8fae2a7_blobs.bin
.
-- Snapshot teruggezet naar huidige datum --
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetLimiter"="c:\program files\NetLimiter 3\NLClientApp.exe" [2009-12-08 1646592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

R1 ehdrv;ehdrv;c:\windows\System32\drivers\ehdrv.sys [16/11/2009 09:03 108792]
R1 nltdi;nltdi;c:\program files\NetLimiter 3\nltdi.sys [8/12/2009 10:12 5281024]
R1 raddrvv3;raddrvv3;c:\windows\System32\rserver30\raddrvv3.sys [9/10/2009 14:00 46304]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\System32\drivers\vwififlt.sys [14/07/2009 00:52 48128]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [16/11/2009 09:04 735960]
R2 epfwwfpr;epfwwfpr;c:\windows\System32\drivers\epfwwfpr.sys [16/11/2009 09:06 95896]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [22/01/2010 20:58 236368]
R2 RServer3;Radmin Server V3;c:\windows\System32\rserver30\rserver3.exe [9/10/2009 14:00 1242504]
R3 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [22/01/2010 20:58 19160]
R3 mirrorv3;mirrorv3;c:\windows\System32\drivers\rminiv3.sys [9/10/2009 14:00 3328]
R3 NLNdisMP;NLNdisMP;c:\windows\System32\drivers\nlndis.sys [8/12/2009 10:12 5229568]
R3 pxkbf;pxkbf;c:\windows\System32\drivers\pxkbf.sys [25/01/2010 15:07 24496]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\System32\drivers\VSTAZL3.SYS [13/07/2009 23:13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\System32\drivers\VSTDPV3.SYS [13/07/2009 23:13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\System32\drivers\VSTCNXT3.SYS [13/07/2009 23:13 661504]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [12/12/2009 20:59 721904]
S2 hehmdniz;Microsoft Tunnel Miniport Adapter Support;c:\windows\System32\svchost.exe -k netsvcs [14/07/2009 00:19 20992]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15/08/2008 05:46 284016]
S3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\System32\drivers\nlndis.sys [8/12/2009 10:12 5229568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hehmdniz
.
.
------- Bijkomende Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Doel van koppeling converteren naar Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Doel van koppeling toevoegen aan bestaande PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Toevoegen aan bestaande PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
FF - ProfilePath - c:\users\lisa\AppData\Roaming\Mozilla\Firefox\Profiles\7pww5zum.default\
FF - prefs.js: network.proxy.ftp - 192.168.10.4
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 192.168.10.4
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 192.168.10.4
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 192.168.10.4
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 192.168.10.4
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox 3.6 Beta 4\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox 3.6 Beta 4\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\lisa\AppData\Roaming\Mozilla\Firefox\Profiles\7pww5zum.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x86412856]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x856cce88
QueryNameProcedure -> 0x856cc018
user & kernel MBR OK

**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Voltooingstijd: 2010-01-28 10:45:33
ComboFix-quarantined-files.txt 2010-01-28 09:45
ComboFix2.txt 2010-01-26 14:27

Pre-Run: 33.788.788.736 bytes beschikbaar
Post-Run: 33.816.076.288 bytes beschikbaar

- - End Of File - - 5DC2C42ABCF24051CE001D53301EFA76


GMER log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-28 12:07:29
Windows 6.1.7600
Running: e2m2yiy9.exe; Driver: C:\Users\Paul\AppData\Local\Temp\kxldapod.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1FAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1F104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1F3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C07634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C07898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1F1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1F958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1F6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1FF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C201A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 82C718E9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82C913B2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text peauth.sys 9E9FAC9D 28 Bytes [1E, F4, D5, A3, 06, 0E, F2, ...]
.text peauth.sys 9E9FACC1 28 Bytes [1E, F4, D5, A3, 06, 0E, F2, ...]
PAGE peauth.sys 9EA00B9B 72 Bytes [67, 7E, F2, 49, CE, 5F, E6, ...]
PAGE peauth.sys 9EA00BEC 111 Bytes [50, AA, 17, 77, EF, F9, 00, ...]
PAGE peauth.sys 9EA00E20 1 Byte [26]
PAGE ...
? C:\Users\lisa\AppData\Local\Temp\catchme.sys Het systeem kan het opgegeven bestand niet vinden. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS Het systeem kan het opgegeven bestand niet vinden. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[740] ole32.dll!CoCreateInstance 769F57FC 5 Bytes JMP 0030000A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1744] kernel32.dll!SetUnhandledExceptionFilter 76EF3142 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\ACPI_HAL \Device\00000060 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp nltdi.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp nltdi.sys

Device -> \Driver\atapi \Device\Harddisk0\DR0 86412856

---- Threads - GMER 1.0.15 ----

Thread System [4:256] 867A0930

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x5A 0x8D 0xFD 0x5F ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x32 0x41 0xE6 0x8B ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x09 0x1E 0xFF 0x87 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x5A 0x8D 0xFD 0x5F ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x32 0x41 0xE6 0x8B ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x09 0x1E 0xFF 0x87 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
[/code]

TDSSKiller log: (which reported that there was an infection and that it had removed it)
Code:
12:07:44:407 4740	TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
12:07:44:407 4740	================================================================================
12:07:44:407 4740	SystemInfo:

12:07:44:407 4740	OS Version: 6.1.7600 ServicePack: 0.0
12:07:44:407 4740	Product type: Workstation
12:07:44:407 4740	ComputerName: PAUL-PC
12:07:44:422 4740	UserName: Paul
12:07:44:422 4740	Windows directory: C:\Windows
12:07:44:422 4740	Processor architecture: Intel x86
12:07:44:422 4740	Number of processors: 2
12:07:44:422 4740	Page size: 0x1000
12:07:44:422 4740	Boot type: Normal boot
12:07:44:422 4740	================================================================================
12:07:44:422 4740	UnloadDriverW: NtUnloadDriver error 2
12:07:44:422 4740	ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:07:44:422 4740	MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
12:07:44:454 4740	UtilityInit: KLMD drop and load success
12:07:44:454 4740	KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
12:07:44:454 4740	UtilityInit: KLMD open success
12:07:44:454 4740	UtilityInit: Initialize success
12:07:44:454 4740	
12:07:44:454 4740	Scanning	Services ...
12:07:44:454 4740	CreateRegParser: Registry parser init started
12:07:44:454 4740	CreateRegParser: DisableWow64Redirection error
12:07:44:454 4740	wfopen_ex: Trying to open file C:\Windows\system32\config\system
12:07:44:454 4740	MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
12:07:44:454 4740	wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:07:44:454 4740	wfopen_ex: Trying to KLMD file open
12:07:44:454 4740	KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
12:07:44:454 4740	wfopen_ex: File opened ok (Flags 2)
12:07:44:469 4740	CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 17912A8
12:07:44:469 4740	wfopen_ex: Trying to open file C:\Windows\system32\config\software
12:07:44:469 4740	MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
12:07:44:469 4740	wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:07:44:469 4740	wfopen_ex: Trying to KLMD file open
12:07:44:469 4740	KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
12:07:44:469 4740	wfopen_ex: File opened ok (Flags 2)
12:07:44:485 4740	CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 17912D0
12:07:44:485 4740	CreateRegParser: EnableWow64Redirection error
12:07:44:485 4740	CreateRegParser: RegParser init completed
12:07:46:310 4740	GetAdvancedServicesInfo: Raw services enum returned 471 services
12:07:46:326 4740	fclose_ex: Trying to close file C:\Windows\system32\config\system
12:07:46:326 4740	fclose_ex: Trying to close file C:\Windows\system32\config\software
12:07:46:326 4740	
12:07:46:326 4740	Scanning	Kernel memory ...
12:07:46:326 4740	KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
12:07:46:326 4740	DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86502080
12:07:46:326 4740	DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
12:07:46:326 4740	
12:07:46:326 4740	DetectCureTDL3: DEVICE_OBJECT: 86829170
12:07:46:326 4740	KLMD_GetLowerDeviceObject: Trying to get lower device object for 86829170
12:07:46:326 4740	DetectCureTDL3: DEVICE_OBJECT: 8688FCB8
12:07:46:326 4740	KLMD_GetLowerDeviceObject: Trying to get lower device object for 8688FCB8
12:07:46:326 4740	KLMD_ReadMem: Trying to ReadMemory 0x8688FCB8[0x38]
12:07:46:326 4740	DetectCureTDL3: DRIVER_OBJECT: 8682C030
12:07:46:326 4740	KLMD_ReadMem: Trying to ReadMemory 0x8682C030[0xA8]
12:07:46:326 4740	KLMD_ReadMem: Trying to ReadMemory 0x874D2AE8[0x1E]
12:07:46:326 4740	DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
12:07:46:326 4740	DetectCureTDL3: IrpHandler (0) addr: 93C0FA02
12:07:46:326 4740	DetectCureTDL3: IrpHandler (1) addr: 82CEA359
12:07:46:326 4740	DetectCureTDL3: IrpHandler (2) addr: 93C0FA7A
12:07:46:326 4740	DetectCureTDL3: IrpHandler (3) addr: 93C0FAF2
12:07:46:326 4740	DetectCureTDL3: IrpHandler (4) addr: 93C0FAF2
12:07:46:326 4740	DetectCureTDL3: IrpHandler (5) addr: 82CEA359
12:07:46:326 4740	DetectCureTDL3: IrpHandler (6) addr: 82CEA359
12:07:46:326 4740	DetectCureTDL3: IrpHandler (7) addr: 82CEA359
12:07:46:326 4740	DetectCureTDL3: IrpHandler (8) addr: 82CEA359
12:07:46:326 4740	DetectCureTDL3: IrpHandler (9) addr: 82CEA359
12:07:46:326 4740	DetectCureTDL3: IrpHandler (10) addr: 82CEA359
12:07:46:326 4740	DetectCureTDL3: IrpHandler (11) addr: 82CEA359
12:07:46:326 4740	DetectCureTDL3: IrpHandler (12) addr: 82CEA359
12:07:46:326 4740	DetectCureTDL3: IrpHandler (13) addr: 82CEA359
12:07:46:326 4740	DetectCureTDL3: IrpHandler (14) addr: 93C0F5FE
12:07:46:326 4740	DetectCureTDL3: IrpHandler (15) addr: 93C02656
12:07:46:326 4740	DetectCureTDL3: IrpHandler (16) addr: 82CEA359
12:07:46:326 4740	DetectCureTDL3: IrpHandler (17) addr: 82CEA359
12:07:46:326 4740	DetectCureTDL3: IrpHandler (18) addr: 82CEA359
12:07:46:326 4740	DetectCureTDL3: IrpHandler (19) addr: 82CEA359
12:07:46:326 4740	DetectCureTDL3: IrpHandler (20) addr: 82CEA359
12:07:46:326 4740	DetectCureTDL3: IrpHandler (21) addr: 82CEA359
12:07:46:326 4740	DetectCureTDL3: IrpHandler (22) addr: 93C0D9BA
12:07:46:326 4740	DetectCureTDL3: IrpHandler (23) addr: 93C0A88E
12:07:46:326 4740	DetectCureTDL3: IrpHandler (24) addr: 82CEA359
12:07:46:326 4740	DetectCureTDL3: IrpHandler (25) addr: 82CEA359
12:07:46:326 4740	DetectCureTDL3: IrpHandler (26) addr: 82CEA359
12:07:46:326 4740	KLMD_ReadMem: Trying to ReadMemory 0x93C04EA2[0x400]
12:07:46:326 4740	TDL3_StartIoHookDetect: CheckParameters: 4, 93C09000, 0
12:07:46:326 4740	TDL3_FileDetect: Processing driver: USBSTOR
12:07:46:326 4740	TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\USBSTOR.SYS
12:07:46:326 4740	KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\USBSTOR.SYS
12:07:46:341 4740	TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
12:07:46:341 4740	
12:07:46:341 4740	DetectCureTDL3: DEVICE_OBJECT: 865032D0
12:07:46:341 4740	KLMD_GetLowerDeviceObject: Trying to get lower device object for 865032D0
12:07:46:341 4740	DetectCureTDL3: DEVICE_OBJECT: 863BAC10
12:07:46:341 4740	KLMD_GetLowerDeviceObject: Trying to get lower device object for 863BAC10
12:07:46:341 4740	DetectCureTDL3: DEVICE_OBJECT: 86390030
12:07:46:341 4740	KLMD_GetLowerDeviceObject: Trying to get lower device object for 86390030
12:07:46:341 4740	KLMD_ReadMem: Trying to ReadMemory 0x86390030[0x38]
12:07:46:341 4740	DetectCureTDL3: DRIVER_OBJECT: 86619A00
12:07:46:341 4740	KLMD_ReadMem: Trying to ReadMemory 0x86619A00[0xA8]
12:07:46:341 4740	KLMD_ReadMem: Trying to ReadMemory 0x863B4028[0x38]
12:07:46:341 4740	KLMD_ReadMem: Trying to ReadMemory 0x8638D850[0xA8]
12:07:46:341 4740	KLMD_ReadMem: Trying to ReadMemory 0x85F6D1B8[0x1A]

GuntherDW

Legacy Member
Continued:

12:07:46:341 4740 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
12:07:46:341 4740 DetectCureTDL3: IrpHandler (0) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (1) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (2) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (3) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (4) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (5) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (6) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (7) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (8) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (9) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (10) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (11) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (12) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (13) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (14) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (15) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (16) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (17) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (18) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (19) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (20) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (21) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (22) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (23) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (24) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (25) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: IrpHandler (26) addr: 86412856
12:07:46:341 4740 DetectCureTDL3: All IRP handlers pointed to one addr: 86412856
12:07:46:341 4740 KLMD_ReadMem: Trying to ReadMemory 0x86412856[0x400]
12:07:46:341 4740 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
12:07:46:341 4740 Driver "atapi" Irp handler infected by TDSS rootkit ... 12:07:46:341 4740 KLMD_WriteMem: Trying to WriteMemory 0x864128CF[0xD]
12:07:46:341 4740 cured
12:07:46:341 4740 KLMD_ReadMem: Trying to ReadMemory 0x86412701[0x400]
12:07:46:341 4740 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
12:07:46:341 4740 Driver "atapi" StartIo handler infected by TDSS rootkit ... 12:07:46:341 4740 TDL3_StartIoHookCure: Number of patches 1
12:07:46:341 4740 KLMD_WriteMem: Trying to WriteMemory 0x8641280A[0x6]
12:07:46:341 4740 cured
12:07:46:341 4740 TDL3_FileDetect: Processing driver: atapi
12:07:46:341 4740 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
12:07:46:341 4740 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\atapi.sys
12:07:46:372 4740 TDL3_FileDetect: C:\Windows\system32\DRIVERS\atapi.sys - Verdict: Infected
12:07:46:372 4740 File C:\Windows\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 12:07:46:372 4740 TDL3_FileCure: Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
12:07:46:482 4740 FileCallback: Backup candidate found: C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys:21584, checking..
12:07:46:497 4740 ValidateDriverFile: Stage 1 passed
12:07:46:497 4740 ValidateDriverFile: Stage 2 passed
12:07:46:560 4740 DigitalSignVerifyByHandle: Embedded DS result: 00000000
12:07:46:560 4740 ValidateDriverFile: Stage 3 passed
12:07:46:560 4740 FileCallback: File validated successfully, restore information prepared
12:07:46:653 4740 FindDriverFileBackup: Backup copy found in DriverStore
12:07:46:653 4740 TDL3_FileCure: Backup copy found, using it..
12:07:46:653 4740 TDL3_FileCure: Dumping cured buffer to file C:\Windows\system32\drivers\tskAE79.tmp
12:07:46:669 4740 TDL3_FileCure: New / Old Image paths: (system32\drivers\tskAE79.tmp, system32\drivers\atapi.sys)
12:07:46:669 4740 TDL3_FileCure: KLMD jobs schedule success
12:07:46:669 4740 will be cured on next reboot
12:07:46:684 4740 UtilityBootReinit: Reboot required for cure complete..
12:07:46:684 4740 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmdb.sys) returned status 00000000
12:07:46:684 4740 UtilityBootReinit: KLMD drop success
12:07:46:684 4740 KLMD_ApplyPendList: Pending buffer(EE1_10EA, 616) dropped successfully
12:07:46:684 4740 UtilityBootReinit: Cure on reboot scheduled successfully
12:07:46:684 4740
12:07:46:684 4740 Completed
12:07:46:684 4740
12:07:46:684 4740 Results:
12:07:46:684 4740 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
12:07:46:684 4740 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:07:46:684 4740 File objects infected / cured / cured on reboot: 1 / 0 / 1
12:07:46:684 4740
12:07:46:684 4740 UnloadDriverW: NtUnloadDriver error 1
12:07:46:684 4740 KLMD_Unload: UnloadDriverW(klmd21) error 1
12:07:46:684 4740 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
12:07:46:684 4740 UtilityDeinit: KLMD(ARK) unloaded successfully
[/code]

Combofix log 2
Code:
ComboFix 10-01-27.03 - lisa 28/01/2010 12:28:05.4.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.32.1033.18.3070.2217 [GMT 1:00]
Gestart vanuit: c:\users\lisa\Downloads\ComboFix.exe
* Aanwezig AV is actief

.

(((((((((((((((((((( Bestanden Gemaakt van 2009-12-28 to 2010-01-28 ))))))))))))))))))))))))))))))
.

2010-01-28 11:36 . 2010-01-28 11:37 -------- d-----w- c:\users\lisa\AppData\Local\temp
2010-01-28 11:36 . 2010-01-28 11:36 -------- d-----w- c:\users\Simonne\AppData\Local\temp
2010-01-28 11:36 . 2010-01-28 11:36 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-28 11:36 . 2010-01-28 11:36 -------- d-----w- c:\users\Paul\AppData\Local\temp
2010-01-28 11:36 . 2010-01-28 11:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-28 06:14 . 2010-01-28 06:14 -------- d-----w- c:\programdata\ALM
2010-01-27 18:09 . 2008-04-07 04:38 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-01-27 15:07 . 2009-10-31 05:45 2614272 ----a-w- c:\windows\explorer.exe
2010-01-27 15:07 . 2009-10-28 06:17 285696 ----a-w- c:\windows\system32\winlogon.exe
2010-01-26 15:29 . 2010-01-26 15:29 -------- d-----w- c:\users\Simonne\AppData\Roaming\Malwarebytes
2010-01-25 14:25 . 2010-01-25 14:25 -------- d-----w- c:\program files\uTorrent
2010-01-25 14:25 . 2010-01-25 14:36 -------- d-----w- c:\users\lisa\AppData\Roaming\uTorrent
2010-01-25 14:08 . 2010-01-25 14:08 53136 ----a-w- c:\windows\system32\PxSecure.dll
2010-01-25 14:07 . 2010-01-25 14:07 47664 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-01-25 14:07 . 2010-01-25 14:07 24496 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-01-25 14:07 . 2010-01-26 04:28 -------- d-----w- c:\program files\Prevx
2010-01-25 13:48 . 2010-01-25 13:48 -------- d-----w- C:\Kill'em
2010-01-25 13:47 . 2010-01-25 13:47 -------- d-----w- c:\program files\List_Kill'em
2010-01-25 13:26 . 2010-01-26 06:57 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-25 13:26 . 2010-01-25 13:26 388096 ----a-r- c:\users\lisa\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-25 13:26 . 2010-01-25 13:26 -------- d-----w- c:\program files\TrendMicro
2010-01-25 13:02 . 2010-01-25 13:02 -------- d-----w- c:\users\lisa\AppData\Local\Locktime
2010-01-25 12:43 . 2010-01-25 12:43 -------- d-----w- c:\programdata\Locktime
2010-01-25 12:40 . 2010-01-26 05:34 -------- d-----w- c:\program files\NetLimiter 3
2010-01-24 20:26 . 2010-01-24 20:26 -------- d-----w- c:\users\Paul\AppData\Local\ESET
2010-01-22 21:22 . 2010-01-22 21:22 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2010-01-22 20:59 . 2010-01-22 20:59 -------- d-----w- c:\users\lisa\AppData\Roaming\Malwarebytes
2010-01-22 20:48 . 2009-01-01 05:34 528744 ----a-w- c:\windows\system32\OGAVerify.exe
2010-01-22 20:37 . 2010-01-22 20:43 -------- d-----w- c:\program files\Microsoft Works
2010-01-22 20:34 . 2010-01-22 20:34 -------- d-----w- c:\program files\Microsoft.NET
2010-01-22 20:32 . 2010-01-22 20:32 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-01-22 20:30 . 2010-01-22 20:30 -------- d-----r- C:\MSOCache
2010-01-22 20:00 . 2010-01-22 20:00 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-22 19:58 . 2010-01-22 19:58 -------- d-----w- c:\users\Paul\AppData\Roaming\Malwarebytes
2010-01-22 19:58 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-22 19:58 . 2010-01-22 19:58 -------- d-----w- c:\programdata\Malwarebytes
2010-01-22 19:58 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-22 19:58 . 2010-01-26 05:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-22 19:31 . 2006-10-26 18:58 30512 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\mdippr.dll
2010-01-22 19:31 . 2006-10-26 18:58 30512 ----a-w- c:\windows\system32\mdimon.dll
2010-01-22 17:35 . 2010-01-22 17:35 176128 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{3C5055BE-3A87-B463-9533-B24B8FF54BAD}-msb.exe
2010-01-22 17:20 . 2010-01-22 17:20 176128 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{0B9371AE-82C1-AE8D-F0E4-439B20CE3974}-msa.exe
2010-01-22 05:17 . 2009-12-19 09:02 977920 ----a-w- c:\windows\system32\wininet.dll
2010-01-22 03:56 . 2010-01-22 03:56 -------- d-----w- c:\windows\system32\rserver30
2010-01-22 03:56 . 2010-01-22 03:56 -------- d-----w- c:\users\lisa\AppData\Local\Downloaded Installations
2010-01-18 18:17 . 2010-01-18 18:17 98304 ----a-w- c:\programdata\Microsoft\Windows Defender\LocalCopy\{67671892-40C8-3236-BCD5-9E97C1BD29B7}-nssdbm3.dll
2010-01-13 09:14 . 2009-10-19 14:10 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 09:14 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-01-09 08:23 . 2010-01-09 08:23 -------- d-----w- c:\users\lisa\Office Genuine Advantage
2010-01-08 18:40 . 2010-01-08 18:40 36864 ----a-w- c:\users\Paul\AppData\Roaming\Autodesk\AutoCAD 2010\R18.0\enu\ContextualTabSelectorRules.dll
2010-01-08 16:14 . 2010-01-22 17:23 -------- d-----w- c:\users\Paul\AppData\Roaming\Autodesk
2010-01-08 16:14 . 2010-01-08 16:14 -------- d-----w- c:\users\Paul\AppData\Local\Autodesk
2009-12-31 14:29 . 2009-12-31 14:29 -------- d-----w- c:\users\Paul\AppData\Roaming\Media Player Classic

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-28 11:10 . 2009-07-13 23:11 21584 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-28 08:28 . 2009-12-12 22:14 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-28 08:24 . 2009-12-12 18:05 142400 ----a-w- c:\users\lisa\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-28 06:06 . 2009-12-12 22:28 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-01-27 19:59 . 2009-12-12 21:17 142400 ----a-w- c:\users\Paul\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-27 15:06 . 2009-12-12 18:13 140480 ----a-w- c:\users\Simonne\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-26 13:37 . 2009-12-12 17:46 -------- d-----w- c:\program files\Mozilla Firefox 3.6 Beta 4
2010-01-26 05:25 . 2009-12-12 22:02 -------- d-----w- c:\program files\Windows Live
2010-01-26 04:31 . 2009-07-14 00:02 543232 ----a-w- c:\windows\system32\termsrv.dll
2010-01-25 13:13 . 2009-12-12 20:21 -------- d-----w- c:\programdata\Microsoft Help
2010-01-23 09:55 . 2009-12-12 17:47 694684 ----a-w- c:\windows\system32\perfh013.dat
2010-01-23 09:55 . 2009-12-12 17:47 131278 ----a-w- c:\windows\system32\perfc013.dat
2010-01-22 20:36 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2010-01-22 17:23 . 2009-12-13 00:49 -------- d-----w- c:\programdata\Autodesk
2010-01-21 09:52 . 2009-12-12 21:14 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 10:12 . 2009-10-14 09:58 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-08 16:17 . 2009-12-17 09:44 -------- d-----w- c:\programdata\FLEXnet
2009-12-28 12:32 . 2009-12-28 12:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-28 12:32 . 2009-12-28 12:32 -------- d-----w- c:\program files\Java
2009-12-28 09:27 . 2009-12-28 09:27 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2009-12-28 09:27 . 2009-12-28 09:27 704320 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-27 02:51 . 2009-12-27 02:50 -------- d-----w- c:\program files\OpenVPN
2009-12-17 09:51 . 2009-12-17 09:51 -------- d-----w- c:\programdata\hps
2009-12-17 09:49 . 2009-12-17 09:49 -------- d-----w- c:\program files\Fotoservice
2009-12-13 01:36 . 2009-12-13 00:49 -------- d-----w- c:\program files\AutoCAD 2010
2009-12-13 00:52 . 2009-12-13 00:49 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-12-13 00:49 . 2009-12-13 00:49 -------- d-----w- c:\users\lisa\AppData\Roaming\Autodesk
2009-12-12 22:36 . 2009-12-12 22:36 -------- d-----w- c:\program files\Adobe Media Player
2009-12-12 22:33 . 2009-12-12 22:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-12 22:28 . 2009-12-12 22:28 -------- d-----w- c:\program files\Google
2009-12-12 22:26 . 2009-12-12 22:26 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-12-12 22:08 . 2009-12-12 22:08 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-12-12 22:06 . 2009-12-12 22:06 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-12-12 22:04 . 2009-12-12 22:04 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-12-12 22:03 . 2009-12-12 21:14 -------- d-----w- c:\program files\Microsoft
2009-12-12 22:03 . 2009-12-12 22:03 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-12-12 21:36 . 2009-12-12 21:36 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-12-12 21:32 . 2009-12-12 21:32 -------- d-----w- c:\program files\Common Files\Windows Live
2009-12-12 21:10 . 2009-12-12 20:52 -------- d-----w- c:\programdata\NOS
2009-12-12 20:52 . 2009-12-12 20:52 -------- d-----w- c:\program files\NOS
2009-12-12 20:31 . 2009-12-12 19:54 -------- d-----w- c:\users\lisa\AppData\Roaming\Media Player Classic
2009-12-12 20:27 . 2009-12-12 20:27 -------- d-----w- c:\users\lisa\AppData\Roaming\Foxit
2009-12-12 20:27 . 2009-12-12 20:27 -------- d-----w- c:\program files\Foxit Software
2009-12-12 20:07 . 2009-12-12 20:07 -------- d-----w- c:\program files\Alcohol Soft
2009-12-12 19:59 . 2009-12-12 19:59 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-12 18:23 . 2009-12-12 18:23 -------- d-----w- c:\program files\ESET
2009-12-12 18:21 . 2009-12-12 18:21 -------- d-----w- c:\programdata\Hewlett-Packard
2009-12-12 18:01 . 2009-12-12 18:00 -------- d-----w- c:\programdata\NVIDIA
2009-12-12 17:58 . 2009-12-12 17:58 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-12-12 17:51 . 2009-12-12 17:51 -------- d-----w- c:\program files\NVIDIA Corporation
2009-12-12 17:51 . 2009-12-12 17:51 -------- d-----w- c:\program files\AGEIA Technologies
2009-12-12 17:51 . 2009-12-12 17:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-12 17:46 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Sidebar
2009-12-12 17:46 . 2009-07-14 04:52 -------- d-----w- c:\program files\DVD Maker
2009-12-12 17:46 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2009-12-12 17:46 . 2009-07-14 07:50 -------- d-----w- c:\program files\Windows Journal
2009-12-12 17:46 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Photo Viewer
2009-12-12 17:46 . 2009-07-14 04:52 -------- d-----w- c:\program files\Windows Defender
2009-12-12 17:46 . 2009-12-12 17:47 43068 ----a-w- c:\windows\system32\perfd013.dat
2009-12-12 17:46 . 2009-12-12 17:47 341322 ----a-w- c:\windows\system32\perfi013.dat
2009-12-12 17:46 . 2009-12-12 17:46 43068 ----a-w- c:\windows\inf\PERFLIB\0413\perfd.dat
2009-12-12 17:46 . 2009-12-12 17:46 43068 ----a-w- c:\windows\inf\PERFLIB\0413\perfc.dat
2009-12-12 17:46 . 2009-12-12 17:46 341322 ----a-w- c:\windows\inf\PERFLIB\0413\perfi.dat
2009-12-12 17:46 . 2009-12-12 17:46 341322 ----a-w- c:\windows\inf\PERFLIB\0413\perfh.dat
2009-12-12 17:41 . 2009-12-12 17:41 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-12-12 17:22 . 2009-12-12 17:22 -------- d-sh--we c:\programdata\Templates
2009-12-12 17:22 . 2009-12-12 17:22 -------- d-sh--we c:\programdata\Start Menu
2009-12-12 17:22 . 2009-12-12 17:22 -------- d-sh--we c:\programdata\Favorites
2009-12-12 17:22 . 2009-12-12 17:22 -------- d-sh--we c:\programdata\Documents
2009-12-12 17:22 . 2009-12-12 17:22 -------- d-sh--we c:\programdata\Desktop
2009-12-11 23:48 . 2009-12-11 23:48 25984 ----a-w- c:\windows\system32\drivers\tap0901.sys
2009-12-08 09:12 . 2009-12-08 09:12 5229568 ----a-w- c:\windows\system32\drivers\nlndis.sys
2009-12-01 18:43 . 2009-12-12 20:51 34496 ----a-w- c:\users\lisa\AppData\Roaming\Mozilla\Firefox\Profiles\7pww5zum.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-12-01 18:43 . 2009-12-12 20:51 25936 ----a-w- c:\users\lisa\AppData\Roaming\Mozilla\Firefox\Profiles\7pww5zum.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-20 19:33 . 2009-11-20 19:33 87144 ----a-w- c:\windows\system32\nvhotkey.dll
2009-11-20 19:33 . 2009-11-20 19:33 812648 ----a-w- c:\windows\system32\nvsvc.dll
2009-11-20 19:33 . 2009-11-20 19:33 66664 ----a-w- c:\windows\system32\nvshext.dll
2009-11-20 19:33 . 2009-11-20 19:33 1323624 ----a-w- c:\windows\system32\nvsvcr.dll
2009-11-20 19:33 . 2009-11-20 19:33 12685928 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-20 19:33 . 2009-11-20 19:33 122984 ----a-w- c:\windows\system32\nvvsvc.exe
2009-11-20 19:33 . 2009-11-20 19:33 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-16 08:06 . 2009-11-16 08:06 95896 ----a-w- c:\windows\system32\drivers\epfwwfpr.sys
2009-11-16 08:03 . 2009-11-16 08:03 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-11-16 07:56 . 2009-11-16 07:56 116520 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

------- Sigcheck -------

[-] 2010-01-26 . FB53ED7B93B4B2CA6EF7580490B7A9D4 . 543232 . . [6.1.7600.16385] . . c:\windows\System32\termsrv.dll
.
((((((((((((((((((((((((((((( SnapShot_2010-01-28_09.42.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-12 18:02 . 2010-01-28 11:24 31512 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-12-12 17:26 . 2010-01-28 09:01 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-12 17:26 . 2010-01-28 11:25 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-12 17:26 . 2010-01-28 09:01 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-12 17:26 . 2010-01-28 11:25 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-12 17:26 . 2010-01-28 11:25 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-12 17:26 . 2010-01-28 09:01 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-12 19:12 . 2010-01-28 11:25 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-12-12 19:12 . 2010-01-28 08:59 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-12 21:07 . 2010-01-28 11:07 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-12 21:07 . 2010-01-28 09:13 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-12 21:07 . 2010-01-28 11:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2009-12-12 21:07 . 2010-01-28 09:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2009-12-12 21:07 . 2010-01-28 09:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2009-12-12 21:07 . 2010-01-28 11:07 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2009-12-12 19:12 . 2010-01-28 11:25 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-12 19:12 . 2010-01-28 09:13 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-12-12 19:12 . 2010-01-28 11:25 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-12-12 19:12 . 2010-01-28 08:59 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-28 11:23 . 2010-01-28 11:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-01-28 08:59 . 2010-01-28 08:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-01-28 11:23 . 2010-01-28 11:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-01-28 08:59 . 2010-01-28 08:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
[/code]

GuntherDW

Legacy Member
Continued
Code:
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetLimiter"="c:\program files\NetLimiter 3\NLClientApp.exe" [2009-12-08 1646592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-11-16 2054360]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages	REG_MULTI_SZ   	kerberos msv1_0 schannel wdigest tspkg pku2u livessp

R1 ehdrv;ehdrv;c:\windows\System32\drivers\ehdrv.sys [16/11/2009 09:03 108792]
R1 nltdi;nltdi;c:\program files\NetLimiter 3\nltdi.sys [8/12/2009 10:12 5281024]
R1 raddrvv3;raddrvv3;c:\windows\System32\rserver30\raddrvv3.sys [9/10/2009 14:00 46304]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\System32\drivers\vwififlt.sys [14/07/2009 00:52 48128]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [16/11/2009 09:04 735960]
R2 epfwwfpr;epfwwfpr;c:\windows\System32\drivers\epfwwfpr.sys [16/11/2009 09:06 95896]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [22/01/2010 20:58 236368]
R2 RServer3;Radmin Server V3;c:\windows\System32\rserver30\rserver3.exe [9/10/2009 14:00 1242504]
R3 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [22/01/2010 20:58 19160]
R3 mirrorv3;mirrorv3;c:\windows\System32\drivers\rminiv3.sys [9/10/2009 14:00 3328]
R3 NLNdisMP;NLNdisMP;c:\windows\System32\drivers\nlndis.sys [8/12/2009 10:12 5229568]
R3 pxkbf;pxkbf;c:\windows\System32\drivers\pxkbf.sys [25/01/2010 15:07 24496]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\System32\drivers\VSTAZL3.SYS [13/07/2009 23:13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\System32\drivers\VSTDPV3.SYS [13/07/2009 23:13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\System32\drivers\VSTCNXT3.SYS [13/07/2009 23:13 661504]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [12/12/2009 20:59 721904]
S2 hehmdniz;Microsoft Tunnel Miniport Adapter Support;c:\windows\System32\svchost.exe -k netsvcs [14/07/2009 00:19 20992]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15/08/2008 05:46 284016]
S3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\System32\drivers\nlndis.sys [8/12/2009 10:12 5229568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper	REG_MULTI_SZ   	getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
hehmdniz
.
.
------- Bijkomende Scan -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Doel van koppeling converteren naar Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Doel van koppeling toevoegen aan bestaande PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Toevoegen aan bestaande PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
FF - ProfilePath - c:\users\lisa\AppData\Roaming\Mozilla\Firefox\Profiles\7pww5zum.default\
FF - prefs.js: network.proxy.ftp - 192.168.10.4
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 192.168.10.4
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 192.168.10.4
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 192.168.10.4
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 192.168.10.4
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox 3.6 Beta 4\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox 3.6 Beta 4\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\lisa\AppData\Roaming\Mozilla\Firefox\Profiles\7pww5zum.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox 3.6 Beta 4\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox 3.6 Beta 4\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Voltooingstijd: 2010-01-28  12:39:18
ComboFix-quarantined-files.txt  2010-01-28 11:39
ComboFix2.txt  2010-01-28 09:45
ComboFix3.txt  2010-01-26 14:27

Pre-Run: 33.638.633.472 bytes beschikbaar
Post-Run: 33.581.469.696 bytes beschikbaar

- - End Of File - - 733AA68643CCE66D32664B4EA937A095

GuntherDW

Legacy Member
This time it reported that it found nothing

Code:
21:07:14:541 4184	TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
21:07:14:541 4184	================================================================================
21:07:14:541 4184	SystemInfo:

21:07:14:541 4184	OS Version: 6.1.7600 ServicePack: 0.0
21:07:14:541 4184	Product type: Workstation
21:07:14:541 4184	ComputerName: PAUL-PC
21:07:14:543 4184	UserName: lisa
21:07:14:543 4184	Windows directory: C:\Windows
21:07:14:543 4184	Processor architecture: Intel x86
21:07:14:543 4184	Number of processors: 2
21:07:14:543 4184	Page size: 0x1000
21:07:14:548 4184	Boot type: Normal boot
21:07:14:548 4184	================================================================================
21:07:14:551 4184	UnloadDriverW: NtUnloadDriver error 2
21:07:14:551 4184	ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
21:07:14:552 4184	MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
21:07:14:669 4184	UtilityInit: KLMD drop and load success
21:07:14:669 4184	KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
21:07:14:669 4184	UtilityInit: KLMD open success
21:07:14:669 4184	UtilityInit: Initialize success
21:07:14:669 4184	
21:07:14:670 4184	Scanning	Services ...
21:07:14:671 4184	CreateRegParser: Registry parser init started
21:07:14:671 4184	CreateRegParser: DisableWow64Redirection error
21:07:14:671 4184	wfopen_ex: Trying to open file C:\Windows\system32\config\system
21:07:14:671 4184	MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
21:07:14:671 4184	wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:07:14:671 4184	wfopen_ex: Trying to KLMD file open
21:07:14:671 4184	KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
21:07:14:671 4184	wfopen_ex: File opened ok (Flags 2)
21:07:14:705 4184	CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 241298
21:07:14:705 4184	wfopen_ex: Trying to open file C:\Windows\system32\config\software
21:07:14:705 4184	MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
21:07:14:705 4184	wfopen_ex: MyNtCreateFileW error 32 (C0000043)
21:07:14:705 4184	wfopen_ex: Trying to KLMD file open
21:07:14:705 4184	KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
21:07:14:706 4184	wfopen_ex: File opened ok (Flags 2)
21:07:14:718 4184	CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 2412C0
21:07:14:718 4184	CreateRegParser: EnableWow64Redirection error
21:07:14:718 4184	CreateRegParser: RegParser init completed
21:07:16:695 4184	GetAdvancedServicesInfo: Raw services enum returned 471 services
21:07:16:702 4184	fclose_ex: Trying to close file C:\Windows\system32\config\system
21:07:16:703 4184	fclose_ex: Trying to close file C:\Windows\system32\config\software
21:07:16:703 4184	
21:07:16:703 4184	Scanning	Kernel memory ...
21:07:16:704 4184	KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
21:07:16:704 4184	DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8611F4B0
21:07:16:704 4184	DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
21:07:16:704 4184	
21:07:16:704 4184	DetectCureTDL3: DEVICE_OBJECT: 86120690
21:07:16:704 4184	KLMD_GetLowerDeviceObject: Trying to get lower device object for 86120690
21:07:16:704 4184	DetectCureTDL3: DEVICE_OBJECT: 8603AC10
21:07:16:704 4184	KLMD_GetLowerDeviceObject: Trying to get lower device object for 8603AC10
21:07:16:704 4184	DetectCureTDL3: DEVICE_OBJECT: 85FD2788
21:07:16:704 4184	KLMD_GetLowerDeviceObject: Trying to get lower device object for 85FD2788
21:07:16:704 4184	KLMD_ReadMem: Trying to ReadMemory 0x85FD2788[0x38]
21:07:16:704 4184	DetectCureTDL3: DRIVER_OBJECT: 85FD1930
21:07:16:704 4184	KLMD_ReadMem: Trying to ReadMemory 0x85FD1930[0xA8]
21:07:16:704 4184	KLMD_ReadMem: Trying to ReadMemory 0x85F60DB8[0x1A]
21:07:16:704 4184	DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
21:07:16:704 4184	DetectCureTDL3: IrpHandler (0) addr: 85F481F8
21:07:16:704 4184	DetectCureTDL3: IrpHandler (1) addr: 82CEB359
21:07:16:704 4184	DetectCureTDL3: IrpHandler (2) addr: 85F481F8
21:07:16:704 4184	DetectCureTDL3: IrpHandler (3) addr: 82CEB359
21:07:16:704 4184	DetectCureTDL3: IrpHandler (4) addr: 82CEB359
21:07:16:704 4184	DetectCureTDL3: IrpHandler (5) addr: 82CEB359
21:07:16:705 4184	DetectCureTDL3: IrpHandler (6) addr: 82CEB359
21:07:16:705 4184	DetectCureTDL3: IrpHandler (7) addr: 82CEB359
21:07:16:705 4184	DetectCureTDL3: IrpHandler (8) addr: 82CEB359
21:07:16:705 4184	DetectCureTDL3: IrpHandler (9) addr: 82CEB359
21:07:16:705 4184	DetectCureTDL3: IrpHandler (10) addr: 82CEB359
21:07:16:705 4184	DetectCureTDL3: IrpHandler (11) addr: 82CEB359
21:07:16:705 4184	DetectCureTDL3: IrpHandler (12) addr: 82CEB359
21:07:16:705 4184	DetectCureTDL3: IrpHandler (13) addr: 82CEB359
21:07:16:705 4184	DetectCureTDL3: IrpHandler (14) addr: 85F481F8
21:07:16:705 4184	DetectCureTDL3: IrpHandler (15) addr: 85F481F8
21:07:16:705 4184	DetectCureTDL3: IrpHandler (16) addr: 82CEB359
21:07:16:705 4184	DetectCureTDL3: IrpHandler (17) addr: 82CEB359
21:07:16:705 4184	DetectCureTDL3: IrpHandler (18) addr: 82CEB359
21:07:16:705 4184	DetectCureTDL3: IrpHandler (19) addr: 82CEB359
21:07:16:705 4184	DetectCureTDL3: IrpHandler (20) addr: 82CEB359
21:07:16:705 4184	DetectCureTDL3: IrpHandler (21) addr: 82CEB359
21:07:16:705 4184	DetectCureTDL3: IrpHandler (22) addr: 85F481F8
21:07:16:705 4184	DetectCureTDL3: IrpHandler (23) addr: 85F481F8
21:07:16:705 4184	DetectCureTDL3: IrpHandler (24) addr: 82CEB359
21:07:16:705 4184	DetectCureTDL3: IrpHandler (25) addr: 82CEB359
21:07:16:705 4184	DetectCureTDL3: IrpHandler (26) addr: 82CEB359
21:07:16:705 4184	TDL3_FileDetect: Processing driver: atapi
21:07:16:705 4184	TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\atapi.sys
21:07:16:705 4184	KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\atapi.sys
21:07:16:724 4184	TDL3_FileDetect: C:\Windows\system32\drivers\atapi.sys - Verdict: Clean
21:07:16:724 4184	
21:07:16:724 4184	Completed
21:07:16:725 4184	
21:07:16:725 4184	Results:
21:07:16:726 4184	Memory objects infected / cured / cured on reboot:	0 / 0 / 0
21:07:16:726 4184	Registry objects infected / cured / cured on reboot:	0 / 0 / 0
21:07:16:727 4184	File objects infected / cured / cured on reboot:	0 / 0 / 0
21:07:16:727 4184	
21:07:16:729 4184	MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
21:07:16:729 4184	UtilityDeinit: KLMD(ARK) unloaded successfully

edit: thanks for still spending your time on this, Juisterr ^^

Juisterr

Legacy Member
Is it better now?

Post a new HijackThis log (not in code tags, please)

GuntherDW

Legacy Member
Yes, it's better (even noticeably faster).
Thanks :)

And I thought cramming it into code tags made it more readable?

And yes, I put radmin and openvpn on that laptop myself; handy when you're on the other side of the country but need to help out for a moment :p.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 06:06:33, on 1/02/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\NetLimiter 3\nlclientapp.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Hotmail | Messenger | Nieuws, entertainment, concerten, video, sport, lifestyle, auto en nog veel meer, dat is MSN !
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN | Hotmail | Messenger | Nieuws, entertainment, concerten, video, sport, lifestyle, auto en nog veel meer, dat is MSN !
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Hotmail | Messenger | Nieuws, entertainment, concerten, video, sport, lifestyle, auto en nog veel meer, dat is MSN !
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKCU\..\Run: [NetLimiter] C:\Program Files\NetLimiter 3\NLClientApp.exe /tray
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Doel van koppeling converteren naar Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Doel van koppeling toevoegen aan bestaande PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Toevoegen aan bestaande PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Verzenden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Verz&enden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NetLimiter 3 Service (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 3\nlsvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech Corp. - C:\Windows\system32\rserver30\RServer3.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6156 bytes
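The HijackThis log above is judged clean, but one line that would normally raise an eyebrow is the OpenVPN service listed with "Unknown owner", which the poster explains he installed himself. As an added example (not part of the original post and not HijackThis's own logic), here is a first-pass triage of the O2/O4/O23 sections: the rules are my assumptions, namely that a service with an unknown publisher and any autostart, BHO or service image living outside C:\Windows or C:\Program Files is reported unless the operator has acknowledged that entry. Most sample lines are taken from the posted log; the `updater` line is constructed to show what the check flags.

```python
"""Triage a HijackThis 2.x log such as the one posted above.

Added example: not part of the original post and not HijackThis's own
logic. The two rules are my assumptions for a first pass, not a verdict.
"""
import re

O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.*?) \((?P<short>[^)]+)\) - (?P<owner>.*?) - (?P<path>.+)$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")

# Assumption: images under these roots are "expected"; everything else gets reported.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def image_path(cmd):
    """Pull the executable path out of an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def in_trusted_root(path):
    # HijackThis sometimes prints mixed slashes (see the Contribute BHO above).
    return path.replace("/", "\\").lower().startswith(TRUSTED_ROOTS)


def triage(lines, acknowledged=frozenset()):
    """Return (section, name, reason, path) tuples for entries worth a look."""
    findings = []
    for line in lines:
        line = line.strip()
        if m := O23_RE.match(line):
            section, name, path = "O23", m["short"], m["path"]
            if m["owner"] == "Unknown owner" and name not in acknowledged:
                findings.append((section, name, "unknown publisher", path))
        elif m := O4_RE.match(line):
            section, name, path = "O4", m["name"], image_path(m["cmd"])
        elif m := O2_RE.match(line):
            section, name, path = "O2", m["name"], m["path"]
        else:
            continue
        if not in_trusted_root(path) and name not in acknowledged:
            findings.append((section, name, "image outside trusted roots", path))
    return findings


# Sample input: lines from the posted log, plus one constructed O4 entry
# ("updater", pointing into a Temp directory) to exercise the path rule.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [NetLimiter] C:\Program Files\NetLimiter 3\NLClientApp.exe /tray
O4 - HKCU\..\Run: [updater] C:\Users\example\AppData\Local\Temp\update.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech Corp. - C:\Windows\system32\rserver30\RServer3.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(*finding, sep=" | ")
    print("after acknowledging OpenVPNService:")
    for finding in triage(SAMPLE_LOG.splitlines(), acknowledged={"OpenVPNService"}):
        print(*finding, sep=" | ")
```

The `acknowledged` set is the point of the exercise: "Unknown owner" only means the binary carries no publisher HijackThis recognises, so the operator's own knowledge (here, that OpenVPN and Radmin were installed on purpose) has to be fed back in rather than every unsigned service being treated as hostile.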

Juisterr

Legacy Member
Fine like this, you had a :puke: rootkit on your PC.

That seems to be gone now, and the problem should be solved.

No, a post in code tags reads (in my opinion) terribly.

This is better.

So that is not [ code ] but [ spoiler ]