rootkit.agent


rootkit.agent

Post by Venlo on Thu 07 Apr 2011, 6:05 am

Hi,

Recently I had the antimalware doctor virus on my pc (Windows XP sp 3). I thought I removed it successfully with malwarebytes, but every time I run malwarebytes it keeps finding rootkit.agent. Malwarebytes deletes it, but it keeps coming back. It is located in c:\WINDOWS\system32\Drivers\str.sys
Here's the log (I hope you can figure it out, because the log is in Dutch):

Malwarebytes' Anti-Malware 1.50.1.1100
[You must be registered and logged in to see this link.]

Database version: 6256

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

6-4-2011 19:39:20
mbam-log-2011-04-06 (19-39-20).txt

Scan type: Quick scan
Objects scanned: 213897
Time elapsed: 15 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Venlo
Newbie Surfer
Posts : 23
Joined : 2011-04-07
Operating System : Windows XP Service Pack 3

Re: rootkit.agent

Post by Belahzur on Thu 07 Apr 2011, 9:53 am

Hello.

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Manager | Tech Officer
Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: rootkit.agent

Post by Venlo on Fri 08 Apr 2011, 4:28 am

OTL logfile created on: 7-4-2011 19:15:08 - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Martijn van Vegchel\Mijn documenten\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000413 | Country: Nederland | Language: NLD | Date Format: d-M-yyyy

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 81,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 93,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298,08 Gb Total Space | 29,14 Gb Free Space | 9,78% Space Free | Partition Type: NTFS

Computer Name: MARTIJN | User Name: Martijn van Vegchel | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011-04-07 19:07:09 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Martijn van Vegchel\Mijn documenten\Downloads\OTL.exe
PRC - [2010-11-11 13:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2008-04-14 19:02:58 | 001,037,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011-04-07 19:07:09 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Martijn van Vegchel\Mijn documenten\Downloads\OTL.exe
MOD - [2010-08-23 18:13:25 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011-03-22 20:23:50 | 000,000,000 | ---- | M] () [Auto | Stopped] -- C:\Documents and Settings\Martijn van Vegchel\Local Settings\Temp\DAT3DF.tmp -- (wafdpwpatelvih)
SRV - [2010-11-11 13:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010-02-19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009-09-23 13:38:18 | 000,935,208 | ---- | M] (Nero AG) [Auto | Stopped] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2008-05-21 13:42:56 | 000,064,000 | ---- | M] (Creative Technology Ltd) [On_Demand | Stopped] -- C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe -- (CTUPnPSv)
SRV - [2007-04-02 08:15:40 | 000,061,440 | ---- | M] (Creative Technology Ltd) [Auto | Stopped] -- C:\Program Files\Creative\Shared Files\CTDevSrv.exe -- (CTDevice_Srv)


========== Driver Services (SafeList) ==========

DRV - [2009-08-05 23:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2008-10-29 05:10:58 | 003,341,824 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008-09-28 15:46:47 | 000,717,296 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008-07-07 09:40:49 | 000,056,108 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2007-08-28 10:55:10 | 004,609,024 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007-04-14 10:28:00 | 000,094,592 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2006-07-01 22:56:04 | 000,043,520 | ---- | M] (Advanced Micro Devices) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {47e161a0-f4ba-41dd-a17b-d2eb26ad6a02} - C:\Program Files\LimewirePlus\tbLime.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.venlonaren.nl/"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..keyword.URL: "http://search.avg.com/route/?d=4cc69566&v=6.010.006.004&i=23&tp=ab&iy=&ychte=nl&lng=nl&q="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010-12-14 23:26:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011-03-28 19:39:25 | 000,000,000 | ---D | M]

[2010-08-17 11:14:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Martijn van Vegchel\Application Data\Mozilla\Extensions
[2010-08-17 11:14:29 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Martijn van Vegchel\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2011-04-06 20:56:07 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Martijn van Vegchel\Application Data\Mozilla\Firefox\Profiles\57g4lc25.default\extensions
[2010-09-09 17:54:28 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Martijn van Vegchel\Application Data\Mozilla\Firefox\Profiles\57g4lc25.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011-04-06 20:56:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010-11-10 10:57:39 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2008-12-16 19:33:31 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010-09-15 05:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010-07-23 02:32:15 | 000,001,892 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bolcom-nl.xml
[2010-07-23 02:32:15 | 000,004,558 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\marktplaats-nl.xml
[2010-07-23 02:32:15 | 000,001,111 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\vandale-nl.xml
[2010-07-23 02:32:15 | 000,001,049 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-nl.xml
[2010-07-23 02:32:15 | 000,001,106 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-nl.xml

Hosts file not found
O2 - BHO: (LimewirePlus Toolbar) - {47e161a0-f4ba-41dd-a17b-d2eb26ad6a02} - C:\Program Files\LimewirePlus\tbLime.dll (Conduit Ltd.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (LimewirePlus Toolbar) - {47e161a0-f4ba-41dd-a17b-d2eb26ad6a02} - C:\Program Files\LimewirePlus\tbLime.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (LimewirePlus Toolbar) - {47E161A0-F4BA-41DD-A17B-D2EB26AD6A02} - C:\Program Files\LimewirePlus\tbLime.dll (Conduit Ltd.)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NBKeyScan] File not found
O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe (Electronic Arts)
O4 - HKCU..\Run: [RGSC] File not found
O4 - HKCU..\Run: [SoftAuto.exe] C:\Program Files\Creative\Software Update 3\SoftAuto.exe (Creative Technology Ltd)
O4 - HKCU..\Run: [Steam] File not found
O4 - Startup: C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\REALTEK RTL8185 Wireless LAN Utility.lnk = C:\Program Files\Realtek\RTL8185 Wireless LAN Utility\RtWLan.exe (Realtek Semiconductor Corp.)
O4 - Startup: C:\Documents and Settings\Martijn van Vegchel\Menu Start\Programma's\Opstarten\LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (Lime Wire, LLC)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: com.tw ([asia.msi] http in Trusted sites)
O15 - HKCU\..Trusted Domains: com.tw ([global.msi] http in Trusted sites)
O15 - HKCU\..Trusted Domains: com.tw ([[You must be registered and logged in to see this link.] http in Trusted sites)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} [You must be registered and logged in to see this link.] (MSN Games – Matchmaking)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} [You must be registered and logged in to see this link.] (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} [You must be registered and logged in to see this link.] (Windows Genuine Advantage Validation Tool)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} [You must be registered and logged in to see this link.] (System Requirements Lab Class)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} [You must be registered and logged in to see this link.] (Checkers Class)
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} [You must be registered and logged in to see this link.] (MSN Games – Buddy Invite)
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} [You must be registered and logged in to see this link.] (CTVUAxCtrl Object)
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} [You must be registered and logged in to see this link.] (MSN Games – Game Chat)
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} [You must be registered and logged in to see this link.] (WebSDev Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_22)
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} [You must be registered and logged in to see this link.] (MSN Games – Texas Holdem Poker)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} [You must be registered and logged in to see this link.] (MSN Games - Installer)
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} [You must be registered and logged in to see this link.] (Zylom Games Player)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} [You must be registered and logged in to see this link.] (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_22)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} [You must be registered and logged in to see this link.] (MSN Games – Game Communicator)
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} [You must be registered and logged in to see this link.] (Image Uploader Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 212.54.40.25 212.54.35.25
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\cryptnet32: DllName - cryptnet32.dll - File not found
O24 - Desktop Components:0 (Mijn huidige introductiepagina) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Martijn van Vegchel\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Martijn van Vegchel\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008-08-28 13:39:50 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{4d42fc7a-99ce-11dd-aeaa-0018e74ca16a}\Shell\AutoRun\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svsys.exe
O33 - MountPoints2\{4d42fc7a-99ce-11dd-aeaa-0018e74ca16a}\Shell\open\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svsys.exe
O33 - MountPoints2\{84db80f5-7503-11dd-98a3-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{84db80f5-7503-11dd-98a3-806d6172696f}\Shell\AutoRun\command - "" = D:\Setup.exe
O33 - MountPoints2\{c9c85dc5-adc3-11dd-aed5-0018e74ca16a}\Shell\AutoRun\command - "" = G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svsys.exe
O33 - MountPoints2\{c9c85dc5-adc3-11dd-aed5-0018e74ca16a}\Shell\open\command - "" = G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svsys.exe
O33 - MountPoints2\{e262ce48-ee33-11de-b191-0018e74ca16a}\Shell\AutoRun\command - "" = F:\__STICKYDRIVE\StickyDrive.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011-04-05 20:13:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011-04-03 17:49:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011-04-03 17:49:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011-04-03 17:18:12 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011-04-03 17:18:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Start\Programma's\Malwarebytes' Anti-Malware
[2011-04-03 17:18:09 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011-04-03 17:17:09 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011-04-03 17:12:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Martijn van Vegchel\Application Data\Malwarebytes
[2011-04-03 17:12:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011-03-31 19:15:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Martijn van Vegchel\Bureaublad\Te redden bestanden
[2011-03-30 19:27:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2011-03-28 22:24:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Martijn van Vegchel\Application Data\E2F33F3C66B80EE0F02FF4AA88BAD25B
[2011-03-10 21:26:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Martijn van Vegchel\Application Data\Gygan
[2011-03-10 21:26:37 | 000,000,000 | ---D | C] -- C:\Program Files\Xenocode
[2011-03-10 21:26:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Martijn van Vegchel\Local Settings\Application Data\Xenocode
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[38 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011-04-07 19:14:25 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011-04-07 19:09:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011-04-07 18:58:03 | 000,503,092 | ---- | M] () -- C:\WINDOWS\System32\perfh013.dat
[2011-04-07 18:58:03 | 000,436,466 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011-04-07 18:58:03 | 000,088,308 | ---- | M] () -- C:\WINDOWS\System32\perfc013.dat
[2011-04-07 18:58:03 | 000,069,362 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011-04-07 18:49:17 | 000,327,743 | ---- | M] () -- C:\WINDOWS\System32\drivers\str.sys
[2011-04-07 18:47:13 | 000,000,968 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011-04-07 18:47:04 | 000,001,064 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011-04-07 18:46:40 | 000,060,452 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
[2011-04-06 22:42:00 | 000,001,068 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011-04-06 18:57:50 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011-04-03 17:18:12 | 000,000,809 | ---- | M] () -- C:\Documents and Settings\Martijn van Vegchel\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011-04-03 17:18:12 | 000,000,791 | ---- | M] () -- C:\Documents and Settings\All Users\Bureaublad\Malwarebytes' Anti-Malware.lnk
[2011-04-03 17:02:45 | 000,026,624 | ---- | M] () -- C:\WINDOWS\System32\dll.dll
[2011-04-03 17:00:57 | 000,002,175 | ---- | M] () -- C:\WINDOWS\lsrslt.ini
[2011-04-03 16:59:29 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011-03-28 22:50:04 | 000,296,136 | ---- | M] () -- C:\WINDOWS\System32\shimg.dll
[2011-03-28 22:35:08 | 000,007,680 | ---- | M] () -- C:\Documents and Settings\Martijn van Vegchel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011-03-28 19:39:26 | 000,001,736 | ---- | M] () -- C:\Documents and Settings\All Users\Bureaublad\Adobe Reader 9.lnk
[2011-03-17 21:00:53 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011-03-10 12:03:39 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[38 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011-04-06 19:42:17 | 000,327,743 | ---- | C] () -- C:\WINDOWS\System32\drivers\str.sys
[2011-04-05 20:13:59 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011-04-03 17:18:12 | 000,000,809 | ---- | C] () -- C:\Documents and Settings\Martijn van Vegchel\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011-04-03 17:18:12 | 000,000,791 | ---- | C] () -- C:\Documents and Settings\All Users\Bureaublad\Malwarebytes' Anti-Malware.lnk
[2011-04-03 17:00:57 | 000,002,175 | ---- | C] () -- C:\WINDOWS\lsrslt.ini
[2011-04-03 16:59:23 | 000,026,624 | ---- | C] () -- C:\WINDOWS\System32\dll.dll
[2011-03-22 20:23:39 | 000,296,136 | ---- | C] () -- C:\WINDOWS\System32\shimg.dll
[2010-09-05 15:45:19 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\Martijn van Vegchel\Application Data\Adobe GIF Format CS5 Prefs
[2010-08-13 20:38:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010-07-16 18:17:15 | 000,108,032 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010-06-16 20:28:20 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\Martijn van Vegchel\Application Data\Adobe PNG Format CS5 Prefs
[2010-05-07 17:27:52 | 000,000,298 | ---- | C] () -- C:\WINDOWS\thug2.ini
[2010-04-02 17:17:34 | 000,179,091 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2009-12-07 21:25:58 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\SfClientDLL.dll
[2009-12-07 21:25:58 | 000,138,752 | ---- | C] () -- C:\WINDOWS\System32\Iordy.dll
[2009-12-07 21:24:46 | 000,306,688 | ---- | C] () -- C:\WINDOWS\System32\Lffpx7.dll
[2009-12-07 21:24:46 | 000,095,232 | ---- | C] () -- C:\WINDOWS\System32\Lfkodak.dll
[2009-11-01 20:42:19 | 000,000,776 | ---- | C] () -- C:\WINDOWS\THPS3.INI
[2009-10-17 21:30:33 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Martijn van Vegchel\Local Settings\Application Data\prvlcl.dat
[2009-06-08 17:50:29 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
[2008-12-18 00:30:06 | 000,815,104 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008-12-18 00:30:06 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008-11-30 17:21:55 | 000,000,790 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2008-11-30 15:17:37 | 000,000,632 | ---- | C] () -- C:\WINDOWS\CoD.INI
[2008-11-16 22:25:45 | 000,000,232 | ---- | C] () -- C:\WINDOWS\XIIIHooligans.ini
[2008-10-22 15:02:58 | 000,000,580 | ---- | C] () -- C:\WINDOWS\videoimp.ini
[2008-10-22 15:02:53 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2008-10-22 15:02:42 | 000,000,021 | ---- | C] () -- C:\WINDOWS\VI_setup.ini
[2008-10-22 15:01:15 | 000,000,021 | ---- | C] () -- C:\WINDOWS\PI_setup.ini
[2008-10-22 15:00:35 | 000,000,021 | ---- | C] () -- C:\WINDOWS\PB_setup.ini
[2008-10-22 14:59:58 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\infcpy.dll
[2008-08-28 17:27:06 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008-08-28 16:55:25 | 000,007,680 | ---- | C] () -- C:\Documents and Settings\Martijn van Vegchel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008-08-28 15:25:27 | 000,004,205 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008-08-28 15:22:53 | 003,569,696 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008-08-28 14:31:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ativpsrm.bin
[2008-08-28 14:27:12 | 000,593,920 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2008-08-28 14:17:31 | 000,159,873 | ---- | C] () -- C:\WINDOWS\Marsu-Fix Uninstaller.exe
[2008-08-28 14:11:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\lgfwup.ini
[2008-08-28 14:04:59 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2008-08-28 13:41:07 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008-08-28 13:38:03 | 000,021,748 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008-08-01 05:59:05 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2008-08-01 05:59:05 | 003,107,788 | ---- | C] () -- C:\WINDOWS\System32\ativva5x.dat
[2008-08-01 05:59:05 | 000,887,724 | ---- | C] () -- C:\WINDOWS\System32\ativva6x.dat
[2008-06-23 15:47:40 | 000,176,214 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2008-04-06 21:28:43 | 000,208,361 | ---- | C] () -- C:\WINDOWS\fix.exe
[2008-03-04 19:52:34 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\libcurl.dll
[2008-01-31 18:18:14 | 000,009,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\FlashSys.sys
[2007-10-31 10:39:54 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2007-08-21 23:51:16 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ATIODE.exe
[2007-08-21 21:36:12 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ATIODCLI.exe
[2007-05-17 14:58:10 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\libexpatw.dll
[2004-08-04 14:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004-08-04 14:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004-08-04 14:00:00 | 000,503,092 | ---- | C] () -- C:\WINDOWS\System32\perfh013.dat
[2004-08-04 14:00:00 | 000,436,466 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004-08-04 14:00:00 | 000,318,670 | ---- | C] () -- C:\WINDOWS\System32\perfi013.dat
[2004-08-04 14:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004-08-04 14:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004-08-04 14:00:00 | 000,088,308 | ---- | C] () -- C:\WINDOWS\System32\perfc013.dat
[2004-08-04 14:00:00 | 000,069,362 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004-08-04 14:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004-08-04 14:00:00 | 000,039,178 | ---- | C] () -- C:\WINDOWS\System32\perfd013.dat
[2004-08-04 14:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004-08-04 14:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004-08-04 14:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004-08-04 14:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004-08-04 14:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

< End of report >

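The OTL log in the post above carries the entries a removal helper picks out by eye: a service (wafdpwpatelvih) whose binary is a .tmp file under the user's Temp folder, a kernel driver (str.sys) created in system32\drivers with no company name, a Winlogon Notify entry (cryptnet32) whose DLL no longer exists, MountPoints2 autorun handlers pointing at RECYCLER\...\svsys.exe on removable drives, and NoDriveTypeAutoRun = 145, which still allows AutoRun on removable media. The script below is an added example for this thread, not OTL's own code and not a tool the forum helpers use; it applies those checks to lines copied verbatim from the posted log, plus a few benign lines from the same log so the rules can be seen not firing. The rule names, the Temp and RECYCLER heuristics and the drive-type bit table are this example's own choices; the company-name check is a triage hint, not proof, as sptd.sys (the SCSI pass-through driver shipped with disc-emulation tools) shows.

```python
"""Triage helper for OTL (OldTimer) log lines like the ones posted above.

Added example for this thread; it is not OTL's code. It flags the entry
types a malware-removal helper reads by eye and decodes NoDriveTypeAutoRun.
"""
import re

# Lines copied from the OTL.txt posted in this thread, mixed with benign
# entries from the same log (MsMpSvc, AmdK8, AtiExtEvent, D:\Setup.exe, mbam.sys).
SAMPLE_LOG = r"""
SRV - [2011-03-22 20:23:50 | 000,000,000 | ---- | M] () [Auto | Stopped] -- C:\Documents and Settings\Martijn van Vegchel\Local Settings\Temp\DAT3DF.tmp -- (wafdpwpatelvih)
SRV - [2010-11-11 13:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
DRV - [2008-09-28 15:46:47 | 000,717,296 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2006-07-01 22:56:04 | 000,043,520 | ---- | M] (Advanced Micro Devices) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\cryptnet32: DllName - cryptnet32.dll - File not found
O33 - MountPoints2\{4d42fc7a-99ce-11dd-aeaa-0018e74ca16a}\Shell\AutoRun\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svsys.exe
O33 - MountPoints2\{84db80f5-7503-11dd-98a3-806d6172696f}\Shell\AutoRun\command - "" = D:\Setup.exe
[2011-04-06 19:42:17 | 000,327,743 | ---- | C] () -- C:\WINDOWS\System32\drivers\str.sys
[2011-04-03 17:18:09 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
"""

# OTL's one-line formats: "SRV/DRV - [date | size | attrs | M] (Company) [state] -- path -- (name)"
SERVICE_RE = re.compile(
    r'^(?P<kind>SRV|DRV) - \[[^|]+\| (?P<size>[\d,]+) \|[^\]]*\] '
    r'\((?P<company>[^)]*)\) \[[^\]]*\] -- (?P<path>.+?) -- \((?P<name>[^)]*)\)'
)
# "[date | size | attrs | C-or-M] (Company) -- path" from the Files Created/Modified sections
FILE_RE = re.compile(
    r'^\[[^|]+\| (?P<size>[\d,]+) \|[^|]*\| (?P<tag>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$'
)
NOTIFY_RE = re.compile(r'^O20 - Winlogon\\Notify\\(?P<key>[^:]+): DllName - \S+ - (?P<path>.+)$')
MOUNT_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[^}]+)\}\\Shell\\[^\\]+\\command - "" = (?P<target>.+)$'
)
AUTORUN_RE = re.compile(r'NoDriveTypeAutoRun = (?P<value>\d+)$')

# Bit n of NoDriveTypeAutoRun disables AutoRun for GetDriveType() value n.
# 0x91 (145) is the XP default: unknown, remote and reserved disabled.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no-root-dir", 0x04: "removable", 0x08: "fixed",
    0x10: "remote", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved",
}
SYSTEM32 = "c:\\windows\\system32\\"


def autorun_allowed(value):
    """Drive types on which AutoRun is still permitted under this NoDriveTypeAutoRun value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]


def triage(log_text):
    """Return (rule, name, detail) tuples for the suspicious entries in an OTL log."""
    findings = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            path = m["path"].lower()
            if m["kind"] == "SRV" and ("\\temp\\" in path or path.endswith(".tmp")):
                findings.append(("service-from-temp", m["name"], m["path"]))
            elif m["kind"] == "DRV" and not m["company"].strip():
                # Hint only: legitimate drivers such as sptd.sys also lack a company name.
                findings.append(("driver-no-company", m["name"], m["path"]))
            continue
        m = FILE_RE.match(line)
        if m and m["tag"] == "C" and not m["company"].strip() \
                and m["path"].lower().startswith(SYSTEM32):
            findings.append(("new-system32-file-no-company", m["path"].rsplit("\\", 1)[-1], m["path"]))
            continue
        m = NOTIFY_RE.match(line)
        if m and m["path"] == "File not found":
            # A Notify package whose DLL is gone: leftover of a removed infection, still loads at logon.
            findings.append(("winlogon-notify-missing-dll", m["key"], line))
            continue
        m = MOUNT_RE.match(line)
        if m and re.search(r'(^|\\)recycler\\', m["target"], re.IGNORECASE):
            # Classic USB-worm autorun.inf handler: executable hidden in a fake RECYCLER folder.
            findings.append(("autorun-recycler", m["guid"], m["target"]))
            continue
        m = AUTORUN_RE.search(line)
        if m:
            allowed = autorun_allowed(int(m["value"]))
            if "removable" in allowed:
                findings.append(("autorun-removable-allowed", m["value"], ", ".join(allowed)))
    return findings


if __name__ == "__main__":
    for rule, name, detail in triage(SAMPLE_LOG):
        print(f"{rule:32} {name:40} {detail}")
```

Run against the sample it reports six findings and nothing for the benign lines; the MountPoints2 hit for D:\Setup.exe is left alone because a CD's own Setup.exe is the normal case, while a relative RECYCLER path is not. The companion Extras.txt checks (Shell Spawning, firewall exceptions) are not parsed here.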

Re: rootkit.agent

Post by Venlo on Fri 08 Apr 2011, 4:58 am

Strangely I can't post the 2nd log. I get an error saying there is something wrong with my internet connection, but the internet connection is ok.


Re: rootkit.agent

Post by Venlo on Fri 08 Apr 2011, 5:01 am

OTL Extras logfile created on: 7-4-2011 19:10:46 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Martijn van Vegchel\Mijn documenten\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000413 | Country: Nederland | Language: NLD | Date Format: d-M-yyyy

2,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 79,00% Memory free
4,00 Gb Paging File | 4,00 Gb Available in Paging File | 94,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298,08 Gb Total Space | 29,14 Gb Free Space | 9,78% Space Free | Partition Type: NTFS

Computer Name: MARTIJN | User Name: Martijn van Vegchel | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Bridge] -- C:\Program Files\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"39903:TCP" = 39903:TCP:*:Enabled:UTorrent

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" = C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe:*:Enabled:CyberLink PowerDVD -- (CyberLink Corp.)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Sports Interactive\Football Manager 2007\fm.exe" = C:\Program Files\Sports Interactive\Football Manager 2007\fm.exe:*:Enabled:Football Manager 2007
"C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe" = C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:*:Enabled:Football Manager 2008
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Sports Interactive\Football Manager 2009\fm.exe" = C:\Program Files\Sports Interactive\Football Manager 2009\fm.exe:*:Enabled:Football Manager 2009
"C:\Program Files\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe" = C:\Program Files\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe:*:Enabled:Grand Theft Auto IV -- (Sony DADC Austria AG)
"C:\Program Files\Rockstar Games\Grand Theft Auto IV\GTAIV.exe" = C:\Program Files\Rockstar Games\Grand Theft Auto IV\GTAIV.exe:*:Enabled:Grand Theft Auto IV -- (Take-Two Interactive Software, Inc.)
"C:\Program Files\LimeWire Plus\LimeWire.exe" = C:\Program Files\LimeWire Plus\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)
"C:\Program Files\Electronic Arts\EADM\Core.exe" = C:\Program Files\Electronic Arts\EADM\Core.exe:*:Disabled:EA Download Manager -- (Electronic Arts)
"C:\Program Files\SopCast\adv\SopAdver.exe" = C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver -- ([You must be registered and logged in to see this link.]
"C:\Program Files\SopCast\SopCast.exe" = C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application -- ([You must be registered and logged in to see this link.]
"C:\Program Files\Grand Theft Auto IV - Episodes From Liberty City\EFLC.exe" = C:\Program Files\Grand Theft Auto IV - Episodes From Liberty City\EFLC.exe:*:Enabled:Grand Theft Auto IV - Episodes From Liberty City -- (Take-Two Interactive Software, Inc.)
"C:\Program Files\Sports Interactive\Football Manager 2010\fm.exe" = C:\Program Files\Sports Interactive\Football Manager 2010\fm.exe:*:Enabled:Football Manager 2010 -- (Sports Interactive)
"C:\WINDOWS\system32\dplaysvr.exe" = C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"D:\CDS\Nero\Installation\SetupX.exe" = D:\CDS\Nero\Installation\SetupX.exe:*:Disabled:Nero ProductSetup
"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
"C:\Program Files\Google\Google Earth\plugin\geplugin.exe" = C:\Program Files\Google\Google Earth\plugin\geplugin.exe:*:Enabled:Google Earth -- (Google)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00E15D21-B68B-D7C4-574B-636E2D1ECEBE}" = Catalyst Control Center HydraVision Full
"{02EBDBB9-4600-41D3-B566-40CB861511D2}" = World of Warcraft FREE Trial
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{062135bc-4afd-4e93-a72c-b083649f7c7f}" = Nero 9
"{06E6E30D-B498-442F-A943-07DE41D7F785}" = Microsoft Search Enhancement Pack
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0B5154C0-8F00-4616-B0AB-6240AE80D9CE}" = SimCity™ Societies
"{0D2DBE8A-43D0-7830-7AE7-CA6C99A832E7}" = Adobe Community Help
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{1170F665-2359-E439-5BC5-932B87423EF1}" = ccc-utility
"{15FEDA5F-141C-4127-8D7E-B962D1742728}" = Adobe Photoshop CS5
"{1A2A15C2-6780-49c1-B296-503230E9DE00}" = De Sims™ 2 Villa en Tuin Accessoires
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live - Hulpprogramma voor uploaden
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 22
"{2869F5EA-93C3-48E5-80DF-DB696BC84A91}" = Windows Live Mail
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C9413-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35CA031C-D3CD-4A28-8D9B-C71466C4F045}" = Windows Live Writer
"{368BA326-73AD-4351-84ED-3C0A7A52CC53}" = Nero Rescue Agent
"{39D74E81-5DED-C7EE-8807-91A8800212FA}" = ccc-core-preinstall
"{3AB65E95-37D6-4DD7-8862-29AED3AFD54B}" = Google SketchUp Pro 8
"{41C01225-45FD-7BCE-1EDA-F7E50945ADD7}" = Catalyst Control Center Core Implementation
"{41DFDD57-21B7-4C48-8C75-FFB35696CA8B}" = Windows Live Toolbar
"{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
"{42C8B7DF-FEB0-4D51-B169-506B6BEC5797}" = Nero 10 Menu TemplatePack 1
"{43E39830-1826-415D-8BAE-86845787B54B}" = Nero Vision
"{43FBAB46-5969-4200-9958-1FF81FEE506F}" = Nero 10 Movie ThemePack 1
"{4442AB48-DEC4-4B39-B067-1F75BF8017E7}" = Creative Centrale
"{49FC50FC-F965-40D9-89B4-CBFF80941033}" = Windows Movie Maker 2.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5454083B-1308-4485-BF17-111000038701}" = Grand Theft Auto: Episodes from Liberty City
"{5454083B-1308-4485-BF17-1110000D8301}" = Grand Theft Auto IV
"{55A369BE-C40B-4699-99AD-0563A9D9C237}" = ArcSoft VideoImpression 1.6
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{579BA58C-F33D-4970-9953-B94B43768AC3}" = Grand Theft Auto IV
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{595A3116-40BB-4E0F-A2E8-D7951DA56270}" = NeroExpress
"{5C648FDB-0138-4619-B66E-230EF53E8E2C}" = De Sims™ 2 Tiener Accessoires
"{5E8E1294-7951-6DA9-10F1-C877871346F3}" = Skins
"{60451544-C17E-4057-9273-5F10176472BD}" = Creative ZEN X-Fi Video Converter
"{62AC81F6-BDD3-4110-9D36-3E9EAAB40999}" = Nero CoverDesigner
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6FEC9863-5EF2-4A07-9D0B-CA81B47E3F59}" = Windows Live Photo Gallery
"{70F19404-B96C-4EBB-AD2B-3574F8736197}" = Nero 10 Movie ThemePack 2
"{72DF62BD-FF36-424E-AA5F-D89BAFF2C249}" = RollerCoaster Tycoon 2
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{7748AC8C-18E3-43BB-959B-088FAEA16FB2}" = Nero StartSmart
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{797703D4-461B-4BC9-AACA-292917F3A47F}" = ArcSoft PhotoImpression
"{7C4C5B40-43E1-4890-AD50-E1E8F8446D5F}" = Microsoft Antimalware Service NL-NL Language Pack
"{7E1FBCB0-500C-4A0D-AC9C-B1B76E75666B}" = Windows Live aanmeldhulp
"{826F3B4F-C597-AF1D-4CB1-2F441BE8E2BF}" = ccc-core-static
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{859B9BCA-5376-4566-9F88-C6C9DAA7A925}" = Microsoft Security Client NL-NL Language Pack
"{86604C06-DA30-425E-AECE-47304FE81C45}" = Creative Software Update
"{87B20692-9E9D-FAE0-76C7-E75E3CC7B0D1}" = Catalyst Control Center Graphics Full Existing
"{87F6C83D-F949-4d14-B5CB-DC8C75F8932D}" = De Sims™ 2 Vrije Tijd
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
"{8ED35B48-AFBD-4F32-8271-2257AD8B907E}_is1" = Grand Theft Auto IV - Episodes From Liberty City
"{8FB1B528-E260-451E-9B55-E9152F94B80B}" = Microsoft Games for Windows - LIVE Redistributable
"{90120000-0010-0413-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (Dutch) 12
"{90120000-0015-0413-0000-0000000FF1CE}" = Microsoft Office Access MUI (Dutch) 2007
"{90120000-0015-0413-0000-0000000FF1CE}_ENTERPRISE_{DC387AA5-94A6-4920-B004-D59846526D81}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0413-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Dutch) 2007
"{90120000-0016-0413-0000-0000000FF1CE}_ENTERPRISE_{DC387AA5-94A6-4920-B004-D59846526D81}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0413-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Dutch) 2007
"{90120000-0018-0413-0000-0000000FF1CE}_ENTERPRISE_{DC387AA5-94A6-4920-B004-D59846526D81}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0413-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Dutch) 2007
"{90120000-0019-0413-0000-0000000FF1CE}_ENTERPRISE_{DC387AA5-94A6-4920-B004-D59846526D81}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0413-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Dutch) 2007
"{90120000-001A-0413-0000-0000000FF1CE}_ENTERPRISE_{DC387AA5-94A6-4920-B004-D59846526D81}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0413-0000-0000000FF1CE}" = Microsoft Office Word MUI (Dutch) 2007
"{90120000-001B-0413-0000-0000000FF1CE}_ENTERPRISE_{DC387AA5-94A6-4920-B004-D59846526D81}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISE_{A0516415-ED61-419A-981D-93596DA74165}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0413-0000-0000000FF1CE}" = Microsoft Office Proof (Dutch) 2007
"{90120000-001F-0413-0000-0000000FF1CE}_ENTERPRISE_{D66D5A44-E480-4BA4-B4F2-C554F6B30EBB}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0413-0000-0000000FF1CE}" = Microsoft Office Proofing (Dutch) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0413-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Dutch) 2007
"{90120000-0044-0413-0000-0000000FF1CE}_ENTERPRISE_{DC387AA5-94A6-4920-B004-D59846526D81}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0413-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Dutch) 2007
"{90120000-006E-0413-0000-0000000FF1CE}_ENTERPRISE_{89C8E56A-90D8-4598-B0E6-EB28F6270E07}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0413-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Dutch) 2007
"{90120000-00A1-0413-0000-0000000FF1CE}_ENTERPRISE_{DC387AA5-94A6-4920-B004-D59846526D81}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0413-0000-0000000FF1CE}" = Microsoft Office Groove MUI (Dutch) 2007
"{90120000-00BA-0413-0000-0000000FF1CE}_ENTERPRISE_{DC387AA5-94A6-4920-B004-D59846526D81}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{92146419-AE44-4C8B-A48B-0ABB1B5EC026}" = Nero 10 Menu TemplatePack 3
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96ED4B78-300E-4033-AE6C-C115CEB4DF07}" = Nero 10 ClipartPack
"{98736A65-3C79-49EC-B7E9-A3C77774B0E6}" = Google SketchUp 6
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C244239-ED8E-40f1-937F-51C706CD2160}" = De Sims™ 2 Deluxe
"{9CDBC303-3EED-40b0-8E41-A7C65AA96C26}" = De Sims 2 Glamour - Accessoires
"{A1C962E2-2426-49C6-A38B-9A07E40D607C}" = Microsoft Games for Windows - LIVE
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A209525B-3377-43F4-B886-32F6B6E7356F}" = Nero WaveEditor
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5460871-42FF-45CD-A634-01C755E9CEA1}" = ArcSoft PhotoBase 3
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{A7A34FC9-DF24-4A36-00AD-D4EFE94CC116}" = SimCity 4 Deluxe
"{A804B134-F03D-4EFD-9BC0-DCD257AA1B22}" = Hitman Blood Money
"{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}" = ImagXpress
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1043-7B44-A94000000001}" = Adobe Reader 9.4.3 - Nederlands
"{AFEA06C9-0FA4-410A-8CCD-9846682845DD}" = TRUST 750 LCD POWERC@M ZOOM
"{B1AD83A0-DC92-41E3-B111-E9472349768C}" = RollerCoaster Tycoon 2: Wacky Worlds
"{B1ADF008-E898-4FE2-8A1F-690D9A06ACAF}" = DolbyFiles
"{B2EC4A38-B545-4A00-8214-13FE0E915E6D}" = Advertising Center
"{B3C7CA81-27EB-11D4-A59C-00E02C071F5C}" = Adobe ActiveShare 1.5
"{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}" = Google SketchUp 6
"{B78120A0-CF84-4366-A393-4D0A59BC546C}" = Menu Templates - Starter Kit
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B89933C8-E38D-44BE-B3DB-96657D11338F}" = Hooligans - Storm over Europe
"{BA1E1AFD-D1F2-4C52-88C3-186FC5E61604}" = RollerCoaster Tycoon 2
"{BA26FFA5-6D47-47DB-BE56-34C357B5F8CC}" = De Sims™ 3 Wereldavonturen
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD5CA0DA-71AD-43DA-B19E-6EEE0C9ADC9A}" = Nero ControlCenter
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = De Sims™ 3
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C151CE54-E7EA-4804-854B-F515368B0798}" = AMD Processor Driver
"{C20C2630-B3A7-44BA-BDD0-31E256AE490E}" = Windows Live Call
"{C29769BE-BEDF-DC9E-67A9-5E7AEFF039CF}" = CCC Help English
"{C5A7CB6C-E76D-408F-BA0E-85605420FE9D}" = SoundTrax
"{C740289B-FC90-D938-8317-1FFEBF7C04DB}" = Catalyst Control Center Graphics Previews Common
"{CAEB2BE8-EF9E-4BFE-8165-3B54B62AF6CF}" = Windows Live Family Safety
"{CC38A00D-7EED-46CE-9281-D1D97B81F22A}" = Windows Live Messenger
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D025A639-B9C9-417D-8531-208859000AF8}" = NeroBurningROM
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{D417C96A-FCC7-4590-A1BB-FAF73F5BC98E}" = GTA San Andreas
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DFEF49D9-FC95-4301-99B9-2FB91C6ABA06}" = De Sims™ 2 Seizoenen
"{E0F07676-2C60-4465-A727-20DE3BFCABAC}" = Tony Hawks Pro Skater 4
"{E34F703A-1C9D-4B1F-ABBE-D7E8800B860D}" = Windows Live Sync
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E498385E-1C51-459A-B45F-1721E37AA1A0}" = Movie Templates - Starter Kit
"{E712C273-7564-4C8E-AA59-0FA19BC35117}" = Nero 10 Menu TemplatePack 2
"{E8A80433-302B-4FF1-815D-FCC8EAC482FF}" = Nero Installer
"{EB5A3E9D-91CF-4C97-B816-72DE0625ACA3}" = Windows Live Essentials
"{EBBB1DEF-8878-4CB8-BC0D-1196B30E7527}" = 1503 A.D.
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{EF1394D4-9FB6-4F1F-9A09-20FF3033AE14}" = Tony Hawk's Underground 2
"{EF72E0A5-57E8-471F-837E-82BB19771363}" = REALTEK RTL8185 Wireless LAN Driver and Utility
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F248ADFA-64E0-4b03-8A83-059078BED6A0}" = De Sims™ 2 Op Reis
"{F30A8BF7-288C-57C0-357E-6D67BB694682}" = Catalyst Control Center Graphics Full New
"{F54543CF-EC73-D847-1780-84A6420EA229}" = Catalyst Control Center Graphics Light
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"All ATI Software" = ATI - Software Uninstall Utility
"ANNO 1602 - Gold Edition" = ANNO 1602 - Gold Edition
"ATI Display Driver" = ATI Display Driver
"AudibleManager" = AudibleManager
"AVI ReComp" = AVI ReComp 1.4.5
"Avisynth" = AviSynth 2.5
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"Creative Centrale" = Creative Centrale
"Creative ZEN X-Fi Video Converter" = Creative ZEN X-Fi Video Converter
"DIVXCodec" = DivX Codec 3.1alpha release
"DVD Flick_is1" = DVD Flick 1.3.0.7
"EADM" = EA Download Manager
"EAX Unified" = EAX Unified
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ffdshow_is1" = ffdshow v1.1.3507 [2010-07-07]
"Football Manager 2009" = Football Manager 2009
"Football Manager 2010" = Football Manager 2010
"GameSpy Arcade" = GameSpy Arcade
"Google Updater" = Google Updater
"HP PrecisionScan LTX" = HP PrecisionScan LTX
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{EF1394D4-9FB6-4F1F-9A09-20FF3033AE14}" = Tony Hawk's Underground 2
"LEGO LOCO" = LEGO LOCO
"LimeWire" = LimeWire 5.5.13
"LimewirePlus Toolbar" = LimewirePlus Toolbar
"Liveupdate4_is1" = Liveupdate4
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Marsu-Fix" = Marsu-Fix
"Messenger Plus! Live" = Messenger Plus! Live
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"MP3 Splitter & Joiner Pro_is1" = MP3 Splitter & Joiner Pro 3.48
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NeroVision!UninstallKey" = Nero Digital
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PowerISO" = PowerISO
"SopCast" = SopCast 2.0.4
"SystemRequirementsLab" = System Requirements Lab
"Tony Hawk's Pro Skater 3®" = Tony Hawk's Pro Skater 3®
"uTorrent" = µTorrent
"WAVSPLIT210_is1" = Wave Splitter 2.10
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Xvid_is1" = Xvid 1.2.1
"ZENX-FI" = Creative ZEN X-Fi-Gebruikershandleiding
"Zylom Games Player Plugin" = Zylom Games Player Plugin


Re: rootkit.agent

Post by Venlo on Fri 08 Apr 2011, 5:32 am

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent


Re: rootkit.agent

Post by Venlo on Fri 08 Apr 2011, 5:37 am

[ System Events ]
Error - 6-4-2011 13:17:21 | Computer Name = MARTIJN | Source = Disk | ID = 262151
Description = Beschadigd blok in apparaat \Device\Harddisk0\D.

Error - 6-4-2011 13:17:39 | Computer Name = MARTIJN | Source = DCOM | ID = 10005
Description = DCOM kreeg foutmelding '%1084' bij het starten van de EventSystem-service
met de argumenten '' om de server {1BE1F766-5536-11D1-B726-00C04FB926AF} te starten

Error - 6-4-2011 13:18:31 | Computer Name = MARTIJN | Source = Service Control Manager | ID = 7026
Description = De volgende opstartstuurprogramma's zijn niet geladen: AmdK8 Fips MpFilter
SCDEmu

Error - 6-4-2011 13:39:44 | Computer Name = MARTIJN | Source = DCOM | ID = 10005
Description = DCOM kreeg foutmelding '%1084' bij het starten van de EventSystem-service
met de argumenten '' om de server {1BE1F766-5536-11D1-B726-00C04FB926AF} te starten

Error - 6-4-2011 13:42:11 | Computer Name = MARTIJN | Source = Service Control Manager | ID = 7009
Description = Time-out (30000 seconden) tijdens het wachten op het verbinden van
deze service: wafdpwpatelvih.

Error - 7-4-2011 12:47:55 | Computer Name = MARTIJN | Source = Service Control Manager | ID = 7009
Description = Time-out (30000 seconden) tijdens het wachten op het verbinden van
deze service: wafdpwpatelvih.

Error - 7-4-2011 12:58:03 | Computer Name = MARTIJN | Source = Microsoft Antimalware | ID = 2001
Description = %%860 heeft een fout aangetroffen bij het bijwerken van handtekeningen. Nieuwe
handtekeningversie: Vorige handtekeningversie: 1.101.867.0 Updatebron: %%859 Updatefase:
%%852 Bronpad: [You must be registered and logged in to see this link.] Handtekeningtype: %%800 Updatetype: %%803 Gebruiker:
NT AUTHORITY\SYSTEM Huidige engineversie: Vorige engineversie: 1.1.6702.0 Foutcode:
0x80072efe Foutbeschrijving: The connection with the server was terminated abnormally

Error - 7-4-2011 13:09:26 | Computer Name = MARTIJN | Source = Disk | ID = 262151
Description = Beschadigd blok in apparaat \Device\Harddisk0\D.

Error - 7-4-2011 13:09:43 | Computer Name = MARTIJN | Source = DCOM | ID = 10005
Description = DCOM kreeg foutmelding '%1084' bij het starten van de EventSystem-service
met de argumenten '' om de server {1BE1F766-5536-11D1-B726-00C04FB926AF} te starten

Error - 7-4-2011 13:10:37 | Computer Name = MARTIJN | Source = Service Control Manager | ID = 7026
Description = De volgende opstartstuurprogramma's zijn niet geladen: AmdK8 Fips MpFilter
SCDEmu


< End of report >


Re: rootkit.agent

Post by Venlo on Fri 08 Apr 2011, 5:37 am


[ OSession Events ]
Error - 23-6-2009 10:09:22 | Computer Name = MARTIJN | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 7
seconds with 0 seconds of active time. This session ended with a crash.

Error - 6-11-2009 15:35:11 | Computer Name = MARTIJN | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 77
seconds with 60 seconds of active time. This session ended with a crash.

Error - 19-11-2009 14:31:20 | Computer Name = MARTIJN | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 6
seconds with 0 seconds of active time. This session ended with a crash.

Error - 14-12-2009 15:15:17 | Computer Name = MARTIJN | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 14
seconds with 0 seconds of active time. This session ended with a crash.

Error - 29-4-2010 14:56:51 | Computer Name = MARTIJN | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 22
seconds with 0 seconds of active time. This session ended with a crash.

Error - 11-8-2010 8:49:55 | Computer Name = MARTIJN | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6535.5005, Microsoft Office Version: 12.0.6425.1000. This session lasted 13
seconds with 0 seconds of active time. This session ended with a crash.

Error - 12-10-2010 11:12:52 | Computer Name = MARTIJN | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 95
seconds with 60 seconds of active time. This session ended with a crash.

Error - 4-12-2010 18:22:32 | Computer Name = MARTIJN | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2
seconds with 0 seconds of active time. This session ended with a crash.

Error - 20-12-2010 14:03:51 | Computer Name = MARTIJN | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 26
seconds with 0 seconds of active time. This session ended with a crash.

Error - 29-1-2011 16:38:39 | Computer Name = MARTIJN | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6550.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 21
seconds with 0 seconds of active time. This session ended with a crash.


Re: rootkit.agent

Post by Venlo on Fri 08 Apr 2011, 5:44 am



Re: rootkit.agent

Post by Venlo on Fri 08 Apr 2011, 5:49 am

OK, I uploaded the 2nd log. I'm sorry for all the confusion, but this was the only way. The right order for the 2nd log is: post 5-6-9-8-7.
Some parts are in Dutch; feel free to ask me for a translation if you have any problems with it.


Re: rootkit.agent

Post by Belahzur on Fri 08 Apr 2011, 12:22 pm

Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O33 - MountPoints2\{4d42fc7a-99ce-11dd-aeaa-0018e74ca16a}\Shell\AutoRun\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svsys.exe
    O33 - MountPoints2\{4d42fc7a-99ce-11dd-aeaa-0018e74ca16a}\Shell\open\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svsys.exe
    O33 - MountPoints2\{84db80f5-7503-11dd-98a3-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{84db80f5-7503-11dd-98a3-806d6172696f}\Shell\AutoRun\command - "" = D:\Setup.exe
    O33 - MountPoints2\{c9c85dc5-adc3-11dd-aed5-0018e74ca16a}\Shell\AutoRun\command - "" = G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svsys.exe
    O33 - MountPoints2\{c9c85dc5-adc3-11dd-aed5-0018e74ca16a}\Shell\open\command - "" = G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svsys.exe
    O33 - MountPoints2\{e262ce48-ee33-11de-b191-0018e74ca16a}\Shell\AutoRun\command - "" = F:\__STICKYDRIVE\StickyDrive.exe
    [2011-04-06 19:42:17 | 000,327,743 | ---- | C] () -- C:\WINDOWS\System32\drivers\str.sys


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTL.exe.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


@RealBelahzur - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre
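
The O33 entries in the fix above are the per-volume AutoRun/open handlers Windows keeps under MountPoints2, which is how opening an infected USB stick runs svsys.exe from its RECYCLER folder. As an added example (not from the thread or from OTL), the Python below parses such lines in the form OTL prints them and flags commands that point into a RECYCLER\<SID> folder or at a drive-root executable; the sample lines are constructed from the ones quoted in the post, and the severity labels are this example's own convention.

```python
"""Triage helper for OTL 'O33 - MountPoints2' lines (added example).

Not part of the thread or of OTL. It parses O33 lines as OTL prints them
and flags the autorun commands a defender would look at first: executables
launched from a RECYCLER\\<SID> folder or from a drive root. The severity
labels (low/medium/high) are this example's own convention.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# OTL prints: O33 - MountPoints2\{GUID}\<subkey> - "" = <value>
O33_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[0-9A-Fa-f-]+\})\\(?P<subkey>.+?) - "" = (?P<value>.*)$'
)
# svsys.exe-style droppers hide in RECYCLER\S-1-5-... on the infected volume.
RECYCLER_SID_RE = re.compile(r"(?:^|\\)RECYCLER\\S-1-5-\d+(?:-\d+)+\\", re.IGNORECASE)
# An .exe directly in a drive root (D:\Setup.exe) is the classic installer autorun.
DRIVE_ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)
# Drive-letter or UNC prefix; anything else is resolved relative to the volume.
ABSOLUTE_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")

# Constructed sample built from the O33 lines quoted in the fix script above.
SAMPLE_O33_LINES = r'''
O33 - MountPoints2\{4d42fc7a-99ce-11dd-aeaa-0018e74ca16a}\Shell\AutoRun\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svsys.exe
O33 - MountPoints2\{4d42fc7a-99ce-11dd-aeaa-0018e74ca16a}\Shell\open\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svsys.exe
O33 - MountPoints2\{84db80f5-7503-11dd-98a3-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{84db80f5-7503-11dd-98a3-806d6172696f}\Shell\AutoRun\command - "" = D:\Setup.exe
O33 - MountPoints2\{c9c85dc5-adc3-11dd-aed5-0018e74ca16a}\Shell\AutoRun\command - "" = G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svsys.exe
O33 - MountPoints2\{c9c85dc5-adc3-11dd-aed5-0018e74ca16a}\Shell\open\command - "" = G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svsys.exe
O33 - MountPoints2\{e262ce48-ee33-11de-b191-0018e74ca16a}\Shell\AutoRun\command - "" = F:\__STICKYDRIVE\StickyDrive.exe
'''


@dataclass
class MountPointEntry:
    guid: str
    subkey: str                 # e.g. Shell\AutoRun\command, or just Shell
    value: str                  # command line, or the default verb for Shell
    reasons: List[str] = field(default_factory=list)

    @property
    def is_command(self) -> bool:
        return self.subkey.lower().endswith("\\command")

    @property
    def severity(self) -> str:
        if "recycler_sid_path" in self.reasons:
            return "high"
        return "medium" if self.reasons else "low"


def parse_o33_line(line: str) -> Optional[MountPointEntry]:
    """Return an entry for an O33 line, or None for any other OTL line."""
    m = O33_RE.match(line.strip())
    if not m:
        return None
    return MountPointEntry(m["guid"], m["subkey"], m["value"].strip())


def assess(entry: MountPointEntry) -> MountPointEntry:
    """Attach the reasons a defender would flag this entry (none = nothing notable)."""
    if entry.subkey.lower() == "shell" and entry.value.lower() == "autorun":
        # Default verb forced to AutoRun: double-clicking the drive runs the command.
        entry.reasons.append("default_verb_autorun")
    if entry.is_command:
        if RECYCLER_SID_RE.search(entry.value):
            entry.reasons.append("recycler_sid_path")
        if not ABSOLUTE_RE.match(entry.value):
            entry.reasons.append("relative_path")
        if DRIVE_ROOT_EXE_RE.match(entry.value):
            entry.reasons.append("drive_root_exe")
    return entry


def triage(log_text: str) -> Dict[str, List[MountPointEntry]]:
    """Group every O33 entry in an OTL log by volume GUID, reasons attached."""
    by_guid: Dict[str, List[MountPointEntry]] = {}
    for line in log_text.splitlines():
        entry = parse_o33_line(line)
        if entry is not None:
            by_guid.setdefault(entry.guid, []).append(assess(entry))
    return by_guid


def worst_severity(entries: List[MountPointEntry]) -> str:
    """Highest severity among a volume's entries ('low' when none are flagged)."""
    rank = {"low": 0, "medium": 1, "high": 2}
    return max((e.severity for e in entries), key=rank.__getitem__, default="low")


if __name__ == "__main__":
    for guid, entries in triage(SAMPLE_O33_LINES).items():
        print(f"{guid} -> {worst_severity(entries)}")
        for e in entries:
            print(f"    {e.subkey:<24} {e.value}  {','.join(e.reasons) or '-'}")
```

Run against a full OTL.txt, the script prints one line per volume GUID; the two volumes launching svsys.exe from RECYCLER come out as high, the D:\Setup.exe autorun as medium, and the StickyDrive entry as low.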

Re: rootkit.agent

Post by Venlo on Sat 09 Apr 2011, 4:41 am

========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4d42fc7a-99ce-11dd-aeaa-0018e74ca16a}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4d42fc7a-99ce-11dd-aeaa-0018e74ca16a}\ not found.
File C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svsys.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4d42fc7a-99ce-11dd-aeaa-0018e74ca16a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4d42fc7a-99ce-11dd-aeaa-0018e74ca16a}\ not found.
File C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svsys.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{84db80f5-7503-11dd-98a3-806d6172696f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{84db80f5-7503-11dd-98a3-806d6172696f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{84db80f5-7503-11dd-98a3-806d6172696f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{84db80f5-7503-11dd-98a3-806d6172696f}\ not found.
File D:\Setup.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9c85dc5-adc3-11dd-aed5-0018e74ca16a}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c9c85dc5-adc3-11dd-aed5-0018e74ca16a}\ not found.
File G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svsys.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9c85dc5-adc3-11dd-aed5-0018e74ca16a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c9c85dc5-adc3-11dd-aed5-0018e74ca16a}\ not found.
File G:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svsys.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e262ce48-ee33-11de-b191-0018e74ca16a}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e262ce48-ee33-11de-b191-0018e74ca16a}\ not found.
File F:\__STICKYDRIVE\StickyDrive.exe not found.
C:\WINDOWS\system32\drivers\str.sys moved successfully.

OTL by OldTimer - Version 3.2.22.3 log created on 04082011_193310

Venlo

Newbie Surfer

Posts : 23
Joined : 2011-04-07
Operating System : Windows XP Service Pack 3

Re: rootkit.agent

Post by Belahzur on Sat 09 Apr 2011, 8:05 am

Hello.

  • Download combofix from here
    Link 1

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.




Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: rootkit.agent

Post by Venlo on Sun 10 Apr 2011, 9:13 pm

ComboFix 11-04-09.01 - Martijn van Vegchel 10-04-2011 11:48:01.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.2047.1487 [GMT 2:00]
Started from: c:\documents and settings\Martijn van Vegchel\Bureaublad\Combo-Fix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Martijn van Vegchel\Application Data\Adobe\plugs
c:\documents and settings\Martijn van Vegchel\Application Data\Adobe\shed
c:\documents and settings\Martijn van Vegchel\Application Data\E2F33F3C66B80EE0F02FF4AA88BAD25B
c:\documents and settings\Martijn van Vegchel\Application Data\E2F33F3C66B80EE0F02FF4AA88BAD25B\enemies-names.txt
c:\documents and settings\Martijn van Vegchel\Application Data\E2F33F3C66B80EE0F02FF4AA88BAD25B\local.ini
c:\documents and settings\Martijn van Vegchel\Application Data\E2F33F3C66B80EE0F02FF4AA88BAD25B\lsrslt.ini
c:\documents and settings\Martijn van Vegchel\WINDOWS
C:\ErrLog.txt
c:\windows\fix.exe
c:\windows\system32\Dll.dll
c:\windows\system32\drivers\str.sys
c:\windows\system32\shimg.dll
c:\windows\system32\tmp.tmp . . . . could not be deleted
.
.
(((((((((((((((((((( Files Created from 2011-03-10 to 2011-04-10 ))))))))))))))))))))))))))))))
.
.
2011-04-10 10:02 . 2011-04-10 10:02 0 ----a-w- c:\windows\system32\tmp.tmp
2011-04-08 17:38 . 2011-04-08 17:38 31744 ----a-w- c:\windows\system32\mykwddjp.dll
2011-04-08 17:33 . 2011-04-08 17:33 -------- d-----w- C:\_OTL
2011-04-07 17:38 . 2011-04-07 17:38 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-04-07 17:31 . 2011-04-07 17:31 491008 ----a-w- c:\windows\system32\devprov.dll
2011-04-07 17:31 . 2011-04-07 17:31 -------- d-----w- c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413
2011-04-07 17:31 . 2011-04-07 17:31 564736 ----a-w- c:\windows\system32\dbgqueue.exe
2011-04-06 15:43 . 2011-04-06 15:43 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BC3A6F91-8333-4FB1-8CCB-5C6968B1EC2F}\MpKsleaa1a22c.sys
2011-04-05 18:41 . 2011-03-15 04:05 6792528 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BC3A6F91-8333-4FB1-8CCB-5C6968B1EC2F}\mpengine.dll
2011-04-04 19:59 . 2011-04-04 19:59 -------- d-----w- c:\documents and settings\Administrator.MARTIJN
2011-04-03 17:11 . 2011-04-03 17:11 -------- d-----r- c:\documents and settings\NetworkService\Favorieten
2011-04-03 15:18 . 2010-12-20 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-03 15:18 . 2010-12-20 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-03 15:17 . 2011-04-06 17:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-03 15:12 . 2011-04-03 15:12 -------- d-----w- c:\documents and settings\Martijn van Vegchel\Application Data\Malwarebytes
2011-04-03 15:12 . 2011-04-03 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-30 17:27 . 2011-03-30 17:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-03-12 10:28 . 2011-03-12 10:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-03-12 10:28 . 2011-03-12 10:28 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 04:05 . 2011-03-06 11:58 6792528 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-13 09:54 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP3e51.tmp
2011-03-10 09:40 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP51f8.tmp
2011-03-10 09:38 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP5515.tmp
2011-03-10 09:35 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP44aa.tmp
2011-03-06 11:48 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP48ff.tmp
2011-03-06 11:45 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP4323.tmp
2011-03-05 11:38 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP417d.tmp
2011-03-04 13:39 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP4834.tmp
2011-03-04 13:37 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP4b22.tmp
2011-03-04 13:33 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP43ee.tmp
2011-03-02 18:02 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP4287.tmp
2011-02-28 18:00 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP5786.tmp
2011-02-28 17:58 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP4064.tmp
2011-02-27 10:34 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP5880.tmp
2011-02-26 18:03 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP690a.tmp
2011-02-26 18:01 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP5989.tmp
2011-02-25 13:27 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP5c58.tmp
2011-02-25 13:26 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP565d.tmp
2011-02-09 13:54 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:54 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 16:11 . 2011-02-27 11:00 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2008-08-28 11:37 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-08-28 11:37 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00 441344 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-19 20:51 . 2009-12-07 19:24 1080 ----a-w- c:\windows\AUTOLNCH.REG
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{47e161a0-f4ba-41dd-a17b-d2eb26ad6a02}"= "c:\program files\LimewirePlus\tbLime.dll" [2007-11-08 1502232]
.
[HKEY_CLASSES_ROOT\clsid\{47e161a0-f4ba-41dd-a17b-d2eb26ad6a02}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47e161a0-f4ba-41dd-a17b-d2eb26ad6a02}]
2007-11-08 10:11 1502232 ----a-w- c:\program files\LimewirePlus\tbLime.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{47e161a0-f4ba-41dd-a17b-d2eb26ad6a02}"= "c:\program files\LimewirePlus\tbLime.dll" [2007-11-08 1502232]
.
[HKEY_CLASSES_ROOT\clsid\{47e161a0-f4ba-41dd-a17b-d2eb26ad6a02}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{47E161A0-F4BA-41DD-A17B-D2EB26AD6A02}"= "c:\program files\LimewirePlus\tbLime.dll" [2007-11-08 1502232]
.
[HKEY_CLASSES_ROOT\clsid\{47e161a0-f4ba-41dd-a17b-d2eb26ad6a02}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 3872080]
"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe" [2008-08-13 405504]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-29 39408]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-20 16384512]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Martijn van Vegchel\Menu Start\Programma's\Opstarten\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-7-29 503808]
.
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
REALTEK RTL8185 Wireless LAN Utility.lnk - c:\program files\Realtek\RTL8185 Wireless LAN Utility\RtWLan.exe [2008-12-8 843776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\devprov.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mykwddjp.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\LimeWire Plus\\LimeWire.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Grand Theft Auto IV - Episodes From Liberty City\\EFLC.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\dbgqueue.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"39903:TCP"= 39903:TCP:UTorrent
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [28-9-2008 15:46 717296]
R2 dbgqueue.exe;Dbgqueue;c:\windows\system32\dbgqueue.exe [7-4-2011 19:31 564736]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [8-12-2008 21:16 38144]
S0 oiaw;oiaw;c:\windows\system32\drivers\orfhjrt.sys --> c:\windows\system32\drivers\orfhjrt.sys [?]
S0 tlxdgd;tlxdgd;c:\windows\system32\drivers\kapf.sys --> c:\windows\system32\drivers\kapf.sys [?]
S1 MpKsla006b7a0;MpKsla006b7a0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BC3A6F91-8333-4FB1-8CCB-5C6968B1EC2F}\MpKsla006b7a0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BC3A6F91-8333-4FB1-8CCB-5C6968B1EC2F}\MpKsla006b7a0.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [23-10-2009 19:17 133104]
S2 wafdpwpatelvih;wafdpwpatelvih;"c:\docume~1\MARTIJ~1\LOCALS~1\Temp\DAT3DF.tmp.exe" --SERVICE --> c:\docume~1\MARTIJ~1\LOCALS~1\Temp\DAT3DF.tmp.exe [?]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [21-5-2008 13:42 64000]
S3 Dual Mode;Dual Mode Video Capture;c:\windows\system32\drivers\CoachVc.sys [22-10-2008 14:59 44928]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19-2-2010 13:37 517096]
.
Contents of the 'Scheduled Tasks' folder
.
2010-06-14 c:\windows\Tasks\AdobeAAMUpdater-1.0-MARTIJN-Martijn van Vegchel.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-06-16 01:44]
.
2011-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-04-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-29 18:53]
.
2011-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 17:17]
.
2011-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 17:17]
.
2011-04-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 11:26]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\[You must be registered and logged in to see this link.]
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Martijn van Vegchel\Application Data\Mozilla\Firefox\Profiles\57g4lc25.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [You must be registered and logged in to see this link.] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Steam - c:\program files\Steam\Steam.exe
HKCU-Run-RGSC - c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
AddRemove-Football Manager 2009 - c:\program files\Sports Interactive\Football Manager 2009\Uninstall_Football Manager 2009\Uninstall Football Manager 2009.exe
AddRemove-{1A2A15C2-6780-49c1-B296-503230E9DE00} - c:\program files\EA GAMES\De Sims 2 Villa en Tuin Accessoires\EAUninstall.exe
AddRemove-{5C648FDB-0138-4619-B66E-230EF53E8E2C} - c:\program files\EA GAMES\De Sims 2 Tiener Accessoires\EAUninstall.exe
AddRemove-{87F6C83D-F949-4d14-B5CB-DC8C75F8932D} - c:\program files\EA GAMES\De Sims 2 Vrije Tijd\EAUninstall.exe
AddRemove-{9C244239-ED8E-40f1-937F-51C706CD2160} - c:\program files\EA GAMES\De Sims 2 Deluxe\EAUninstall.exe
AddRemove-{9CDBC303-3EED-40b0-8E41-A7C65AA96C26} - c:\program files\EA GAMES\De Sims 2 Glamour - Accessoires\EAUninstall.exe
AddRemove-{DFEF49D9-FC95-4301-99B9-2FB91C6ABA06} - c:\program files\EA GAMES\De Sims 2 Seizoenen\EAUninstall.exe
AddRemove-{F248ADFA-64E0-4b03-8A83-059078BED6A0} - c:\program files\EA GAMES\De Sims 2 Op Reis\EAUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-04-10 12:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-436374069-527237240-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:04,c8,1a,24,a2,8e,46,e8,d1,a3,fb,58,8d,54,36,b1,e0,2b,a8,e2,d4,be,17,
cd,eb,5a,17,a4,20,b3,b8,d4,3f,09,93,a2,83,d1,da,53,f2,a1,cb,82,62,47,1a,01,\
"??"=hex:69,2c,cb,6a,86,f8,3f,c0,ac,4d,2c,79,44,83,d7,d6
.
[HKEY_USERS\S-1-5-21-436374069-527237240-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:cf,f5,37,b8,4c,b2,5d,81,85,d4,58,45,a4,2b,cf,b1,c7,8c,5a,c0,36,
3c,99,c5,a3,ec,65,7b,1b,10,1e,9c,4c,b8,d9,d8,fc,48,f7,5e,c5,89,05,4e,4d,26,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(892)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(948)
c:\program files\Bonjour\mdnsNSP.dll
.
- - - - - - - > 'explorer.exe'(832)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2011-04-10 12:10:22 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-10 10:10
.
Pre-Run: 30.610.681.856 bytes free
Post-Run: 51.296.235.520 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 589E54DD7B5236B0E797274D264A1558

Venlo

Newbie Surfer

Posts : 23
Joined : 2011-04-07
Operating System : Windows XP Service Pack 3

Re: rootkit.agent

Post by Belahzur on Mon 11 Apr 2011, 1:19 am

Hello.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    File::
    c:\windows\system32\mykwddjp.dll
    c:\windows\system32\devprov.dll
    c:\windows\system32\dbgqueue.exe

    DirLook::
    c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413

    Rootkit::
    c:\windows\system32\tmp.tmp

    Registry::
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=-
    "AppInit_DLLs"=""
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\dbgqueue.exe"=-

    Driver::
    dbgqueue.exe
    oiaw
    tlxdgd
    wafdpwpatelvih

    Reboot::
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.




Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

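Venlo's ComboFix log and the CFScript Belahzur answers it with, above, show the persistence that had to be undone: an extra DLL appended to SecurityProviders, a non-empty AppInit_DLLs, boot-start driver entries whose files are gone, a service image under Temp, and a freshly created system32 executable that is both a running service and a firewall exception. The script below is an added example, not part of the thread and not ComboFix or OTL code: it reads those line shapes from a ComboFix-style log and lists the indicators a responder would act on. The embedded excerpt is constructed from lines in the thread, the XP default SecurityProviders list is the one the CFScript restores, and reading ComboFix's trailing "[?]" as "image file not found" is an assumption of this example.

```python
"""Triage a ComboFix-style log for persistence indicators (added example, not from the thread).

Recognizes the line shapes visible in the log above: the 'files created' block, the
AppInit_DLLs and SecurityProviders values, R*/S* service lines and the firewall
AuthorizedApplications list. ASSUMPTION: ComboFix's trailing '[?]' on a service
line is read as 'image file not found'.
"""
import re
from dataclasses import dataclass

# XP SP3 default; the CFScript in the thread resets SecurityProviders to exactly this.
XP_DEFAULT_SECURITY_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")
FIREWALL_SECTION = "firewallpolicy\\standardprofile\\authorizedapplications\\list"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<rest>.+)$")
FW_APP_RE = re.compile(r'^"(?P<path>[^"]+)"=$')
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d"
                        r"\s+(?:\d+|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")

@dataclass(frozen=True)
class Finding:
    kind: str     # persistence mechanism
    subject: str  # DLL, service name or path concerned
    note: str     # why it was flagged

def _norm(path):
    """Lower-case a path and collapse the doubled backslashes of REG-export style entries."""
    return path.strip().strip('"').replace("\\\\", "\\").lower()

def _service_binary(rest):
    """Tail of an R*/S* line -> (normalized image path, image_missing)."""
    missing = rest.rstrip().endswith("[?]")
    if "-->" in rest:                      # 'configured path --> resolved path'
        rest = rest.split("-->", 1)[1]
    rest = rest.split(" --SERVICE", 1)[0]  # quoted image path followed by a switch
    return _norm(re.sub(r"\s*\[[^\]]*\]\s*$", "", rest)), missing

def triage(log_text):
    """Return the list of Findings for one log."""
    findings, new_files, fw_apps, services, section = [], set(), set(), [], ""
    for line in (ln.strip() for ln in log_text.splitlines()):
        if not line or line == ".":
            continue
        if line.startswith("[HK"):             # registry section header
            section = line.lower()
            continue
        m = CREATED_RE.match(line)
        if m:
            if not m.group("attrs").startswith("d"):   # directories are listed too
                new_files.add(_norm(m.group("path")))
            continue
        if line.lower().startswith("securityproviders "):
            for dll in (p.strip().lower() for p in line.split(None, 1)[1].split(",")):
                if dll not in XP_DEFAULT_SECURITY_PROVIDERS:
                    findings.append(Finding("SecurityProviders", dll,
                        "not an XP default SSP; loaded by secur32 into processes that initialize SSPI"))
            continue
        if line.startswith('"AppInit_DLLs"='):
            value = line.split("=", 1)[1].strip()
            if value:
                findings.append(Finding("AppInit_DLLs", _norm(value),
                    "injected into every process that loads user32.dll"))
            continue
        if FIREWALL_SECTION in section and FW_APP_RE.match(line):
            fw_apps.add(_norm(FW_APP_RE.match(line).group("path")))
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append((m.group("start"), m.group("name")) + _service_binary(m.group("rest")))

    for start, name, path, missing in services:
        if missing:
            findings.append(Finding("Service", name, f"{start} entry, image {path} not found"))
        if "\\temp\\" in path:
            findings.append(Finding("Service", name, f"image runs from a Temp directory: {path}"))
        if path in new_files and path in fw_apps:
            findings.append(Finding("Service", name,
                f"{path} created inside the log window and granted a firewall exception"))
    return findings

# Constructed excerpt, trimmed from the first ComboFix log in this thread.
SAMPLE_LOG = r"""
2011-04-08 17:38 . 2011-04-08 17:38 31744 ----a-w- c:\windows\system32\mykwddjp.dll
2011-04-08 17:33 . 2011-04-08 17:33 -------- d-----w- C:\_OTL
2011-04-07 17:31 . 2011-04-07 17:31 491008 ----a-w- c:\windows\system32\devprov.dll
2011-04-07 17:31 . 2011-04-07 17:31 564736 ----a-w- c:\windows\system32\dbgqueue.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\devprov.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mykwddjp.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dbgqueue.exe"=
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [28-9-2008 15:46 717296]
R2 dbgqueue.exe;Dbgqueue;c:\windows\system32\dbgqueue.exe [7-4-2011 19:31 564736]
S0 oiaw;oiaw;c:\windows\system32\drivers\orfhjrt.sys --> c:\windows\system32\drivers\orfhjrt.sys [?]
S0 tlxdgd;tlxdgd;c:\windows\system32\drivers\kapf.sys --> c:\windows\system32\drivers\kapf.sys [?]
S2 wafdpwpatelvih;wafdpwpatelvih;"c:\docume~1\MARTIJ~1\LOCALS~1\Temp\DAT3DF.tmp.exe" --SERVICE --> c:\docume~1\MARTIJ~1\LOCALS~1\Temp\DAT3DF.tmp.exe [?]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:18} {f.subject:45} {f.note}")
```

Run it as-is to see the findings for the embedded excerpt, or call triage() on the text of a saved C:\ComboFix.txt. The findings map one-to-one onto the File::, Registry:: and Driver:: sections of the CFScript above; the new-file plus firewall-exception cross-check is what separates dbgqueue.exe from the legitimate services in the same list, since neither its name nor its location is suspicious on its own.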
Re: rootkit.agent

Post by Venlo on Mon 11 Apr 2011, 2:49 am

ComboFix 11-04-09.01 - Martijn van Vegchel 10-04-2011 17:33:22.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.2047.1471 [GMT 2:00]
Started from: c:\documents and settings\Martijn van Vegchel\Bureaublad\Combo-Fix.exe
Command switches used :: c:\documents and settings\Martijn van Vegchel\Bureaublad\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\windows\system32\dbgqueue.exe"
"c:\windows\system32\devprov.dll"
"c:\windows\system32\mykwddjp.dll"
.
.
(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\dbgqueue.exe
c:\windows\system32\devprov.dll
c:\windows\system32\tmp.tmp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_DBGQUEUE.EXE
-------\Legacy_WAFDPWPATELVIH
-------\Service_dbgqueue.exe
-------\Service_oiaw
-------\Service_tlxdgd
-------\Service_wafdpwpatelvih
.
.
(((((((((((((((((((( Files Created from 2011-03-10 to 2011-04-10 ))))))))))))))))))))))))))))))
.
.
2011-04-10 15:25 . 2011-04-10 15:25 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{020E03A9-0F33-4F80-9085-EEABD735E207}\MpKslb5360113.sys
2011-04-10 12:29 . 2011-03-15 04:05 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{020E03A9-0F33-4F80-9085-EEABD735E207}\mpengine.dll
2011-04-08 17:33 . 2011-04-08 17:33 -------- d-----w- C:\_OTL
2011-04-07 17:38 . 2011-04-07 17:38 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-04-07 17:31 . 2011-04-07 17:31 -------- d-----w- c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413
2011-04-04 19:59 . 2011-04-04 19:59 -------- d-----w- c:\documents and settings\Administrator.MARTIJN
2011-04-03 17:11 . 2011-04-03 17:11 -------- d-----r- c:\documents and settings\NetworkService\Favorieten
2011-04-03 15:18 . 2010-12-20 16:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-03 15:18 . 2010-12-20 16:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-03 15:17 . 2011-04-06 17:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-03 15:12 . 2011-04-03 15:12 -------- d-----w- c:\documents and settings\Martijn van Vegchel\Application Data\Malwarebytes
2011-04-03 15:12 . 2011-04-03 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-30 17:27 . 2011-03-30 17:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-03-12 10:28 . 2011-03-12 10:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-03-12 10:28 . 2011-03-12 10:28 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 04:05 . 2011-03-06 11:58 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-13 09:54 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP3e51.tmp
2011-03-10 09:40 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP51f8.tmp
2011-03-10 09:38 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP5515.tmp
2011-03-10 09:35 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP44aa.tmp
2011-03-06 11:48 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP48ff.tmp
2011-03-06 11:45 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP4323.tmp
2011-03-05 11:38 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP417d.tmp
2011-03-04 13:39 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP4834.tmp
2011-03-04 13:37 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP4b22.tmp
2011-03-04 13:33 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP43ee.tmp
2011-03-02 18:02 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP4287.tmp
2011-02-28 18:00 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP5786.tmp
2011-02-28 17:58 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP4064.tmp
2011-02-27 10:34 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP5880.tmp
2011-02-26 18:03 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP690a.tmp
2011-02-26 18:01 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP5989.tmp
2011-02-25 13:27 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP5c58.tmp
2011-02-25 13:26 . 2008-08-28 13:17 102400 ----a-w- c:\windows\DUMP565d.tmp
2011-02-09 13:54 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:54 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 16:11 . 2011-02-27 11:00 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2008-08-28 11:37 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-08-28 11:37 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 12:00 441344 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-19 20:51 . 2009-12-07 19:24 1080 ----a-w- c:\windows\AUTOLNCH.REG
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413 ----
.
2011-04-07 17:32 . 2011-04-07 17:32 33 ----a-w- c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413\conf\names\3305.mov.nms
2011-04-07 17:32 . 2011-04-07 17:32 30 ----a-w- c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413\conf\names\3306.torrent.nms
2011-04-07 17:32 . 2011-04-07 17:32 32 ----a-w- c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413\conf\names\3307.torrent.nms
2011-04-07 17:32 . 2011-04-07 17:32 28 ----a-w- c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413\conf\names\3302.zip.nms
2011-04-07 17:32 . 2011-04-07 17:32 55 ----a-w- c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413\conf\names\3303.zip.nms
2011-04-07 17:32 . 2011-04-07 17:32 11752 ----a-w- c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413\conf\names\3304.mov.kws
2011-04-07 17:32 . 2011-04-07 17:32 54 ----a-w- c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413\conf\names\3304.mov.nms
2011-04-07 17:32 . 2011-04-07 17:32 6122193 ----a-w- c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413\conf\templates\3305.mov
2011-04-07 17:32 . 2011-04-07 17:32 4632478 ----a-w- c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413\conf\templates\3304.mov
2011-04-07 17:32 . 2011-04-07 17:32 1257 ----a-w- c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413\conf\templates\3306.torrent
2011-04-07 17:32 . 2011-04-07 17:32 1377 ----a-w- c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413\conf\templates\3307.torrent
2011-04-07 17:32 . 2011-04-07 17:32 1500984 ----a-w- c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413\conf\templates\3303.zip
2011-04-07 17:32 . 2011-04-07 17:32 5278 ----a-w- c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413\conf\WebCache.net
2011-04-07 17:32 . 2011-04-07 17:32 1347139 ----a-w- c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413\conf\templates\3302.zip
2011-04-07 17:32 . 2011-04-07 17:32 2 ----a-w- c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413\conf\.version
2011-04-07 17:32 . 2011-04-07 17:32 8942 ----a-w- c:\windows\system32\9982200BE46FE419835E2AAEDF4DC413\conf\GnuCache.net
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{47e161a0-f4ba-41dd-a17b-d2eb26ad6a02}"= "c:\program files\LimewirePlus\tbLime.dll" [2007-11-08 1502232]
.
[HKEY_CLASSES_ROOT\clsid\{47e161a0-f4ba-41dd-a17b-d2eb26ad6a02}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47e161a0-f4ba-41dd-a17b-d2eb26ad6a02}]
2007-11-08 10:11 1502232 ----a-w- c:\program files\LimewirePlus\tbLime.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{47e161a0-f4ba-41dd-a17b-d2eb26ad6a02}"= "c:\program files\LimewirePlus\tbLime.dll" [2007-11-08 1502232]
.
[HKEY_CLASSES_ROOT\clsid\{47e161a0-f4ba-41dd-a17b-d2eb26ad6a02}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{47E161A0-F4BA-41DD-A17B-D2EB26AD6A02}"= "c:\program files\LimewirePlus\tbLime.dll" [2007-11-08 1502232]
.
[HKEY_CLASSES_ROOT\clsid\{47e161a0-f4ba-41dd-a17b-d2eb26ad6a02}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 3872080]
"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe" [2008-08-13 405504]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-29 39408]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-20 16384512]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Martijn van Vegchel\Menu Start\Programma's\Opstarten\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-7-29 503808]
.
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
REALTEK RTL8185 Wireless LAN Utility.lnk - c:\program files\Realtek\RTL8185 Wireless LAN Utility\RtWLan.exe [2008-12-8 843776]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\LimeWire Plus\\LimeWire.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Grand Theft Auto IV - Episodes From Liberty City\\EFLC.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"39903:TCP"= 39903:TCP:UTorrent
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [28-9-2008 15:46 717296]
R1 MpKslb5360113;MpKslb5360113;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{020E03A9-0F33-4F80-9085-EEABD735E207}\MpKslb5360113.sys [10-4-2011 17:25 28752]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [8-12-2008 21:16 38144]
S1 MpKsla006b7a0;MpKsla006b7a0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BC3A6F91-8333-4FB1-8CCB-5C6968B1EC2F}\MpKsla006b7a0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BC3A6F91-8333-4FB1-8CCB-5C6968B1EC2F}\MpKsla006b7a0.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [23-10-2009 19:17 133104]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [21-5-2008 13:42 64000]
S3 Dual Mode;Dual Mode Video Capture;c:\windows\system32\drivers\CoachVc.sys [22-10-2008 14:59 44928]
S3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [19-2-2010 13:37 517096]
.
Inhoud van de 'Gedeelde Taken' map
.
2010-06-14 c:\windows\Tasks\AdobeAAMUpdater-1.0-MARTIJN-Martijn van Vegchel.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-06-16 01:44]
.
2011-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-04-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-29 18:53]
.
2011-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 17:17]
.
2011-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 17:17]
.
2011-04-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 11:26]
.
.
------- Bijkomende Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\[You must be registered and logged in to see this link.]
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Martijn van Vegchel\Application Data\Mozilla\Firefox\Profiles\57g4lc25.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [You must be registered and logged in to see this link.] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-04-10 17:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------
.
[HKEY_USERS\S-1-5-21-436374069-527237240-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:04,c8,1a,24,a2,8e,46,e8,d1,a3,fb,58,8d,54,36,b1,e0,2b,a8,e2,d4,be,17,
cd,eb,5a,17,a4,20,b3,b8,d4,3f,09,93,a2,83,d1,da,53,f2,a1,cb,82,62,47,1a,01,\
"??"=hex:69,2c,cb,6a,86,f8,3f,c0,ac,4d,2c,79,44,83,d7,d6
.
[HKEY_USERS\S-1-5-21-436374069-527237240-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:cf,f5,37,b8,4c,b2,5d,81,85,d4,58,45,a4,2b,cf,b1,c7,8c,5a,c0,36,
3c,99,c5,a3,ec,65,7b,1b,10,1e,9c,4c,b8,d9,d8,fc,48,f7,5e,c5,89,05,4e,4d,26,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
.
- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2644)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\LimewirePlus\tbLime.dll
c:\program files\Microsoft Office\Office12\1043\GrooveIntlResource.dll
c:\program files\Audible\Bin\AudibleExt.dll
c:\program files\Common Files\Ahead\Lib\NeroDigitalExt.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.NLD
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Voltooingstijd: 2011-04-10 17:48:43 - machine werd herstart
ComboFix-quarantined-files.txt 2011-04-10 15:48
ComboFix2.txt 2011-04-10 10:10
.
Pre-Run: 51.236.098.048 bytes beschikbaar
Post-Run: 51.242.315.776 bytes beschikbaar
.
- - End Of File - - E2ECA96C99DBEDE64A496474D3CEC921

Venlo

Newbie Surfer

Posts : 23
Joined : 2011-04-07
Operating System : Windows XP Service Pack 3


Re: rootkit.agent

Post by Belahzur on Mon 11 Apr 2011, 3:28 am

Hello.

I see that you are running Limewire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people, but they can also be used to distribute malware and are thus not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java(TM) 6 Update 7
    Java(TM) 6 Update 22
    LimeWire 5.5.13
    LimewirePlus Toolbar
    µTorrent

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX control. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre


Re: rootkit.agent

Post by Venlo on Mon 11 Apr 2011, 7:12 am

Here's the log. I decided to remove only Limewire, since I don't use it anymore. I need Java and µTorrent, but I won't ignore the update notifications anymore and will be a lot more cautious with the stuff I download via µTorrent.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=15bc398eb2210249bbbf02996727ab79
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-10 08:02:43
# local_time=2011-04-10 10:02:43 (+0100, West-Europa (zomertijd))
# country="Netherlands"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5891 16776533 42 87 2549 14505375 0 0
# compatibility_mode=8192 67108863 100 0 181 181 0 0
# scanned=291100
# found=22
# cleaned=22
# scan_time=8451
C:\Nero\Nero PhotoShow Express\nero_photoshow_express_5_setup.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Martijn van Vegchel\Application Data\E2F33F3C66B80EE0F02FF4AA88BAD25B\enemies-names.txt.vir Win32/Adware.AntimalwareDoctor.AE.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\Martijn van Vegchel\Application Data\E2F33F3C66B80EE0F02FF4AA88BAD25B\local.ini.vir Win32/Adware.AntimalwareDoctor.AE.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\dbgqueue.exe.vir a variant of Win32/Kryptik.MLX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\devprov.dll.vir a variant of Win32/Kryptik.MLX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\dll.dll.vir a variant of Win32/Lukicsel.O trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1B797C21-973E-4313-979F-D52634C164A0}\RP641\A0209361.dll a variant of Win32/Lukicsel.O trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1B797C21-973E-4313-979F-D52634C164A0}\RP642\A0209562.dll a variant of Win32/Lukicsel.O trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1B797C21-973E-4313-979F-D52634C164A0}\RP644\A0209816.dll a variant of Win32/Lukicsel.O trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1B797C21-973E-4313-979F-D52634C164A0}\RP645\A0210075.dll a variant of Win32/Lukicsel.O trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1B797C21-973E-4313-979F-D52634C164A0}\RP647\A0211284.dll a variant of Win32/Lukicsel.O trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1B797C21-973E-4313-979F-D52634C164A0}\RP647\A0211303.dll a variant of Win32/Lukicsel.O trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1B797C21-973E-4313-979F-D52634C164A0}\RP648\A0211503.dll a variant of Win32/Lukicsel.O trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1B797C21-973E-4313-979F-D52634C164A0}\RP648\A0211512.dll a variant of Win32/Lukicsel.O trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1B797C21-973E-4313-979F-D52634C164A0}\RP650\A0214553.dll a variant of Win32/Lukicsel.O trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1B797C21-973E-4313-979F-D52634C164A0}\RP650\A0214566.dll a variant of Win32/Lukicsel.O trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1B797C21-973E-4313-979F-D52634C164A0}\RP650\A0214574.dll Win32/Lukicsel.S trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1B797C21-973E-4313-979F-D52634C164A0}\RP659\A0227875.ini Win32/Adware.AntimalwareDoctor.AE.Gen application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1B797C21-973E-4313-979F-D52634C164A0}\RP659\A0227878.dll a variant of Win32/Lukicsel.O trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1B797C21-973E-4313-979F-D52634C164A0}\RP660\A0228014.exe a variant of Win32/Kryptik.MLX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1B797C21-973E-4313-979F-D52634C164A0}\RP660\A0228015.dll a variant of Win32/Kryptik.MLX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1B797C21-973E-4313-979F-D52634C164A0}\RP662\A0228444.exe Win32/Toolbar.AskSBar application (deleted - quarantined) 00000000000000000000000000000000 C

Venlo

Newbie Surfer

Posts : 23
Joined : 2011-04-07
Operating System : Windows XP Service Pack 3
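
The ESET log in the post above has a regular shape: a "# key=value" header (found, cleaned, end, remove_checked, ...) followed by one detection per line made up of the path, an optional "a variant of", the threat name, its category, the action taken in parentheses, an MD5 and a flag. The Python below is an added example, not ESET's code and not part of the thread: it parses that shape into a triage summary, separating hits inside ComboFix's C:\Qoobox\Quarantine and inside System Volume Information\_restore points (copies that are already out of the way) from files that were live on the system, and checking that the header's found/cleaned counts agree with the lines actually listed. The sample log, its paths and the restore-point GUID are constructed placeholders, not values from the real machine.

```python
"""Triage summary for an ESET Online Scanner log.

Added example, not ESET's code and not part of the forum thread. The log
shape is the one visible in the thread: a '# key=value' header followed by
one detection per line. The sample log below is constructed; its paths and
the restore-point GUID are placeholders, not values from the real machine.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log; <MD5> stands in for the all-zero hash ESET printed.
SAMPLE_LOG = "\n".join([
    "ESETSmartInstaller@High as CAB hook log:",
    "OnlineScanner.ocx - registred OK",
    "# version=7",
    "# end=finished",
    "# remove_checked=true",
    "# scanned=1000",
    "# found=4",
    "# cleaned=4",
    "C:\\Tools\\setup_bundle.exe Win32/Toolbar.AskSBar application (deleted - quarantined) <MD5> C",
    "C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\sample.dll.vir a variant of Win32/Kryptik.MLX trojan (cleaned by deleting - quarantined) <MD5> C",
    "C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP1\\A0000001.dll a variant of Win32/Lukicsel.O trojan (cleaned by deleting - quarantined) <MD5> C",
    "C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP2\\A0000002.exe a variant of Win32/Kryptik.MLX trojan (cleaned by deleting - quarantined) <MD5> C",
]).replace("<MD5>", "0" * 32)

# path, optional 'a variant of', threat name, lowercase category, (action), md5, flag
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?:a variant of )?(?P<threat>\S+) (?P<kind>[a-z][a-z ]*) "
    r"\((?P<action>[^)]*)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str     # e.g. Win32/Kryptik.MLX
    kind: str       # trojan, application, ...
    action: str     # what the scanner did with the file
    location: str   # live / combofix-quarantine / system-restore-point


def classify_location(path: str) -> str:
    """Hits inside ComboFix's Qoobox quarantine or inside System Restore points
    are copies already taken out of play; anything else was live on the system."""
    low = path.lower()
    if low.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix-quarantine"
    if "\\system volume information\\_restore" in low:
        return "system-restore-point"
    return "live"


def parse_eset_log(text: str):
    header: dict[str, str] = {}
    detections: list[Detection] = []
    unparsed: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header[key] = value          # repeated keys keep the last value
            continue
        m = DETECTION_RE.match(line)
        if m is None:
            unparsed.append(line)        # installer chatter, not a detection
            continue
        detections.append(Detection(
            path=m["path"], threat=m["threat"], kind=m["kind"],
            action=m["action"], location=classify_location(m["path"]),
        ))
    return header, detections, unparsed


def summarize(text: str) -> dict:
    header, detections, _ = parse_eset_log(text)
    found = int(header.get("found", "0"))
    cleaned = int(header.get("cleaned", "0"))
    # Family = threat name without its variant suffix (Win32/Kryptik.MLX -> Win32/Kryptik)
    by_family = Counter(d.threat.split(".")[0] for d in detections)
    by_location = Counter(d.location for d in detections)
    return {
        "finished": header.get("end") == "finished",
        "found": found,
        "cleaned": cleaned,
        "lines_match_header": len(detections) == found,
        "all_cleaned": found == cleaned,
        "by_family": dict(by_family),
        "by_location": dict(by_location),
        "live_paths": [d.path for d in detections if d.location == "live"],
        # Tainted restore points mean a later System Restore could bring the files back
        "restore_points_tainted": by_location["system-restore-point"] > 0,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Applied to the log posted above, this split puts 21 of the 22 hits in C:\Qoobox\Quarantine or in _restore points and leaves only the Nero PhotoShow setup file under C:\Nero as a live detection, which is the distinction an analyst wants before deciding whether the machine was still infected or the scanner was merely re-finding already quarantined copies.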


Re: rootkit.agent

Post by Belahzur on Tue 12 Apr 2011, 6:27 am

I see that you are running Limewire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people, but they can also be used to distribute malware and are thus not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Adobe Reader 9.4.3 - Nederlands
    Java(TM) 6 Update 7
    Java(TM) 6 Update 22
    LimeWire 5.5.13
    LimewirePlus Toolbar
    µTorrent

Updating Java:

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 24.
  • Click the "Download JRE" button to the right.
  • In the window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe that you downloaded to install the newest version.

Then download and install Adobe Reader X

How is the machine running now?


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre


Re: rootkit.agent

Post by Venlo on Thu 14 Apr 2011, 5:07 am

Hi,

I removed Limewire, I updated Java and I downloaded Adobe Reader X.

I did scan my computer again with Malwarebytes, ESET and Microsoft Security Essentials, just to be sure. Malwarebytes did find the following: c:\WINDOWS\system32\gnuhashes.ini (Trojan.Tracur).
It was removed and I couldn't find any viruses after it.

My computer is running normally again. Thanks a lot!

Venlo

Newbie Surfer

Posts : 23
Joined : 2011-04-07
Operating System : Windows XP Service Pack 3


Re: rootkit.agent

Post by Belahzur on Thu 14 Apr 2011, 9:10 am

No problem, everything okay now?


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

