Behaveslike:win32.irc-backdoor/backdoor.irc.snyd.a

oply · June 2008

Hello everyboddy,

can u guys helpe me plz. If got a llittle problem with my PC. :wacko:

Yesterday i found this virus from on my pc (bitdefender) BehavesLike:Win32.IRC-Backdoor

bitdefender couldn't delete it and move it. so wat do i need to do to get hem of my PC ?

this info i found about it:

Backdoor.IRC.Snyd.A

( Backdoor.Win32.Breplibot.b (Kaspersky) Troj/Stinx-E (Sophos) W32/Brepibot virus (McAfee) )

Ausbreitung : low

Schaden : medium

Size: 10,240 bytes

Entdeckt : 2005 Nov 09

SYMPTOMS:

It is virtually impossible for a normal user to detect presence of any files hidden by Sony DRM Software. See technical description below.

Prior to 10 Nov 2005 this malware was detected as BehavesLike:Win32.IRC-Backdoor proactively

TECHNICAL DESCRIPTION:

This is an IRC backdoor that was spammed in an e-mail withe the following body:

Hello,

Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly.

Can you check over the format and get back to us with your approval or any changes?

If the picture is not to your liking then please send a preferred one.

We have attached the photo with the article here.

Kind regards,

Jamie Andrews

Editor

www.TotalBusiness.co.uk

**********************************************

The Professional Development Institute

And the attachment: Article+Photos.exe

The backdoor uses the Sony DRM copy protection system in order to hide its presence in the system.

When executed it does the following actions:

- It copies itself as:

%sysdir%\ $sys$drv.exe

- It adds the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ $sys$drv with value

%sysdir%\ $sys$drv.exe

and

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ $sys$drv with value

%sysdir%\ $sys$drv.exe

- It drops and executes the following files:

%TEMP%\******.bat and

%TEMP%\yyy.bat where ****** and yyy are two random numbers.

******.bat tryes to disable firewall checking for the $sys$drv.exe

yyy.bat waits for the trojan to end and deletes it.

- It connects to one of 5 hardcoded IRC servers on port 8080.

- It waits for a small list of posible commands on channel #sony

The backdoor contains the following string: „SonyEnabled”

plz help me

thank u

AndreiASM · June 2008

Please attach some samples, archived, protected with the password infected, to a new post.

Thank you.

oply · June 2008

u mean this?

<System>=>C:\WINDOWS\ehSched.exe (memory dump) Infected: BehavesLike:Win32.IRC-Backdoor

<System>=>C:\WINDOWS\ehSched.exe (memory dump) Disinfection failed

<System>=>C:\WINDOWS\ehSched.exe (memory dump) Move failed

<System>=>C:\WINDOWS\ehSched.exe (full dump) Infected: BehavesLike:Win32.IRC-Backdoor

<System>=>C:\WINDOWS\ehSched.exe (full dump) Disinfection failed

<System>=>C:\WINDOWS\ehSched.exe (full dump) Move failed

this is wat bitdefender found....

rootkit · June 2008

Yes !

Pack that file in a zip or rar archive protected with the password infected and attach it here !

oply · June 2008

U mean the Whole log? i closed scan shal i do it again?

and how i do that? wat file most pack :wacko: ...

sry im only a kid only can scan protect and a bit work with bit defender... but pack logs?

sry about that....

oply · June 2008

here u got the file

pass: infected

/applications/core/interface/file/attachment.php?id=2183" data-fileid="2183" rel="">Infected.zip

rootkit · June 2008

Thank you for the sample!

The guys from the LAB will take a look

Post here a HijackThis log !

Instructions: http://forum.bitdefender.com/index.php?showtopic=5668

oply · June 2008

Thank you for the sample!

The guys from the LAB will take a look

Post here a HijackThis log !

