Mivercon Security Forum

Full version: Not yet solved...
Tonight it happened yet again.....after working fine for about 4 days.
See http://support.bluemedicine.be/mybb/thread-7588.html

I was downloading a file of about 1 GB from my small digital keychain camera. It took a very long time...the system became very slow!

Task Manager showed many svchost.exe processes, about 8 of them.
NO-System processes -> normally 80-99%
Also ERRORS again in the system event viewer -> disk

Reset the PC, icons appeared slowly one after another (+/- 1 minute)
Suddenly (while nothing had been started yet) -> a "Delayed write" window! After that a similar notification in the systray as well.
Then about 5 more little Windows messages......PC FROZEN, only the mouse cursor still moved.

Well, you tell me.....I no longer understand what it could be!

Thanks in advance!
Make a new log with Gmer.
Have you tried a completely fresh installation yet?
Hello Marckie,

I have Windows 7 Ultimate on another disk and it works fine (but I only use it occasionally for an hour or so).
I also installed WinXP Pro SP3 on yet another disk the day before yesterday and no problems have occurred with it (yet) either.

Reinstalling the current disk would take me 2 to 3 days of work...
so I want to postpone that as long as possible.
Since I started the PC yesterday afternoon (just before 18:00) I have had no problems so far.

GMER finally made a complete log last night.
I did first delete 2 folders: C:\HTCHD2 (a great many small files with long paths) and everything in MY DOCUMENTS (500 GB), lots of photos and video.....

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-11 09:50:58
Windows 5.1.2600 Service Pack 3
Running: q6hik00u.exe; Driver: C:\Temp\uxlirpod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3B 0xD4 0xE3 0x1B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF5 0x8A 0x76 0xDF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4A 0x51 0x83 0x45 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x4E 0x64 0x8C 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0xCB 0x18 0x04 0xA7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x26 0x60 0xC7 0x9A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0xDA 0x06 0xA5 0x12 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA2 0xF0 0xD0 0xCD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3B 0xAA 0x7D 0xD6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAC 0xC8 0xDA 0x1D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xD3 0xAB 0x3D 0xD4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 2
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3B 0xD4 0xE3 0x1B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF5 0x8A 0x76 0xDF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4A 0x51 0x83 0x45 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x4E 0x64 0x8C 0xA9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0xCB 0x18 0x04 0xA7 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x26 0x60 0xC7 0x9A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0xDA 0x06 0xA5 0x12 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA2 0xF0 0xD0 0xCD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3B 0xAA 0x7D 0xD6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAC 0xC8 0xDA 0x1D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xD3 0xAB 0x3D 0xD4 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x6B 0x65 0x49 0x6A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0xAA 0x52 0xC6 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- EOF - GMER 1.0.15 ----

Also did a scan with ROOTREPEAL.

Small excerpt of the log with, in my opinion, a suspicious 36.tmp line in it (I included all the File Visible -No- lines):

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/03/11 12:56
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 000.fcl Image Path: C:\Program Files\CyberLink\PowerDVD9\000.fcl Address: 0xA3D76000 Size: 180224 File Visible: - Signed: - Status: -
Name: 1394BUS.SYS Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS Address: 0xBA0B8000 Size: 57344 File Visible: - Signed: - Status: -
Name: 36.tmp Image Path: C:\WINDOWS\system32\36.tmp Address: 0xBA606000 Size: 6144 File Visible: No Signed: - Status: -
Name: giveio.sys Image Path: giveio.sys Address: 0xBA672000 Size: 1664 File Visible: No Signed: - Status: -
Name: speedfan.sys Image Path: speedfan.sys Address: 0xBA5AE000 Size: 5248 File Visible: No Signed: - Status: -
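The hidden-driver reasoning in the post above, as an added example that is not part of the thread and not RootRepeal's own code: a small Python triage script that parses RootRepeal's one-line driver records and flags the entries a responder would verify first (file hidden from the file system, temporary-named driver in a system directory, image path without a directory). The sample input is the five driver lines quoted above; the severity levels and rule names are this example's own assumptions.

```python
"""Triage of RootRepeal 'Drivers' records (added example, not thread or tool code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the five driver lines quoted in the post above.
SAMPLE_LOG = r"""
Name: 000.fcl Image Path: C:\Program Files\CyberLink\PowerDVD9\000.fcl Address: 0xA3D76000 Size: 180224 File Visible: - Signed: - Status: -
Name: 1394BUS.SYS Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS Address: 0xBA0B8000 Size: 57344 File Visible: - Signed: - Status: -
Name: 36.tmp Image Path: C:\WINDOWS\system32\36.tmp Address: 0xBA606000 Size: 6144 File Visible: No Signed: - Status: -
Name: giveio.sys Image Path: giveio.sys Address: 0xBA672000 Size: 1664 File Visible: No Signed: - Status: -
Name: speedfan.sys Image Path: speedfan.sys Address: 0xBA5AE000 Size: 5248 File Visible: No Signed: - Status: -
"""

# One RootRepeal driver record per line; the image path may contain spaces,
# so it is matched lazily up to the literal " Address: " separator.
DRIVER_LINE = re.compile(
    r"^Name: (?P<name>.+?) Image Path: (?P<path>.+?) Address: (?P<addr>0x[0-9A-Fa-f]+) "
    r"Size: (?P<size>\d+) File Visible: (?P<visible>\S+) Signed: (?P<signed>\S+) "
    r"Status: (?P<status>\S+)\s*$"
)

# Directories where a driver named like a temp file is out of place.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\system\\")


@dataclass
class Driver:
    name: str
    path: str
    address: int
    size: int
    visible: str   # "-" means no finding; "No" means the file is hidden from the file system
    signed: str
    status: str


@dataclass
class Finding:
    name: str
    severity: str      # "high" or "medium" (thresholds are this example's own assumption)
    reasons: List[str]


def parse_driver_line(line: str) -> Optional[Driver]:
    """Parse one record; return None for headers, blank lines and anything else."""
    m = DRIVER_LINE.match(line)
    if not m:
        return None
    return Driver(m["name"], m["path"], int(m["addr"], 16), int(m["size"]),
                  m["visible"], m["signed"], m["status"])


def parse_drivers(text: str) -> List[Driver]:
    return [d for d in (parse_driver_line(line) for line in text.splitlines()) if d]


def assess(d: Driver) -> Optional[Finding]:
    """Apply the triage rules to one driver; None when nothing stands out."""
    reasons = []
    hidden = d.visible.lower() == "no"
    low = d.path.lower()
    if hidden:
        reasons.append("driver file is hidden from the file-system view")
    if low.endswith(".tmp") and any(s in low for s in SYSTEM_DIRS):
        reasons.append("temporary-named driver loaded from a system directory")
    if "\\" not in d.path:
        # RootRepeal printed only a bare file name: it could not resolve where the
        # image came from. Legitimate utilities do this too, so alone it means "verify".
        reasons.append("image path has no directory (origin unresolved)")
    if not reasons:
        return None
    severity = "high" if hidden and low.endswith(".tmp") else "medium"
    return Finding(d.name, severity, reasons)


def triage(text: str) -> List[Finding]:
    """Findings in log order; 'high' entries are the ones to look at first."""
    return [f for f in (assess(d) for d in parse_drivers(text)) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.name}: " + "; ".join(f.reasons))
```

A "medium" finding is a prompt to verify the file against its vendor, not a verdict; only the hidden temp-named driver in system32 is rated "high" here.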
Disable the CD emulators and then make a new scan with Gmer.
By the way, I thought you had disabled these? As I said earlier, that may be where the cause of the problem lies.
In any case I have not re-enabled them myself!
And by the way, I removed everything (partly by hand) that had anything to do with emulators....

Once more with defogger disabled:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 17:51 on 11/03/2010 (Gerrit)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
SPTD -> Already disabled


-=E.O.F=-


Will run GMER again shortly.....
Also worth mentioning:

Before the first GMER scan in this thread:

1. ComboFix uninstalled a week ago.
2. System Restore turned off.

This afternoon ran Prevx 3.0 (which showed no "infections"), because of the 36.tmp that RootRepeal showed (quickly googled it and ended up at Prevx).

Here is the GMER log just made (after GMER finished, another window appeared with the message Rootkit Activity):

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-11 19:26:25
Windows 5.1.2600 Service Pack 3
Running: q6hik00u.exe; Driver: C:\Temp\uxlirpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAssignProcessToJobObject [0xA4142464]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwCreateThread [0xA414249E]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteKey [0xA4142290]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteValueKey [0xA4142302]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenProcess [0xA41427B2]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenThread [0xA414268E]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwProtectVirtualMemory [0xA414252A]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetContextThread [0xA4142426]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetValueKey [0xA414238E]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateProcess [0xA41428E6]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateThread [0xA41425AE]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwWriteVirtualMemory [0xA41425E6]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp pxrts.sys (Prevx Realtime Security/Prevx)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp pxrts.sys (Prevx Realtime Security/Prevx)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp pxrts.sys (Prevx Realtime Security/Prevx)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\PxSecure.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1256] 0x00B90000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3B 0xD4 0xE3 0x1B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF5 0x8A 0x76 0xDF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4A 0x51 0x83 0x45 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x4E 0x64 0x8C 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0xCB 0x18 0x04 0xA7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x26 0x60 0xC7 0x9A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0xDA 0x06 0xA5 0x12 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA2 0xF0 0xD0 0xCD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3B 0xAA 0x7D 0xD6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAC 0xC8 0xDA 0x1D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xD3 0xAB 0x3D 0xD4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 2
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3B 0xD4 0xE3 0x1B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF5 0x8A 0x76 0xDF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4A 0x51 0x83 0x45 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x4E 0x64 0x8C 0xA9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0xCB 0x18 0x04 0xA7 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x26 0x60 0xC7 0x9A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0xDA 0x06 0xA5 0x12 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA2 0xF0 0xD0 0xCD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x3B 0xAA 0x7D 0xD6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAC 0xC8 0xDA 0x1D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xD3 0xAB 0x3D 0xD4 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x6B 0x65 0x49 0x6A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0xAA 0x52 0xC6 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- EOF - GMER 1.0.15 ----
Now make a new log with ComboFix and post it.
ComboFix came up with the message that the antivirus software had to be disabled, so I then did that for AVG's Resident Shield.
ComboFix reported that the antivirus was still not disabled....I
clicked OK, ComboFix wanted to make a backup but got stuck there -> reset the PC and then it went fine:

ComboFix 10-03-11.02 - Gerrit 11-03-2010 19:54:07.4.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.3327.2708 [GMT 1:00]
Gestart vanuit: c:\documents and settings\Gerrit\Bureaublad\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((( Bestanden Gemaakt van 2010-02-11 to 2010-03-11 ))))))))))))))))))))))))))))))
.

2010-03-11 18:59 . 2010-03-11 18:59 53248 ----a-w- c:\temp\catchme.dll
2010-03-11 18:54 . 2010-03-11 18:54 -------- d-----w- c:\temp\WPDNSE
2010-03-11 18:52 . 2010-03-11 18:52 -------- d-----w- c:\temp\MessengerCache
2010-03-11 16:17 . 2010-03-11 16:38 -------- d-----w- c:\documents and settings\Gerrit\DoctorWeb
2010-03-11 12:44 . 2010-03-11 12:44 50504 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-03-11 12:44 . 2010-03-11 12:44 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-03-11 11:38 . 2010-03-11 11:38 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-03-11 10:58 . 2010-03-11 10:58 -------- d-----w- c:\program files\Sophos
2010-03-07 21:06 . 2008-12-16 14:44 516480 ----a-w- c:\windows\system32\drivers\Ca1528av.sys
2010-03-07 21:06 . 2008-06-27 15:41 11648 ----a-w- c:\windows\system32\drivers\Bulk1528.sys
2010-03-07 21:06 . 2002-01-20 06:33 131072 ----a-w- c:\windows\system\SP5X_32.DLL
2010-03-07 21:06 . 2010-03-07 21:06 -------- d-----w- c:\program files\SPCA1528
2010-03-04 15:11 . 2010-03-04 15:11 -------- d-----w- c:\windows\system32\NtmsData
2010-03-04 13:53 . 2010-03-04 13:53 7358 ----a-r- c:\documents and settings\Gerrit\Application Data\Microsoft\Installer\{C4FCD87F-2C29-44BF-AAD5-FEA89622177D}\_7DCE978102B970AAAFC0F5.exe
2010-03-04 13:53 . 2010-03-04 13:53 7358 ----a-r- c:\documents and settings\Gerrit\Application Data\Microsoft\Installer\{C4FCD87F-2C29-44BF-AAD5-FEA89622177D}\_01D7CD3B9371AFBA25368A.exe
2010-03-04 13:53 . 2010-03-04 13:53 7358 ----a-r- c:\documents and settings\Gerrit\Application Data\Microsoft\Installer\{C4FCD87F-2C29-44BF-AAD5-FEA89622177D}\_6FEFF9B68218417F98F549.exe
2010-03-04 13:53 . 2010-03-04 13:53 7358 ----a-r- c:\documents and settings\Gerrit\Application Data\Microsoft\Installer\{C4FCD87F-2C29-44BF-AAD5-FEA89622177D}\_21F3885A18D238E15AAE81.exe
2010-03-04 13:53 . 2010-03-04 13:53 -------- d-----w- c:\program files\inteks
2010-03-02 22:21 . 2009-10-06 17:32 327168 ----a-w- c:\windows\system32\cutil32.dll
2010-03-02 22:21 . 2009-08-03 19:25 285696 ----a-w- c:\windows\system32\cudart.dll
2010-02-28 15:46 . 2010-03-02 22:21 -------- d-----w- c:\program files\CPUID
2010-02-28 15:46 . 2009-03-27 00:16 12672 ----a-w- c:\windows\system32\drivers\cpuz132_x32.sys
2010-02-28 12:18 . 2010-02-18 13:17 781824 ----a-w- c:\documents and settings\Gerrit\Application Data\Octoshape\Octoshape Streaming Services\pmv306a-1002180-0-libOctoshapeClient.dll
2010-02-28 12:18 . 2010-02-01 12:24 71960 ----a-w- c:\documents and settings\Gerrit\Application Data\Octoshape\Octoshape Streaming Services\sua-1002010-0-npoctoshape.dll
2010-02-28 12:18 . 2010-02-01 12:24 417280 ----a-w- c:\documents and settings\Gerrit\Application Data\Octoshape\Octoshape Streaming Services\sua-1002010-0-libOctoshapeClient.dll
2010-02-28 12:18 . 2010-02-01 12:24 124184 ----a-w- c:\documents and settings\Gerrit\Application Data\Octoshape\Octoshape Streaming Services\sua-1002010-0-apoctoshape.dll
2010-02-28 12:18 . 2010-02-28 16:13 71960 ----a-w- c:\documents and settings\Gerrit\Application Data\Mozilla\Plugins\npoctoshape.dll
2010-02-28 12:18 . 2010-02-28 12:18 -------- d-----w- c:\documents and settings\Gerrit\Application Data\Octoshape
2010-02-28 12:18 . 2009-01-08 13:44 70936 ----a-w- c:\documents and settings\Gerrit\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
2010-02-25 00:24 . 2010-02-25 00:24 -------- d-----w- c:\program files\UPC Fiber Power Optimizer
2010-02-25 00:23 . 2010-02-25 00:23 -------- d-----w- c:\documents and settings\Gerrit\Local Settings\Application Data\PackageAware
2010-02-23 23:16 . 2010-02-23 23:16 -------- d-----w- c:\program files\Common Files\Java
2010-02-23 23:16 . 2010-02-23 23:16 503808 ----a-w- c:\documents and settings\Gerrit\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e323826-n\msvcp71.dll
2010-02-23 23:16 . 2010-02-23 23:16 499712 ----a-w- c:\documents and settings\Gerrit\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e323826-n\jmc.dll
2010-02-23 23:16 . 2010-02-23 23:16 348160 ----a-w- c:\documents and settings\Gerrit\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e323826-n\msvcr71.dll
2010-02-23 23:16 . 2010-02-23 23:16 61440 ----a-w- c:\documents and settings\Gerrit\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3d945445-n\decora-sse.dll
2010-02-23 23:16 . 2010-02-23 23:16 12800 ----a-w- c:\documents and settings\Gerrit\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3d945445-n\decora-d3d.dll
2010-02-20 02:11 . 2010-02-03 03:19 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-02-18 12:15 . 2010-02-18 12:15 79488 ----a-w- c:\documents and settings\Gerrit\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-18 11:57 . 2010-02-18 11:57 -------- d-----w- c:\program files\QuickTime
2010-02-18 11:57 . 2010-02-18 11:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-18 11:56 . 2010-02-18 11:56 -------- d-----w- c:\program files\Common Files\Apple
2010-02-10 19:16 . 2010-02-10 19:16 -------- d-----w- c:\program files\FFmpeg for Audacity
2010-02-10 15:41 . 2010-02-11 15:23 -------- d-----w- c:\documents and settings\Gerrit\Application Data\Audacity
2010-02-10 15:41 . 2010-02-10 15:41 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-11 18:31 . 2009-07-28 18:01 -------- d-----w- c:\documents and settings\Gerrit\Application Data\HPAppData
2010-03-07 21:06 . 2008-09-03 22:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-05 23:41 . 2008-09-13 18:23 1882904 ----a-w- c:\windows\system32\AutoPartNt.exe
2010-03-02 23:04 . 2009-12-05 18:08 -------- d-----w- c:\program files\Driver Checker
2010-03-02 19:10 . 2008-09-13 09:15 -------- d-----w- c:\program files\Common Files\Acronis
2010-03-01 22:34 . 2009-03-25 16:43 -------- d-----w- c:\program files\AltBinz
2010-02-28 18:44 . 2008-11-17 23:35 -------- d-----w- c:\program files\MSI
2010-02-28 16:31 . 2008-09-05 21:18 -------- d-----w- c:\program files\SpeedFan
2010-02-26 21:18 . 2002-11-28 12:16 573882 ----a-w- c:\windows\system32\perfh013.dat
2010-02-26 21:18 . 2002-11-28 12:16 115044 ----a-w- c:\windows\system32\perfc013.dat
2010-02-23 23:16 . 2009-03-31 21:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-23 22:52 . 2008-09-09 17:06 -------- d-----w- c:\program files\Java
2010-02-20 02:11 . 2008-09-03 22:15 -------- d-----w- c:\program files\ATI Technologies
2010-02-18 12:15 . 2009-11-03 21:15 152576 ----a-w- c:\documents and settings\Gerrit\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-11 15:36 . 2009-05-17 11:29 -------- d-----w- c:\program files\DivX
2010-02-11 15:35 . 2009-05-17 11:29 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-02-11 11:34 . 2009-03-27 19:51 117760 ----a-w- c:\documents and settings\Gerrit\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-11 11:32 . 2010-02-01 20:22 52224 ----a-w- c:\documents and settings\Gerrit\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-10 15:37 . 2010-02-07 11:41 -------- d-----w- c:\program files\Audacity
2010-02-07 22:32 . 2010-02-07 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2010-02-07 21:16 . 2010-02-07 21:16 -------- d-----w- c:\program files\Lavalys
2010-02-07 11:51 . 2010-02-07 11:51 -------- d-----w- c:\program files\Lame for Audacity
2010-02-06 13:38 . 2008-09-07 10:41 -------- d-----w- c:\program files\Warsow
2010-02-05 23:33 . 2010-02-05 23:33 -------- d-----w- c:\documents and settings\Gerrit\Application Data\Warsow 0.5
2010-02-03 04:52 . 2007-07-22 02:02 4605952 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-02-03 04:12 . 2009-02-25 20:32 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-02-03 04:12 . 2009-02-25 20:32 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-02-03 04:10 . 2009-02-25 20:30 3633152 ----a-w- c:\windows\system32\aticaldd.dll
2010-02-03 04:07 . 2008-09-03 22:15 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-02-03 04:02 . 2007-07-22 01:20 14188544 ----a-w- c:\windows\system32\atioglxx.dll
2010-02-03 03:50 . 2007-07-22 01:44 3566048 ----a-w- c:\windows\system32\ati3duag.dll
2010-02-03 03:40 . 2008-09-03 22:15 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-02-03 03:39 . 2007-07-22 02:03 301568 ----a-w- c:\windows\system32\ati2dvag.dll
2010-02-03 03:35 . 2007-07-22 01:33 2176640 ----a-w- c:\windows\system32\ativvaxx.dll
2010-02-03 03:34 . 2008-09-03 22:15 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-02-03 03:34 . 2008-09-03 22:15 3 ----a-w- c:\windows\system32\ativva5x.dat
2010-02-03 03:32 . 2007-07-22 01:15 397312 ----a-w- c:\windows\system32\atiok3x2.dll
2010-02-03 03:23 . 2007-07-22 01:55 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-02-03 03:23 . 2007-07-22 01:55 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-02-03 03:23 . 2007-07-22 01:55 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-02-03 03:23 . 2007-07-22 01:55 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-02-03 03:22 . 2007-07-22 01:54 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-02-03 03:21 . 2007-07-22 01:53 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-02-03 03:19 . 2007-07-22 01:52 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-02-03 03:18 . 2009-03-16 19:40 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-02-03 03:18 . 2008-08-01 03:46 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-02-03 03:17 . 2007-07-22 01:17 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-02-03 03:15 . 2007-07-22 01:20 565248 ----a-w- c:\windows\system32\atikvmag.dll
2010-02-03 03:12 . 2008-08-01 03:40 180224 ----a-w- c:\windows\system32\atiadlxx.dll
2010-02-03 03:12 . 2007-07-22 01:18 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-02-03 03:06 . 2007-07-22 01:12 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2010-02-01 19:47 . 2008-09-28 19:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-01 19:35 . 2008-09-29 19:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-01 19:35 . 2008-09-29 19:09 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-31 22:36 . 2009-08-11 11:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2010-01-21 12:46 . 2008-09-05 20:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 16:14 . 2008-09-06 12:38 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-07 15:07 . 2008-09-29 19:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 15:07 . 2008-09-29 19:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 09:59 . 2008-06-23 16:43 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 09:59 . 2008-09-03 20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 09:59 . 2008-09-03 20:34 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-01 17:14 . 2008-09-11 16:46 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-31 16:50 . 2008-04-13 22:45 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-25 17:50 . 2009-03-25 22:30 358944 ----a-w- c:\windows\vncutil.exe
2009-12-25 17:50 . 2008-09-08 17:23 84512 ----a-w- c:\windows\SOUNDMAN.EXE
2009-12-25 17:50 . 2008-09-08 17:23 1833504 ----a-w- c:\windows\SkyTel.exe
2009-12-25 17:50 . 2008-09-08 17:23 1489440 ----a-w- c:\windows\RtlUpd.exe
2009-12-25 17:50 . 2008-09-08 17:23 9721888 ----a-w- c:\windows\RTLCPL.EXE
2009-12-25 17:50 . 2009-03-25 22:30 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2009-12-25 17:50 . 2009-03-25 22:30 129568 ----a-w- c:\windows\RtkAudioService.exe
2009-12-25 17:50 . 2008-09-08 17:23 18789408 ----a-w- c:\windows\RTHDCPL.EXE
2009-12-25 17:49 . 2008-09-08 17:23 2815520 ----a-w- c:\windows\ALCWZRD.EXE
2009-12-25 17:49 . 2008-09-08 17:23 2177568 ----a-w- c:\windows\MicCal.exe
2009-12-25 17:49 . 2008-09-08 17:23 64032 ----a-w- c:\windows\ALCMTR.EXE
2009-12-25 17:26 . 2008-09-08 17:23 6039584 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2009-12-17 07:42 . 2008-09-03 22:05 345600 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:10 . 2008-04-14 20:32 33280 ----a-w- c:\windows\system32\csrsrv.dll
2006-05-03 09:06 . 2009-09-04 22:06 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-09-04 22:06 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-09-04 22:06 216064 --sh--r- c:\windows\system32\nbDX.dll
.

------- Sigcheck -------

[-] 2008-09-03 . A914E641F0710DA6158F4BD9AE3EDF67 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"RTHDCPL"="RTHDCPL.EXE" [2009-12-25 18789408]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2010-01-05 124928]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Blue eye Calibration.lnk - c:\program files\LaCie blue eye Pro\Tools\CLCalibrationLoader.exe [2009-3-24 577536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 11:58 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-04 20:40 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 11:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^PhotoCAL Startup.lnk]
backup=c:\windows\pss\PhotoCAL Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^RICOH Gate La.lnk]
backup=c:\windows\pss\RICOH Gate La.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Spb Backup Sync.lnk]
backup=c:\windows\pss\Spb Backup Sync.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^STK02N 2.0 PNP Monitor.lnk]
backup=c:\windows\pss\STK02N 2.0 PNP Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Gerrit^Menu Start^Programma's^Opstarten^Logitech . Productregistratie.lnk]
backup=c:\windows\pss\Logitech . Productregistratie.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2009-06-10 01:57 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-10-30 15:41 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 14:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 00:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
2009-06-30 07:55 2329224 ----a-w- c:\program files\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2009-03-30 15:54 75048 ----a-w- c:\program files\CyberLink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 14:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 08:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-02-28 15:07 1828136 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-02-18 14:29 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-02-28 07:59 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
2009-01-08 13:44 70936 ----a-w- c:\documents and settings\Gerrit\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD9LanguageShortcut]
2008-10-13 18:41 50472 ------w- c:\program files\CyberLink\PowerDVD9\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 00:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl9]
2009-02-16 07:55 87336 ------w- c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-06-25 17:05 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 14:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2009-06-10 01:55 1326080 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TryAndDecideService"=2 (0x2)
"gupdate1c9bab1c9be453c"=2 (0x2)
"getPlus® Helper"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
"WZCSVC"=2 (0x2)
"SandraAgentSrv"=3 (0x3)
"PhenomMsrTweaker"=2 (0x2)
"ATI Smart"=2 (0x2)
"NMIndexingService"=3 (0x3)
"PLFlash DeviceIoControl Service"=2 (0x2)
"ACDaemon"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Infogrames\\Grand Prix 4\\GP4.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\PhoenixRC\\phoenixRC.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"c:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"c:\\Program Files\\Empire Interactive\\FlatOut Ultimate Carnage\\Fouc.exe"=
"c:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Caplio Software\\RGateLXP.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Program Files\\DreamCatcher\\Painkiller_full_installed1_6_4\\Bin\\Painkiller.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Gerrit\\Application Data\\Octoshape\\Octoshape Streaming Services\\OctoshapeClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 aar81xx;aar81xx;c:\windows\system32\drivers\aar81xx.sys [17-12-2009 17:40 320048]
R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [19-2-2009 14:22 91264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3-9-2008 21:02 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3-9-2008 21:02 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3-9-2008 10:37 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3-9-2008 10:37 55024]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/08/11 13:43];c:\program files\CyberLink\PowerDVD9\000.fcl [30-3-2009 16:53 87536]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [4-11-2009 21:40 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4-11-2009 21:40 285392]
R2 nxsIO32;NextSensor Kernel I/O Driver;c:\windows\system32\drivers\nxsIO32.sys [5-9-2008 22:14 2208]
R2 WinI2C-DDC;WinI2C-DDC Kernel Mode Driver;c:\progra~1\LACIEB~1\DDCDrv.sys [24-3-2009 23:14 7680]
R3 AmdTools;AMD Special Tools Driver;c:\windows\system32\drivers\AmdTools.sys [7-9-2008 12:17 34304]
S2 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist.exe [5-5-2009 4:45 124256]
S2 Ca1528av;SPCA1528 Video Camera Service;c:\windows\system32\drivers\Ca1528av.sys [7-3-2010 22:06 516480]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [22-10-2008 21:08 1691480]
S3 Bulk1528;SPCA1528 Still Camera Service;c:\windows\system32\drivers\Bulk1528.sys [7-3-2010 22:06 11648]
S3 DCamUSBSTK02N;Standard Camera;c:\windows\system32\drivers\STK02NW2.sys [29-7-2009 21:24 101520]
S3 i1display;i1 Display;c:\windows\system32\drivers\i1display.sys [24-3-2009 23:14 44344]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\36.tmp --> c:\windows\system32\36.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6-11-2007 21:22 34064]
S3 PD1030VID;Creative WebCam Pro;c:\windows\system32\drivers\p1030vid.sys [5-10-2009 18:50 167673]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3-9-2008 10:37 7408]
S4 gupdate1c9bab1c9be453c;Google Updateservice (gupdate1c9bab1c9be453c);c:\program files\Google\Update\GoogleUpdate.exe [11-4-2009 15:28 133104]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [11-7-2008 1:28 47128]
S4 PhenomMsrTweaker;PhenomMsrTweaker service;c:\program files\PhenomMsrTweaker\PhenomMsrTweakerService.exe [19-3-2009 2:15 19456]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [9-7-2008 23:19 242712]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11-9-2008 17:46 691696]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [11-7-2008 1:28 369688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Inhoud van de 'Gedeelde Taken' map

2009-05-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-05-25 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-11 14:28]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.nl/
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
Trusted Zone: lindinger.at\shop
Trusted Zone: readyheli.com\www
DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} - hxxp://www.partserver.de/partserver/viewer/cnsweb3d/cnsweb3d.cab
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://213-84-112-231.adsl.xs4all.nl/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Gerrit\Application Data\Mozilla\Firefox\Profiles\eitmj4k3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\Gerrit\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS VERWIJDERD - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-PWRISOVM - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-11 19:59
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\36.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]
"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(1376)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(1448)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(1928)
c:\windows\system32\msi.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Voltooingstijd: 2010-03-11 20:01:33
ComboFix-quarantined-files.txt 2010-03-11 19:01
ComboFix2.txt 2010-03-01 21:55

Pre-Run: 1.920.937.377.792 bytes beschikbaar
Post-Run: 1.920.983.396.352 bytes beschikbaar

- - End Of File - - 419521BEF6D500F52BF0DBC29230F8CE
Go to this website: http://www.virustotal.com/en/indexf.html
Have the following file scanned: c:\windows\system32\sfcfiles.dll
Post the result of the scan.
Antivirus Version Last updated Result
a-squared 4.5.0.50 2010.03.11 -
AhnLab-V3 5.0.0.2 2010.03.11 -
AntiVir 8.2.1.180 2010.03.11 -
Antiy-AVL 2.0.3.7 2010.03.11 -
Authentium 5.2.0.5 2010.03.11 -
Avast 4.8.1351.0 2010.03.10 -
Avast5 5.0.332.0 2010.03.10 -
AVG 9.0.0.787 2010.03.11 -
BitDefender 7.2 2010.03.11 -
CAT-QuickHeal 10.00 2010.03.11 -
ClamAV 0.96.0.0-git 2010.03.11 -
Comodo 4228 2010.03.11 -
DrWeb 5.0.1.12222 2010.03.11 -
eSafe 7.0.17.0 2010.03.11 -
eTrust-Vet 35.2.7354 2010.03.11 -
F-Prot 4.5.1.85 2010.03.11 -
F-Secure 9.0.15370.0 2010.03.11 -
Fortinet 4.0.14.0 2010.03.09 -
GData 19 2010.03.11 -
Ikarus T3.1.1.80.0 2010.03.11 -
Jiangmin 13.0.900 2010.03.11 -
K7AntiVirus 7.10.995 2010.03.11 -
Kaspersky 7.0.0.125 2010.03.11 -
McAfee 5917 2010.03.11 -
McAfee+Artemis 5917 2010.03.11 -
McAfee-GW-Edition 6.8.5 2010.03.11 -
Microsoft 1.5502 2010.03.11 -
NOD32 4937 2010.03.11 -
Norman 6.04.08 2010.03.11 -
nProtect 2009.1.8.0 2010.03.11 -
Panda 10.0.2.2 2010.03.11 -
PCTools 7.0.3.5 2010.03.11 -
Prevx 3.0 2010.03.11 -
Rising 22.38.03.04 2010.03.11 -
Sophos 4.51.0 2010.03.11 -
Sunbelt 5827 2010.03.11 -
Symantec 20091.2.0.41 2010.03.11 Suspicious.Insight
TheHacker 6.5.2.0.230 2010.03.11 -
TrendMicro 9.120.0.1004 2010.03.11 -
VBA32 3.12.12.2 2010.03.11 -
ViRobot 2010.3.11.2222 2010.03.11 -
VirusBuster 5.0.27.0 2010.03.11 -
Additional information
File size: 1571840 bytes
MD5...: a914e641f0710da6158f4bd9ae3edf67
SHA1..: 2d632d32508448aae433d2e88a0fa704b709678f
SHA256: 4774823a12b85112625365df8688a93830291b21b1c117a4f41ee3881967b942
ssdeep: 3072:OEe3ebH/3EIKFRCtMPVVXzLiK81oAS8F1NpQ8AKTNiSsM17u/mseuTO1bNrP:OyoyEVVX3qo8F1NpQ8/Nnz7u/mqyD

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x120d
timedatestamp.....: 0x48025238 (Sun Apr 13 18:34:32 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xcbf 0xe00 5.89 544695133840c2c6cb0878b41018220a
.data 0x2000 0x1744f8 0x174600 3.26 2540863e1a5701f4eb8ca52268538b7f
.rsrc 0x177000 0x408 0x600 2.49 d801e5df1215023e9c2b4a081bd7cb32
.reloc 0x178000 0x9cfc 0x9e00 5.77 37cae6f98ebf6f912273de9a40896669

( 1 imports )
> ntdll.dll: LdrDisableThreadCalloutsForDll, NtClose, NtQueryValueKey, NtOpenKey, RtlInitUnicodeString, RtlGetVersion, NtTerminateProcess, RtlUnhandledExceptionFilter, RtlUnwind, NtQueryVirtualMemory

( 1 exports )
SfcGetFiles

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows 2000 System File Checker
original name:
internal name:
file version.: 5.1.2600.5512 (xpsp.080413-2111)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
Only Symantec sees something suspicious in it.

How is the PC running now?
Since this thread, no trouble with freezes (except the one when I started combofix, but Windows had also just indicated that updates had been downloaded) or anything else.
I did remove the DVD-ROM from the SATA port.

Was there anything tricky (in combofix)?

What about that 36.tmp file? I don't see it on the HD.....

About half a year ago I replaced ATAPI.SYS once (no idea anymore where I got it from), because I suspected it was no longer right (BSOD with atapi.sys mentioned in the message).

Just had this one scanned too:

Antivirus Version Last updated Result
a-squared 4.5.0.50 2010.03.11 -
AhnLab-V3 5.0.0.2 2010.03.11 -
AntiVir 8.2.1.180 2010.03.11 -
Antiy-AVL 2.0.3.7 2010.03.11 -
Authentium 5.2.0.5 2010.03.11 -
Avast 4.8.1351.0 2010.03.11 -
Avast5 5.0.332.0 2010.03.10 -
BitDefender 7.2 2010.03.11 -
CAT-QuickHeal 10.00 2010.03.11 -
ClamAV 0.96.0.0-git 2010.03.11 -
Comodo 4229 2010.03.11 -
DrWeb 5.0.1.12222 2010.03.11 -
eSafe 7.0.17.0 2010.03.11 Win32.Rootkit
eTrust-Vet 35.2.7354 2010.03.11 -
F-Prot 4.5.1.85 2010.03.11 -
Fortinet 4.0.14.0 2010.03.09 -
GData 19 2010.03.11 -
Ikarus T3.1.1.80.0 2010.03.11 -
Jiangmin 13.0.900 2010.03.11 -
K7AntiVirus 7.10.995 2010.03.11 -
Kaspersky 7.0.0.125 2010.03.11 -
McAfee 5917 2010.03.11 -
McAfee+Artemis 5917 2010.03.11 -
McAfee-GW-Edition 6.8.5 2010.03.11 -
Microsoft 1.5502 2010.03.11 -
NOD32 4937 2010.03.11 -
Norman 6.04.08 2010.03.11 -
nProtect 2009.1.8.0 2010.03.11 -
Panda 10.0.2.2 2010.03.11 -
PCTools 7.0.3.5 2010.03.11 -
Rising 22.38.03.04 2010.03.11 -
Sophos 4.51.0 2010.03.11 -
Sunbelt 5827 2010.03.11 -
TheHacker 6.5.2.0.230 2010.03.11 -
TrendMicro 9.120.0.1004 2010.03.11 -
VBA32 3.12.12.2 2010.03.11 -
ViRobot 2010.3.11.2222 2010.03.11 -
VirusBuster 5.0.27.0 2010.03.11 -
Additional information
File size: 96512 bytes
MD5...: 9f3a2f5aa6875c72bf062c712cfa2674
SHA1..: a719156e8ad67456556a02c34e762944234e7a44
SHA256: b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9
ssdeep: 1536:MwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1KbDD0uu:MQ+N74vkEZIxMohjsimBoDTRMBwFktZu

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x159f7
timedatestamp.....: 0x4802539d (Sun Apr 13 18:40:29 2008)
machinetype.......: 0x14c (I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x97ba 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7
NONPAGE 0x9b80 0x18e8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29
.rdata 0xb480 0xa64 0xa80 4.31 8523651899e28819a14bf9415af25708
.data 0xbf00 0xd94 0xe00 0.45 3575b51634ae7a56f55f1ee0a6213834
PAGESCAN 0xcd00 0x157f 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9
PAGE 0xe280 0x61da 0x6200 6.46 40b83d4d552384e58a03517a98eb4863
INIT 0x14480 0x22be 0x2300 6.47 906462abc478368424ea462d5868d2e3
.rsrc 0x16780 0x3e0 0x400 3.36 8fd2d82e745b289c28bc056d3a0d62ab
.reloc 0x16b80 0xd20 0xd80 6.39 ce2b0898cc0e40b618e5df9099f6be45

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, KeCancelTimer, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, IoCreateDevice, RtlCopyUnicodeString, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, RtlDeleteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, PoCallDriver, memmove, MmHighestUserAddress
> HAL.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR
> WMILIB.SYS: WmiSystemControl, WmiCompleteRequest

( 0 exports )

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
packers (Kaspersky): PE_Patch
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: IDE/ATAPI Port Driver
original name: atapi.sys
internal name: atapi.sys
file version.: 5.1.2600.5512 (xpsp.080413-2108)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
UPDATE: was able to work fine today.

I connect the SATA disk that the photos etc. are on, to put them back onto the boot disk .....after about an hour nearly done (a few minutes to go).....I come back to check after 5 min. -> PC frozen, only a reset helped.

PC started up again, but only up to the Windows boot screen logo (the coloured flag), which was brightening but got stuck there.

Turned the PC off...waited 30 sec....and now everything works again.

COULD it have to do with there being paths longer than 260 characters among them?
It doesn't seem to me that this can be the cause of the freezes.
I am convinced that it has nothing to do with malware.
Did you read both replies, Marckie?

Hmm, what else could it be.... a new MOBO and a new HD don't help!
Memtest was OK.

Googled some more on the error message in the system event viewer:

Some said they were rid of the problems when they selected UDMA 5 (instead of 6) in the BIOS and/or disabled the S.M.A.R.T. option.

Now I have selected UDMA 5 in the BIOS, but HD Tune blithely reports UDMA 6 as being active.

[EDIT] changed values via regedit, and after a reboot HD Tune does show UDMA mode 5!

LET'S SEE whether it makes any difference......
You mean your reply regarding atapi.sys?
Yes, I had seen and read it, but I hadn't answered it.

There is an active infection that infects this file, but the various logs show no traces of this infection.
If this infection is or was active, a scan of that file on virustotal would also give the same result, since the infection will present a clean copy for scanning.
What eSafe finds is an FP.

As for sfcfiles.dll, only symantec finds something. I strongly suspect that this file is not infected.
You can optionally replace it with a clean copy from another XP PRO SP3 computer.
If that doesn't work, I can get you one.
But that won't solve your problem, I fear.
Thanks Marckie.

Anyone any idea how I can get the WD SATA hard disk Caviar Green 2TB to run in UDMA mode 5?

Setting it in the BIOS (UDMA mode 5) sometimes gives the desired effect, but it also comes back in UDMA mode 6 or even UDMA mode 2 etc. under WinXP Pro SP3.
Still runs perfectly so far (nice and fast at startup)

Copied SFCFILES.DLL from the new WinXP Pro SP3 disk and had it scanned -> only symantec again reports the same suspected infection.

I have the idea that it can now only go wrong when I perform a long-running disk operation.

Am using UDMA 6 again by now.......
The day before yesterday, trouble again......

Could it be that the South Bridge SB600 (MOBO K9A2 Platinum) is throwing a spanner in the works?
(MSI released another update at the end of November 2009)
Marckie!

On the MSI forum they say this is not right:

I had already asked you once whether you had read this about 36.tmp

=============
QUOTE from myself:
=============

Small excerpt from the log, with a line for 36.tmp in it that is suspicious in my opinion (I have included all File Visible -NO- lines):

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/03/11 12:56
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 000.fcl Image Path: C:\Program Files\CyberLink\PowerDVD9\000.fcl Address: 0xA3D76000 Size: 180224 File Visible: - Signed: - Status: -
Name: 1394BUS.SYS Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS Address: 0xBA0B8000 Size: 57344 File Visible: - Signed: - Status: -
Name: 36.tmp Image Path: C:\WINDOWS\system32\36.tmp Address: 0xBA606000 Size: 6144 File Visible: No Signed: - Status: -
Name: giveio.sys Image Path: giveio.sys Address: 0xBA672000 Size: 1664 File Visible: No Signed: - Status: -
Name: speedfan.sys Image Path: speedfan.sys Address: 0xBA5AE000 Size: 5248 File Visible: No Signed: - Status: -
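As an added example, not part of the thread or of RootRepeal itself, here is a small triage script for the "Drivers" listing RootRepeal prints above. It parses each fixed-label record and flags the combination the poster picked out for 36.tmp: a driver that is loaded in the kernel while its file cannot be seen on disk, with a temporary-file style name. "File Visible: No" on its own only means the scanner could not find the backing file while the driver was in memory, so the script reports the individual indicators per driver and leaves the ranking of the other hidden entries (giveio.sys and speedfan.sys in this excerpt) to the analyst. The sample lines are copied from the RootRepeal excerpt posted in the thread; the function names and the indicator list are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the five driver records from the RootRepeal excerpt quoted
# in the thread, copied as posted (constructed test input for this example).
SAMPLE_LOG = r"""
Drivers
-------------------
Name: 000.fcl Image Path: C:\Program Files\CyberLink\PowerDVD9\000.fcl Address: 0xA3D76000 Size: 180224 File Visible: - Signed: - Status: -
Name: 1394BUS.SYS Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS Address: 0xBA0B8000 Size: 57344 File Visible: - Signed: - Status: -
Name: 36.tmp Image Path: C:\WINDOWS\system32\36.tmp Address: 0xBA606000 Size: 6144 File Visible: No Signed: - Status: -
Name: giveio.sys Image Path: giveio.sys Address: 0xBA672000 Size: 1664 File Visible: No Signed: - Status: -
Name: speedfan.sys Image Path: speedfan.sys Address: 0xBA5AE000 Size: 5248 File Visible: No Signed: - Status: -
"""

# One RootRepeal driver record: the labels are fixed, but the values (notably
# the image path) may contain spaces, so each value is matched lazily up to
# the next label.
RECORD_RE = re.compile(
    r"^Name:\s+(?P<name>.+?)\s+Image Path:\s+(?P<path>.+?)\s+"
    r"Address:\s+(?P<addr>0x[0-9A-Fa-f]+)\s+Size:\s+(?P<size>\d+)\s+"
    r"File Visible:\s+(?P<visible>\S+)\s+Signed:\s+(?P<signed>\S+)\s+"
    r"Status:\s+(?P<status>\S+)\s*$"
)


@dataclass
class DriverRecord:
    name: str
    image_path: str
    address: int
    size: int
    file_visible: str  # "-" means nothing unusual; "No" means not found on disk
    signed: str
    status: str


def parse_drivers(text: str) -> List[DriverRecord]:
    """Return the driver records found in a RootRepeal 'Drivers' listing."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # headers, separators and unrelated lines are skipped
        records.append(DriverRecord(
            name=m["name"], image_path=m["path"], address=int(m["addr"], 16),
            size=int(m["size"]), file_visible=m["visible"],
            signed=m["signed"], status=m["status"]))
    return records


def indicators(rec: DriverRecord) -> List[str]:
    """Reasons a record deserves a closer look; an empty list means nothing odd."""
    reasons = []
    if rec.file_visible.lower() == "no":
        reasons.append("driver is loaded but its file is not visible on disk")
    if rec.name.lower().endswith(".tmp"):
        reasons.append("driver image uses a temporary-file name")
    if "\\" not in rec.image_path:
        reasons.append("image path is not absolute; origin of the image is unclear")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map every flagged driver name to the list of indicators raised for it."""
    flagged = {}
    for rec in parse_drivers(text):
        reasons = indicators(rec)
        if reasons:
            flagged[rec.name] = reasons
    return flagged


def high_priority(text: str) -> List[str]:
    """Drivers that are both hidden from the file system and named like a temp
    file: the combination the poster singled out for 36.tmp."""
    return [rec.name for rec in parse_drivers(text)
            if rec.file_visible.lower() == "no"
            and rec.name.lower().endswith(".tmp")]


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
    print("high priority:", high_priority(SAMPLE_LOG))
```

Run against the excerpt, the script flags the three hidden drivers with their reasons and ranks only 36.tmp as high priority, because it alone combines a hidden backing file with a .tmp name under system32. A next step an analyst would normally take is to cross-check such a name against the services ComboFix listed, where the thread's log shows an ImagePath of \??\c:\windows\system32\36.tmp for the MEMSWEEP2 service.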