Instructions: http://forum.bitdefender.com/index.php?showtopic=5668

alright thank u

oply · June 2008

ok here u got hjacktis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:10:03, on 8/06/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\oodag.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE

C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe

C:\Program Files\Softwin\BitDefender10\bdagent.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\WINDOWS\system32\oodtray.exe

C:\Program Files\Spector Photo Software\Agent.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Back2zip\Back2zip.exe

C:\WINDOWS\ehSched.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

C:\Program Files\Softwin\BitDefender10\vsserv.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAShCut.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"

O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start

O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

O4 - HKLM\..\Run: [bDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe

O4 - HKLM\..\Run: [ExtraFilmHemmaAgent] "C:\Program Files\Spector Photo Software\Agent.exe"

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.3.37.0\OEAddOn.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Windows UDP Control Center] ehSched.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Back2zip.lnk = C:\Program Files\Back2zip\Back2zip.exe

O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe

O4 - Global Startup: Statusvenster.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll

O9 - Extra button: Verzenden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Verz&enden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-BE/a-UNO1/GAME_UNO1.cab

O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.spector.be/DesktopModules/Spect...geUploader4.cab

O16 - DPF: {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} (IPSUploader4 Control) - http://as.photoprintit.de/ips-opdata/74914...PSUploader4.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe

O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--

End of file - 10729 bytes

AndreiASM · June 2008

Please archive the file C:\WINDOWS\ehSched.exe, protect it with the password infected and upload it to a new post. It isn`t necesarly to do the same thing with log files.

oply · June 2008

Please archive the file C:\WINDOWS\ehSched.exe, protect it with the password infected and upload it to a new post. It isn`t necesarly to do the same thing with log files.

here u go

/applications/core/interface/file/attachment.php?id=2184" data-fileid="2184" rel="">ehSched.zip

rootkit · June 2008

Hmmm...

Do you have Windows XP Media Center ?!

oply · June 2008

Hmmm...

Do you have Windows XP Media Center ?!

i think yes is that at configuration screen media center?

sry for my bad english i talk dutch normaly...

rootkit · June 2008

Oky. This is what you have to do:

-Turn Off System Restore for all hard drives !

-Reboot the PC in Safe Mode and delete the file : C:\WINDOWS\ehSched.exe (do not send it to Recycle Bin, selectthe file and press Shift+Delete)

-Reboot the PC in normal mode.

Your PC may contain viruses, so I suggest you to run ComboFix that will investigate and eliminate all infections it may found (if it has them in its database).

Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then close all running programs, including web browser, instant messenger, etc and then run ComboFix.

It will ask you whether it should start cleaning or not. Press 1 and hit Enter. Don't stop it while running. While doing this your screen may disappear but don't worry, it's a normal behaviour.

At the end ComboFix will generate a log file. Save it and post it here + another HijackThis log !

oply · June 2008

Turn Off System Restore for all hard drives !

-Reboot the PC in Safe Mode

-Reboot the PC in normal mode.

how can i do thos 3 things how do i start up in other mode and how do i turn off system restore

rootkit · June 2008

Disabling System Restore

You should first go into the Control Panel and then double click on the System icon. If you are in the control panel and do not see the System icon, click on the link that says "Switch to classic view" in the upper left hand side of the window. Now you should be able to see the System icon. After you double click on it you should then click on the System Restore tab. If system restore is enabled you will see an image like Figure 1 below.

If you see in the Status section, designated by the green box, that it is Turned off , then system restore is already disabled and you do not have to do anything further. If it is showing that it is monitoring as seen in Figure 1 above, then you should check the checkbox labeled "Turn off System Restore", designated by the red box. You should then click on the Apply button to disable system restore.

Reboot the PC in Safe Mode using the F8 Method

1. Restart your computer.

2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.

3. Select the option for Safe Mode using the arrow keys.

4. Then press enter on your keyboard to boot into Safe Mode.

5. Do whatever tasks you require and when you are done reboot to boot back into normal mode.

oply · June 2008

combo fix log is this

ComboFix 08-06-07.3 - Administrator 2008-06-08 16:22:07.1 - NTFSx86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.794 [GMT 2:00]

Gestart vanuit: C:\Documents and Settings\Administrator\Bureaublad\ComboFix.exe

WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Administrator\Application Data\WeatherDPA

C:\Documents and Settings\Administrator\Application Data\WeatherDPA\Weather\WeatherStartup.xml

C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65

C:\Documents and Settings\All Users\Application Data\ZangoSA

C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSA.dat

C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSAAbout.mht

C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSAEULA.mht

C:\WINDOWS\system32\launcher.exe

C:\WINDOWS\system32\MSINET.oca

.

(((((((((((((((((((( Bestanden Gemaakt van 2008-05-08 to 2008-06-08 ))))))))))))))))))))))))))))))

.

2008-06-08 15:31 . 2008-06-08 15:38 <DIR> dr-h----- C:\Documents and Settings\Administrator\Onlangs geopend

2008-06-08 15:06 . 2008-06-08 15:06 <DIR> d-------- C:\Program Files\Trend Micro

2008-06-08 00:06 . 2008-06-08 00:06 <DIR> d-------- C:\SpySoapBin

2008-06-08 00:06 . 2008-06-08 00:08 <DIR> d-------- C:\Program Files\SpySoap

2008-06-05 21:37 . 2008-06-05 21:37 <DIR> d-------- C:\Program Files\Back2zip

2008-06-05 21:24 . 2008-06-05 21:24 483,865 --a------ C:\back2zip.zip

2008-06-05 21:11 . 2008-06-07 09:54 <DIR> d-------- C:\DOWNLOAD

2008-05-26 20:45 . 2008-06-05 19:20 <DIR> d-------- C:\Program Files\WarRock

2008-05-26 20:44 . 2008-05-26 20:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield

2008-05-24 15:09 . 2003-07-21 05:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd

2008-05-24 15:09 . 2005-01-04 20:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys

2008-05-23 22:12 . 2008-05-23 22:38 <DIR> d-------- C:\Program Files\Soldier of Fortune II - Double Helix

2008-05-23 21:31 . 2008-05-23 21:31 <DIR> d-------- C:\Program Files\directx

2008-05-14 17:01 . 2008-05-31 18:29 <DIR> d-------- C:\Program Files\Codemasters

2008-05-14 09:54 . 2004-08-04 01:03 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll

2008-05-14 09:54 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys

2008-05-14 09:54 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\dllcache\usbscan.sys

2008-05-14 09:54 . 2001-09-06 21:27 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

2008-05-14 03:29 . 2008-05-14 03:29 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll

2008-05-13 21:07 . 2008-05-13 21:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\bang

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-08 14:18 81,984 ----a-w C:\WINDOWS\system32\bdod.bin

2008-06-08 13:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Xfire

2008-06-07 16:31 --------- d-----w C:\Program Files\Cheat Engine

2008-06-07 07:58 --------- d-----w C:\Program Files\BoontyGames

2008-06-06 19:28 --------- d-----w C:\Program Files\GameSpy Arcade

2008-06-06 19:22 --------- d-----w C:\Program Files\Microsoft Games

2008-06-05 17:15 --------- d-----w C:\Program Files\EndlessOnline

2008-06-05 04:56 --------- d-s---w C:\Program Files\Xfire

2008-06-03 04:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help

2008-05-30 19:08 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-05-30 19:08 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe

2008-05-28 10:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Mijn Battle for Middle-earth bestanden

2008-05-27 18:48 --------- d-----w C:\Program Files\Windows Live Safety Center

2008-05-26 18:45 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-05-23 17:23 --------- d-----w C:\Program Files\doom 3

2008-05-14 07:56 --------- d-----w C:\Program Files\Spector Photo Software

2008-05-12 09:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip

2008-04-30 19:55 --------- d-----w C:\Program Files\Wolfenstein - Enemy Territory

2008-04-30 07:30 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Xfire

2008-04-30 07:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire

2008-04-27 10:28 5,632 ----a-w C:\WINDOWS\system32\BReWErS.dll

2008-04-19 17:18 --------- d-----w C:\Program Files\Bethesda Softworks

2008-04-18 04:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\U3

2008-04-16 13:57 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe

2008-04-14 17:46 22,328 ----a-w C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys

2008-04-12 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Activision

2008-04-12 18:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Activision

2008-04-12 18:45 --------- d-----w C:\Program Files\Activision

2008-03-25 04:51 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll

2008-03-25 04:51 621,344 ------w C:\WINDOWS\system32\dllcache\mswstr10.dll

2008-03-25 04:51 183,072 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-25 04:51 183,072 ------w C:\WINDOWS\system32\dllcache\msjint40.dll

2008-03-20 08:01 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-20 08:01 1,846,016 ------w C:\WINDOWS\system32\dllcache\win32k.sys

2008-03-09 11:09 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

REGEDIT4

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03 15360]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]

"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-11-17 13:53 171464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Snelkoppeling naar eigenschappenvenster voor High Definition Audio"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 21:15 344064]

"FRYMXINS"="C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" [ ]

"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2005-04-08 11:08 73728]

"VirtualCloneDrive"="C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 15:21 94208]

"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [2007-10-23 21:13 290816]

"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49 69632]

"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]

"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-18 12:40 57393]

"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-18 12:53 40960]

"SetDefPrt"="C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 18:02 49152]

"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 17:42 933888]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]

"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 02:08 2512392]

"ExtraFilmHemmaAgent"="C:\Program Files\Spector Photo Software\Agent.exe" [2006-10-03 10:40 323584]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 10:03 110592 C:\WINDOWS\system32\bthprops.cpl]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 10:03 15360]

C:\Documents and Settings\Administrator\Menu Start\Programma's\Opstarten\

Back2zip.lnk - C:\Program Files\Back2zip\Back2zip.exe [2008-06-05 21:37:32 535552]

Xfire.lnk - C:\Program Files\Xfire\Xfire.exe [2008-05-14 03:29:28 3007824]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\

Statusvenster.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2007-10-24 20:33:42 802816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"AllowLegacyWebView"= 1 (0x1)

"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.ACDV"= ACDV.dll

"VIDC.XFR1"= xfcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Activision\\X-Men Legends 2\\XMen2.exe"=

"C:\\Program Files\\Croteam\\Serious Sam - The Second Encounter\\Bin\\SeriousSam.exe"=

"C:\\Program Files\\Ubisoft\\Pacific Fighters\\pf.exe"=

"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth\\game.dat"=

"C:\\Program Files\\EA GAMES\\The Battle for Middle-earth\\patchget.dat"=

"C:\\Program Files\\Electronic Arts\\Need for Speed Carbon\\NFSC.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.exe"=

"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.EXE"=

"C:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=

"C:\\Program Files\\Infogrames\\Line of Sight - Vietnam\\Vietnam.exe"=

"C:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRESX.EXE"=

"C:\\Program Files\\BoontyGames\\Don t Get Angry 2\\DA2.exe"=

"C:\\WINDOWS\\system32\\dplaysvr.exe"=

"C:\\Program Files\\doom 3\\Doom3.exe"=

"C:\\Program Files\\THQ\\Titan Quest\\Titan Quest.exe"=

"C:\\Program Files\\THQ\\Titan Quest Immortal Throne\\Tqit.exe"=

"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Program Files\\City Interactive\\America's Secret Operations\\System\\Combat.exe"=

"C:\\Documents and Settings\\Administrator\\Application Data\\GarageGames\\IAPlayer\\products\\7000\\install\\Zap.exe"=

"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

"C:\\Program Files\\Soldier of Fortune II - Double Helix\\SoF2MP.exe"=

"C:\\Program Files\\Microsoft Games\\Age of Empires\\Empires.exe"=

"C:\\Program Files\\Microsoft Games\\Halo\\Halo.exe"=

"C:\\Program Files\\LimeWire\\LimeWire.exe"=

"C:\\WINDOWS\\system32\\PnkBstrA.exe"=

"C:\\WINDOWS\\system32\\PnkBstrB.exe"=

"C:\\Documents and Settings\\Administrator\\Application Data\\GarageGames\\IAPlayer\\products\\5000\\install\\ScrewjumperPC.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\Xfire\\Xfire.exe"=

S3 Boonty Games;Boonty Games;"C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe" [2008-01-06 11:00]

S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 12:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]

\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{276cc37c-a1c3-11dc-89c4-001635a7c1a1}]

\Shell\AutoRun\command - J:\LaunchU3.exe

*Newly Created Service* - CATCHME

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-08 16:24:23

Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

Voltooingstijd: 2008-06-08 16:25:00

ComboFix-quarantined-files.txt 2008-06-08 14:24:54

Pre-Run: 36,100,444,160 bytes beschikbaar

Post-Run: 36,101,386,240 bytes beschikbaar

179 --- E O F --- 2008-05-28 20:52:48

now hjackthis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:29:35, on 8/06/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\oodag.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE

C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe

C:\Program Files\Softwin\BitDefender10\bdagent.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\WINDOWS\system32\oodtray.exe

C:\Program Files\Spector Photo Software\Agent.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Back2zip\Back2zip.exe

C:\Program Files\Xfire\Xfire.exe

C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe

C:\Program Files\Softwin\BitDefender10\vsserv.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE