
ComboFix guidance required. (NL-if possible :))


12 replies to this topic

#1 Archeon

Archeon

  • Members
  • 6 posts

Posted 18 March 2010 - 11:27 AM

Hi,


I was unable to open any of my hard drives by double clicking; I could only open them with right-click > Explorer.
I received the following error: C:\resycled\boot.com is geen geldige Win32-toepassing

I looked for a solution and came across ComboFix. I finished the ComboFix scan and received the following log:

ComboFix 10-03-17.07 - Archeon 18/03/2010 16:00:48.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.31.1043.18.2047.1625 [GMT 1:00]
Gestart vanuit: c:\documents and settings\Archeon\Bureaublad\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Nieuw herstelpunt werd aangemaakt
* Aanwezig AV is actief

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\Archeon\Menu Start\Programma's\videosoft
C:\resycled
c:\resycled\boot.com
c:\windows\system32\drivers\msqpdxixwwwyjk.sys
c:\windows\system32\drivers\msqpdxwfdivpab.sys
c:\windows\system32\drivers\msqpdxwqqpkrow.sys
c:\windows\system32\drivers\msqpdxxmkdvjba.sys
c:\windows\system32\drivers\msqpdxyigkdiuq.sys
c:\windows\system32\drivers\msqpdxytkallhd.sys
c:\windows\system32\msqpdxdxdqjuek.dll
E:\Autorun.inf
E:\resycled
e:\resycled\boot.com
F:\Autorun.inf
F:\resycled
f:\resycled\boot.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_msqpdxserv.sys
-------\Legacy_msqpdxserv.sys


(((((((((((((((((((( Bestanden Gemaakt van 2010-02-18 to 2010-03-18 ))))))))))))))))))))))))))))))
.

2010-03-18 14:33 . 2005-08-18 09:52 93568 ----a-r- c:\windows\system32\drivers\nvata_2.sys
2010-03-09 17:27 . 2010-03-09 17:27 -------- d-----w- c:\documents and settings\Archeon\Application Data\dvdcss
2010-03-06 14:21 . 2010-03-18 12:04 -------- d-----w- c:\documents and settings\Archeon\Tracing
2010-03-06 14:08 . 2010-03-06 14:08 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-06 14:07 . 2010-03-06 14:07 -------- d-----w- c:\program files\Microsoft
2010-03-06 14:07 . 2010-03-06 14:07 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-06 14:07 . 2010-03-06 14:08 -------- d-----w- c:\program files\Windows Live
2010-03-06 14:01 . 2010-03-06 14:01 -------- d-----w- c:\program files\Common Files\Windows Live

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-18 15:07 . 2007-03-20 19:23 5721888 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-03-18 14:56 . 2007-03-20 19:23 79616 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-03-18 14:48 . 2010-03-18 14:49 239104 ----a-w- c:\windows\Internet Logs\xDB157.tmp
2010-03-16 12:53 . 2010-03-16 12:55 1619456 ----a-w- c:\windows\Internet Logs\xDB156.tmp
2010-03-16 12:53 . 2010-03-16 12:55 273408 ----a-w- c:\windows\Internet Logs\xDB155.tmp
2010-03-14 10:14 . 2010-03-14 10:15 1615872 ----a-w- c:\windows\Internet Logs\xDB154.tmp
2010-03-14 10:14 . 2010-03-14 10:15 908288 ----a-w- c:\windows\Internet Logs\xDB153.tmp
2010-03-08 09:42 . 2006-09-29 20:09 -------- d-----w- c:\program files\Eidos Interactive
2010-03-06 17:47 . 2010-03-06 17:47 64497 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2010_03_06_15_21_08_small.dmp.zip
2010-03-06 17:47 . 2010-03-06 17:47 62461 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2010_03_06_15_21_07_small.dmp.zip
2010-03-06 14:20 . 2006-08-15 22:41 65256 ----a-w- c:\documents and settings\Archeon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-06 13:47 . 2010-03-06 13:54 1587712 ----a-w- c:\windows\Internet Logs\xDB152.tmp
2010-03-06 13:46 . 2006-08-15 22:40 4212 ---h--w- c:\windows\system32\zllictbl.dat
2010-03-06 13:14 . 2010-03-06 13:46 60416 ----a-w- c:\windows\Internet Logs\xDB151.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Steam"="c:\program files\valve\steam\steam.exe" [2010-03-05 1217872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SoundMan"="SOUNDMAN.EXE" [2005-10-24 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"nwiz"="nwiz.exe" [2006-08-11 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"Adobe Photo Downloader"="f:\adobe\3.0\Apps\apdproxy.exe" [2005-07-14 57344]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 919016]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-08 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Archeon\Menu Start\Programma's\Opstarten\
PowerReg Scheduler V3.exe [2007-8-18 225280]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Reader Snelle start.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\World of Warcraft\\WoW-1.11.0-enGB-downloader.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [15/08/2006 22:19 5248]
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [8/06/2007 23:51 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [8/06/2007 23:51 5248]
R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [9/05/2005 0:03 16640]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [15/08/2006 22:19 160640]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.thottbot.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-18 16:07
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2010-03-18 16:08:41
ComboFix-quarantined-files.txt 2010-03-18 15:08

Pre-Run: 2.465.849.344 bytes beschikbaar
Post-Run: 2.948.108.288 bytes beschikbaar

WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1D01270538285B7BB2A50CBE700D8E44
---------------------------------------------------------------------------------------------------------------------------------------

Can you please tell me if there's anything else that I should do?

Thanks.

Edited by elise025, 18 March 2010 - 12:29 PM.
Since a log is posted, I am moving this from the XP forum to a more appropriate place ~ Elise




#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,065 posts
  • Gender:Female
  • Location:Romania

Posted 18 March 2010 - 12:48 PM

Since you requested Dutch help if possible, please let me know if you are able to follow English instructions (you can always ask questions in Dutch or ask for a translation if necessary).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 Archeon

Archeon
  • Topic Starter

  • Members
  • 6 posts

Posted 18 March 2010 - 01:00 PM

Hi Elise,

No, I can follow English instructions.
If you require me to translate my log, please let me know.

Thanks.

Edited by Archeon, 18 March 2010 - 01:01 PM.


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,065 posts
  • Gender:Female
  • Location:Romania

Posted 18 March 2010 - 01:13 PM

No need to translate the log, I am a native Dutch speaker :)

Please let me know what problems you are still having after running Combofix.

For the record, just one note: It's NOT recommended to run Combofix on your own. This is a pretty powerful tool that can do quite some damage on your system. Its intended use is only under guidance of a trained helper.

regards, Elise




#5 Archeon

Archeon
  • Topic Starter

  • Members
  • 6 posts

Posted 19 March 2010 - 06:57 AM

Elise,


Thanks for the advice, guess I might be lucky that it did not destroy my PC :P
Atm my initial problem is solved (my hard drives are opening fine).
I found guidance on how to use Combofix on your website, followed the instructions and posted my log onto this forum as asked in the instruction manual.

So I would only like someone to have a quick look at the log I added and check if everything looks fine; I looked at it but I can't make heads or tails of it :).


Regards,

Edited by Archeon, 19 March 2010 - 07:08 AM.


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,065 posts
  • Gender:Female
  • Location:Romania

Posted 19 March 2010 - 09:55 AM

Well, to see if anything is left, we need to see a bit more information.

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise




#7 Archeon

Archeon
  • Topic Starter

  • Members
  • 6 posts

Posted 19 March 2010 - 01:21 PM

As requested:

OTL.txt:

OTL logfile created on: 19/03/2010 19:17:00 - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Archeon\Bureaublad
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000813 | Country: België | Language: NLB | Date Format: d/MM/yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 63,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 83,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19,53 Gb Total Space | 0,68 Gb Free Space | 3,49% Space Free | Partition Type: NTFS
Drive D: | 587,15 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
Drive E: | 48,83 Gb Total Space | 2,43 Gb Free Space | 4,97% Space Free | Partition Type: NTFS
Drive F: | 80,68 Gb Total Space | 45,89 Gb Free Space | 56,89% Space Free | Partition Type: NTFS
Drive G: | 550,54 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: Archeon
Current User Name: Archeon
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/19 19:16:04 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Archeon\Bureaublad\OTL.exe
PRC - [2010/03/19 17:58:23 | 000,471,664 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Archeon\Local Settings\temp\Google Toolbar\gtb177.tmp.exe
PRC - [2010/03/05 20:07:44 | 001,217,872 | ---- | M] (Valve Corporation) -- C:\Program Files\Valve\Steam\steam.exe
PRC - [2009/09/30 19:58:42 | 000,026,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2007/11/14 16:05:06 | 000,919,016 | ---- | M] (Zone Labs, LLC) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2007/11/14 16:05:06 | 000,075,304 | ---- | M] (Zone Labs, LLC) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2007/09/11 21:09:16 | 000,135,168 | ---- | M] () -- C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
PRC - [2007/06/13 14:24:02 | 001,036,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/10/24 07:45:16 | 000,090,112 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe
PRC - [2005/10/18 14:00:10 | 000,241,152 | ---- | M] (ASUSTeK COMPUTER INC.) -- C:\WINDOWS\ATKKBService.exe
PRC - [2005/07/14 15:09:50 | 000,057,344 | ---- | M] (Adobe Systems Incorporated) -- F:\Adobe\3.0\Apps\apdproxy.exe
PRC - [2004/08/22 16:05:02 | 000,081,920 | ---- | M] (DAEMON'S HOME) -- C:\Program Files\D-Tools\daemon.exe


========== Modules (SafeList) ==========

MOD - [2010/03/19 19:16:04 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Archeon\Bureaublad\OTL.exe
MOD - [2006/08/25 16:51:53 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2008/07/09 08:44:10 | 000,026,488 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\spupdsvc.exe -- (spupdsvc)
SRV - [2007/11/14 16:05:06 | 000,075,304 | ---- | M] (Zone Labs, LLC) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2005/10/18 14:00:10 | 000,241,152 | ---- | M] (ASUSTeK COMPUTER INC.) [Auto | Running] -- C:\WINDOWS\ATKKBService.exe -- (ATKKeyboardService)


========== Driver Services (SafeList) ==========

DRV - [2008/03/07 00:02:07 | 000,051,176 | ---- | M] (Zone Labs, LLC) [Kernel | Boot | Running] -- C:\WINDOWS\system32\ZoneLabs\srescan.sys -- (srescan)
DRV - [2007/11/14 16:05:16 | 000,394,952 | ---- | M] (Zone Labs, LLC) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2007/07/19 15:10:28 | 000,127,768 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2007/04/11 15:33:14 | 000,028,688 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2007/04/11 15:33:06 | 000,079,376 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE)
DRV - [2007/04/11 15:32:58 | 000,036,112 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2007/04/11 15:32:52 | 000,034,832 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2007/04/11 15:32:38 | 000,063,248 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042mou.Sys -- (L8042mou)
DRV - [2007/04/11 15:32:30 | 000,020,496 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2006/08/11 20:42:42 | 003,958,496 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/02/08 09:26:00 | 000,011,264 | R--- | M] (ASUSTeK Computer Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\EIO.sys -- (EIO)
DRV - [2005/10/26 09:08:26 | 003,786,944 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/10/18 14:01:38 | 000,011,008 | ---- | M] (ASUSTeK COMPUTER INC.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\atkkbnt.sys -- (asuskbnt)
DRV - [2005/08/18 10:52:06 | 000,093,568 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2005/05/09 00:06:23 | 000,010,240 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvmpu401.sys -- (nvmpu401) Service for NVIDIA® nForce™
DRV - [2005/05/09 00:03:17 | 000,089,856 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2005/05/09 00:03:17 | 000,016,640 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvcchflt.sys -- (nvcchflt)
DRV - [2005/04/05 20:22:30 | 000,012,928 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/04/05 20:22:28 | 000,033,536 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/03/09 14:53:00 | 000,043,008 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2004/08/22 15:31:48 | 000,005,248 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\d347prt.sys -- (d347prt)
DRV - [2004/08/22 15:31:10 | 000,155,136 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\d347bus.sys -- (d347bus)
DRV - [2004/08/13 03:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/08/04 00:08:22 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2004/04/30 08:37:02 | 000,160,640 | ---- | M] ( ) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\a347bus.sys -- (a347bus)
DRV - [2004/04/30 08:33:00 | 000,005,248 | ---- | M] ( ) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\a347scsi.sys -- (a347scsi)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1004336348-2147254105-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.thottbot.com/
IE - HKU\S-1-5-21-1004336348-2147254105-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1004336348-2147254105-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2001/09/07 12:00:00 | 000,000,776 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Help bij koppelingen) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (ST) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
O2 - BHO: (MSNToolBandBHO) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\nl\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (MSN) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\nl\msntb.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1004336348-2147254105-839522115-1003\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar3.dll (Google Inc.)
O3 - HKU\S-1-5-21-1004336348-2147254105-839522115-1003\..\Toolbar\WebBrowser: (MSN) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\nl\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe Photo Downloader] F:\Adobe\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [DAEMON Tools-1033] C:\Program Files\D-Tools\daemon.exe (DAEMON'S HOME)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
O4 - HKU\S-1-5-21-1004336348-2147254105-839522115-1003..\Run: [Steam] c:\program files\valve\steam\steam.exe (Valve Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Windows Live Messenger.lnk = C:\WINDOWS\Installer\{9816B8B8-4B53-4D3D-9235-AD931252001D}\MsblIco.Exe File not found
O4 - Startup: C:\Documents and Settings\Archeon\Menu Start\Programma's\Opstarten\PowerReg Scheduler V3.exe (Leader Technologies)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRemoteRecursiveEvents = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LockTaskbar = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LockTaskbar = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LockTaskbar = 0
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LockTaskbar = 0
O7 - HKU\S-1-5-21-1004336348-2147254105-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1004336348-2147254105-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1004336348-2147254105-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LockTaskbar = 0
O7 - HKU\S-1-5-21-1004336348-2147254105-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1004336348-2147254105-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Plugin Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 195.130.131.131 195.130.130.3
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Mijn huidige introductiepagina) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Archeon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Archeon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/08/15 22:12:19 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2002/03/18 11:43:43 | 000,000,049 | R--- | M] () - D:\Autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2002/03/13 17:53:04 | 000,040,960 | R--- | M] () - D:\autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2005/05/19 00:59:05 | 000,000,228 | R--- | M] () - G:\Autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2005/07/06 00:05:52 | 001,019,904 | R--- | M] (Microsoft Corporation) - G:\autorun.exe -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/19 19:15:59 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Archeon\Bureaublad\OTL.exe
[2010/03/19 18:16:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\KB905474
[2010/03/19 18:13:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2010/03/19 18:00:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/03/18 18:00:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2010/03/18 17:41:15 | 000,274,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll
[2010/03/18 17:41:15 | 000,017,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui
[2010/03/18 15:33:47 | 000,093,568 | R--- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\drivers\nvata_2.sys
[2010/03/18 15:32:56 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/03/18 14:13:54 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/18 14:13:54 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/18 14:13:54 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/18 14:13:54 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/18 14:11:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/18 14:09:49 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/03/18 14:09:36 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/18 13:58:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Archeon\Bureaublad\Combofix
[2010/03/09 18:27:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Archeon\Application Data\dvdcss
[2010/03/06 15:21:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Archeon\Tracing
[2010/03/06 15:08:54 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2010/03/06 15:07:50 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2010/03/06 15:07:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documenten\microsoft
[2010/03/06 15:07:36 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2010/03/06 15:07:17 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2010/03/06 15:01:01 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2007/08/22 18:10:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/06/08 23:51:27 | 000,155,136 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347bus.sys
[2007/06/08 23:51:27 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\d347prt.sys
[2006/08/15 22:19:55 | 000,160,640 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347bus.sys
[2006/08/15 22:19:55 | 000,005,248 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\a347scsi.sys
[2006/08/15 22:18:27 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2006/08/15 22:18:24 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[49 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/19 19:16:05 | 006,883,104 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/03/19 19:16:04 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Archeon\Bureaublad\OTL.exe
[2010/03/19 18:23:44 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/19 18:21:34 | 000,000,796 | ---- | M] () -- C:\rollback.ini
[2010/03/19 18:16:22 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/03/19 18:11:59 | 000,000,150 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf
[2010/03/19 18:06:40 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/18 18:57:10 | 000,080,576 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/03/18 18:56:59 | 000,355,092 | -H-- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/03/18 18:56:43 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/18 18:56:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/18 18:55:12 | 000,089,480 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/03/18 18:55:07 | 004,718,592 | -H-- | M] () -- C:\Documents and Settings\Archeon\NTUSER.DAT
[2010/03/18 18:55:07 | 000,000,288 | -HS- | M] () -- C:\Documents and Settings\Archeon\ntuser.ini
[2010/03/18 16:07:12 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/18 15:33:01 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/03/18 13:59:25 | 003,894,152 | R--- | M] () -- C:\Documents and Settings\Archeon\Bureaublad\ComboFix.exe
[2010/03/18 12:35:01 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/15 17:17:15 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/12 18:02:38 | 000,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/03/09 14:32:14 | 000,015,360 | ---- | M] () -- C:\Documents and Settings\Archeon\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/08 10:52:50 | 000,000,900 | ---- | M] () -- C:\Documents and Settings\Archeon\Bureaublad\Blood Omen 2.lnk
[2010/03/07 16:40:24 | 000,000,023 | ---- | M] () -- C:\WINDOWS\BlendSettings.ini
[2010/03/06 18:39:42 | 000,247,904 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/06 15:20:56 | 000,065,256 | ---- | M] () -- C:\Documents and Settings\Archeon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/06 15:08:34 | 000,000,956 | ---- | M] () -- C:\Documents and Settings\Archeon\Mijn documenten\Mijn Gedeelde Mappen.lnk
[2010/03/06 14:54:30 | 000,002,345 | ---- | M] () -- C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Windows Live Messenger.lnk
[2010/03/06 14:46:55 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/03/05 20:07:45 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2010/03/05 20:07:45 | 000,000,232 | -H-- | M] () -- C:\sqmdata12.sqm
[49 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/19 18:16:21 | 000,000,260 | ---- | C] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/03/19 18:11:59 | 000,000,150 | ---- | C] () -- C:\WINDOWS\System32\spupdsvc.inf
[2010/03/18 15:33:01 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/03/18 15:32:57 | 000,261,936 | ---- | C] () -- C:\cmldr
[2010/03/18 14:13:54 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/18 14:13:54 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/18 14:13:54 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/18 14:13:54 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/18 14:13:54 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/03/18 13:59:25 | 003,894,152 | R--- | C] () -- C:\Documents and Settings\Archeon\Bureaublad\ComboFix.exe
[2010/03/08 10:52:50 | 000,000,900 | ---- | C] () -- C:\Documents and Settings\Archeon\Bureaublad\Blood Omen 2.lnk
[2010/03/05 20:07:45 | 000,000,244 | -H-- | C] () -- C:\sqmnoopt12.sqm
[2010/03/05 20:07:45 | 000,000,232 | -H-- | C] () -- C:\sqmdata12.sqm
[2008/10/28 17:40:48 | 000,173,552 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2007/10/19 17:54:36 | 000,000,169 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2007/06/09 01:28:10 | 000,000,280 | ---- | C] () -- C:\WINDOWS\vtmb.ini
[2007/04/23 01:15:29 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/04/23 01:01:47 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2006/10/04 20:16:45 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2006/09/01 20:08:57 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/09/01 19:54:05 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Archeon\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/08/20 04:30:01 | 000,125,694 | ---- | C] () -- C:\Documents and Settings\Archeon\Application Data\Cosmos Prefs
[2006/08/15 23:40:33 | 000,796,584 | ---- | C] () -- C:\WINDOWS\System32\libeay32_0.9.6l.dll
[2006/08/15 22:34:58 | 000,046,592 | ---- | C] () -- C:\WINDOWS\System32\asfrench.dll
[2006/08/15 22:34:58 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\asrussian.dll
[2006/08/15 22:34:58 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\asgerman.dll
[2006/08/15 22:34:58 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\aseng.dll
[2006/08/15 22:34:58 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\askorean.dll
[2006/08/15 22:34:58 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\asjapan.dll
[2006/08/15 22:34:58 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\ASCHT.dll
[2006/08/15 22:34:58 | 000,045,568 | ---- | C] () -- C:\WINDOWS\System32\aschs.dll
[2006/08/15 22:34:58 | 000,010,496 | ---- | C] () -- C:\WINDOWS\System32\ATKOSDMini.DLL
[2006/08/15 22:34:58 | 000,000,018 | ---- | C] () -- C:\WINDOWS\System32\atkid.ini
[2006/08/15 22:30:40 | 000,157,184 | R--- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2006/08/15 22:30:35 | 000,000,164 | R--- | C] () -- C:\WINDOWS\avrack.ini
[2006/08/15 22:28:43 | 000,000,269 | R--- | C] () -- C:\WINDOWS\System32\raidmgmt.ini
[2006/08/15 22:28:21 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2006/08/15 22:28:20 | 000,005,549 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2006/08/15 22:28:19 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2006/08/15 22:22:04 | 000,000,395 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/02/13 14:05:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/02/13 14:05:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/02/13 14:05:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/02/13 14:05:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/02/13 14:05:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/02/13 14:05:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/02/13 14:05:00 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2004/08/22 16:04:56 | 000,069,120 | ---- | C] () -- C:\WINDOWS\daemon.dll
[2003/04/07 12:10:22 | 000,005,443 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
< End of report >


As requested,

Extras.txt

OTL Extras logfile created on: 19/03/2010 19:17:00 - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Archeon\Bureaublad
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000813 | Country: België | Language: NLB | Date Format: d/MM/yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 63,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 83,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19,53 Gb Total Space | 0,68 Gb Free Space | 3,49% Space Free | Partition Type: NTFS
Drive D: | 587,15 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
Drive E: | 48,83 Gb Total Space | 2,43 Gb Free Space | 4,97% Space Free | Partition Type: NTFS
Drive F: | 80,68 Gb Total Space | 45,89 Gb Free Space | 56,89% Space Free | Partition Type: NTFS
Drive G: | 550,54 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: Archeon
Current User Name: Archeon
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- F:\VLC Media player\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- F:\VLC Media player\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"E:\World of Warcraft\WoW-1.11.0-enGB-downloader.exe" = E:\World of Warcraft\WoW-1.11.0-enGB-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe" = C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:TrueVector Service -- (Zone Labs, LLC)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- ()
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam™
"{10F5387D-1728-423A-A578-B00982CF2646}" = Windows Live Messenger
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1BD6AE96-4742-4498-9D03-9451C7E5A214}" = Windows Live aanmeldhulp
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live - Hulpprogramma voor uploaden
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23D683DD-93C6-48E6-B84E-78B57778F126}" = Oblivion - Construction Set
"{259C0ABB-A3B2-4D70-008F-BF7EE491B70B}" = Need for Speed™ Carbon
"{2869F5EA-93C3-48E5-80DF-DB696BC84A91}" = Windows Live Mail
"{2A8F82E8-7B86-4AFD-BFBC-2BA4C2CF52DB}" = Windows Live Call
"{315ACD04-BCEB-478B-9B1D-5431D0E6CB11}" = ASUS Enhanced Display Driver
"{350C9413-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}" = DAEMON Tools
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{562B9CA4-6E52-4F87-ACEC-912FC004F1F0}" = Windows Live Essentials
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7C503E58-B2BC-11D5-978A-0050BA84F5F7}" = Neverwinter Nights
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90110413-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Editie 2003
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{974C4B12-4D02-4879-85E0-61C95CC63E9E}" = Fallout 3
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A563C4F4-BE36-4956-BA0B-E02BDD9F70D5}" = Dungeon Siege 2 Broken World
"{AC76BA86-7AD7-1043-7B44-A80000000000}" = Adobe Reader 8 - Nederlands
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C151CE54-E7EA-4804-854B-F515368B0798}" = Athlon 64 Processor Driver
"{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}" = Fable - The Lost Chapters
"{C4E2A4A7-B623-40CB-8EEA-72F577E49D56}" = Vampire - The Masquerade Bloodlines
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D45EC259-4A19-4656-B588-C2C360DD18EA}" = Half-Life® 2
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E9F81423-211E-46B6-9AE0-38568BC5CF6F}" = Alcohol 120%
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT-uitbreiding voor de wizard Cd branden van Microsoft Windows XP
"{FD052FB9-FE90-4438-B355-15EDC89D8FB1}" = Microsoft Games for Windows - LIVE Redistributable
"7-Zip" = 7-Zip 4.42
"Blood Omen 2" = Blood Omen 2
"Crimsonland_is1" = Crimsonland
"InstallShield_{3C3B2C97-0DAB-482F-9C95-6610827210E3}" = ASUS nVIDIA Driver
"InstallShield_{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}" = Fable - The Lost Chapters
"InstallShield_{C4E2A4A7-B623-40CB-8EEA-72F577E49D56}" = Vampire - The Masquerade Bloodlines
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Toolbar" = MSN Toolbar
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"NVIDIA Drivers" = NVIDIA Drivers
"Oblivion mod manager_is1" = Oblivion mod manager 1.1.5
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"VLC media player" = VLC media player 0.9.8a
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WinAce Archiver" = WinAce Archiver
"WinAce Archiver 2.0" = WinAce Archiver 2.0
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoneAlarm Security Suite" = ZoneAlarm Security Suite

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1004336348-2147254105-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"2bfd8a5fdb477580" = WoWgasmic Launcher
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/03/2010 9:10:52 | Computer Name = Archeon | Source = Application Error | ID = 1000
Description = Vastgelopen toepassing: oblivion.exe, versie: 0.1.0.228, vastgelopen
module: oblivion.exe, versie: 0.1.0.228, vastgelopen op: 0x0009332a.

Error - 9/03/2010 8:45:22 | Computer Name = Archeon | Source = Application Error | ID = 1000
Description = Vastgelopen toepassing: bo2.exe, versie: 0.0.0.0, vastgelopen module:
bo2.exe, versie: 0.0.0.0, vastgelopen op: 0x0030e1ee.

Error - 15/03/2010 6:01:24 | Computer Name = Archeon | Source = Application Error | ID = 1000
Description = Vastgelopen toepassing: nfsc.exe, versie: 0.0.0.0, vastgelopen module:
nfsc.exe, versie: 0.0.0.0, vastgelopen op: 0x0029cf41.

Error - 15/03/2010 6:51:44 | Computer Name = Archeon | Source = Application Error | ID = 1000
Description = Vastgelopen toepassing: nfsc.exe, versie: 0.0.0.0, vastgelopen module:
nfsc.exe, versie: 0.0.0.0, vastgelopen op: 0x0029d0fd.

Error - 15/03/2010 8:15:31 | Computer Name = Archeon | Source = Application Error | ID = 1000
Description = Vastgelopen toepassing: nfsc.exe, versie: 0.0.0.0, vastgelopen module:
nfsc.exe, versie: 0.0.0.0, vastgelopen op: 0x0029cf41.

Error - 15/03/2010 9:15:37 | Computer Name = Archeon | Source = Application Error | ID = 1000
Description = Vastgelopen toepassing: nfsc.exe, versie: 0.0.0.0, vastgelopen module:
nfsc.exe, versie: 0.0.0.0, vastgelopen op: 0x0029d0fd.

Error - 15/03/2010 10:09:20 | Computer Name = Archeon | Source = Application Error | ID = 1000
Description = Vastgelopen toepassing: nfsc.exe, versie: 0.0.0.0, vastgelopen module:
nfsc.exe, versie: 0.0.0.0, vastgelopen op: 0x0029cf8f.

Error - 19/03/2010 10:47:02 | Computer Name = Archeon | Source = Application Error | ID = 1000
Description = Vastgelopen toepassing: nfsc.exe, versie: 0.0.0.0, vastgelopen module:
nfsc.exe, versie: 0.0.0.0, vastgelopen op: 0x0029ceb1.

Error - 19/03/2010 11:19:19 | Computer Name = Archeon | Source = crypt32 | ID = 131083
Description = Het uitpakken van een basislijst uit de cab voor automatische updates
is mislukt op <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
met de fout: Een vereist certificaat valt niet binnen de geldigheidsperiode als
gekeken wordt naar de huidige systeemklok of de tijdstempel in het ondertekende
bestand.

Error - 19/03/2010 11:19:19 | Computer Name = Archeon | Source = crypt32 | ID = 131083
Description = Het uitpakken van een basislijst uit de cab voor automatische updates
is mislukt op <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
met de fout: Een vereist certificaat valt niet binnen de geldigheidsperiode als
gekeken wordt naar de huidige systeemklok of de tijdstempel in het ondertekende
bestand.

[ System Events ]
Error - 6/03/2010 9:46:48 | Computer Name = Archeon | Source = W32Time | ID = 39452689
Description = Tijdprovider/NtpClient: er is een onverwachte fout opgetreden tijdens
de DNS-lookup van de handmatig geconfigureerde peer time.windows.com,0x1. NtpClient
probeert een nieuwe DNS-lookup in 15 minuten. De fout is: Er is geprobeerd een socketbewerking
uit te voeren op een onbereikbare host. (0x8007275

Error - 6/03/2010 9:46:48 | Computer Name = Archeon | Source = W32Time | ID = 39452701
Description = De tijdsprovider NtpClient is geconfigureerd om de tijd uit een of
meer tijdsbronnen te halen. Geen van deze bronnen zijn echter toegankelijk. Er worden
geen nieuwe pogingen gedaan gedurende 14 minuten. De tijdservice heeft geen nauwkeurige
tijdsbron.

Error - 6/03/2010 9:46:48 | Computer Name = Archeon | Source = W32Time | ID = 39452689
Description = Tijdprovider/NtpClient: er is een onverwachte fout opgetreden tijdens
de DNS-lookup van de handmatig geconfigureerde peer time.windows.com,0x1. NtpClient
probeert een nieuwe DNS-lookup in 15 minuten. De fout is: Er is geprobeerd een socketbewerking
uit te voeren op een onbereikbare host. (0x8007275

Error - 6/03/2010 9:46:48 | Computer Name = Archeon | Source = W32Time | ID = 39452701
Description = De tijdsprovider NtpClient is geconfigureerd om de tijd uit een of
meer tijdsbronnen te halen. Geen van deze bronnen zijn echter toegankelijk. Er worden
geen nieuwe pogingen gedaan gedurende 15 minuten. De tijdservice heeft geen nauwkeurige
tijdsbron.

Error - 8/03/2010 5:53:25 | Computer Name = Archeon | Source = Cdrom | ID = 262151
Description = Beschadigd blok in apparaat \Device\CdRom0.

Error - 8/03/2010 11:20:08 | Computer Name = Archeon | Source = Windows Update Agent | ID = 16
Description = Kan geen verbinding maken: Windows kan geen verbinding met de service
Automatische updates maken. Hierdoor kunnen updates niet volgens planning worden
gedownload en geïnstalleerd. Windows gaat door met pogingen om een verbinding tot
stand te brengen.

Error - 10/03/2010 11:20:08 | Computer Name = Archeon | Source = Windows Update Agent | ID = 16
Description = Kan geen verbinding maken: Windows kan geen verbinding met de service
Automatische updates maken. Hierdoor kunnen updates niet volgens planning worden
gedownload en geïnstalleerd. Windows gaat door met pogingen om een verbinding tot
stand te brengen.

Error - 12/03/2010 11:20:09 | Computer Name = Archeon | Source = Windows Update Agent | ID = 16
Description = Kan geen verbinding maken: Windows kan geen verbinding met de service
Automatische updates maken. Hierdoor kunnen updates niet volgens planning worden
gedownload en geïnstalleerd. Windows gaat door met pogingen om een verbinding tot
stand te brengen.

Error - 14/03/2010 11:20:10 | Computer Name = Archeon | Source = Windows Update Agent | ID = 16
Description = Kan geen verbinding maken: Windows kan geen verbinding met de service
Automatische updates maken. Hierdoor kunnen updates niet volgens planning worden
gedownload en geïnstalleerd. Windows gaat door met pogingen om een verbinding tot
stand te brengen.

Error - 16/03/2010 13:38:42 | Computer Name = Archeon | Source = Windows Update Agent | ID = 16
Description = Kan geen verbinding maken: Windows kan geen verbinding met de service
Automatische updates maken. Hierdoor kunnen updates niet volgens planning worden
gedownload en geïnstalleerd. Windows gaat door met pogingen om een verbinding tot
stand te brengen.


< End of report >

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,065 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:35 AM

Posted 19 March 2010 - 01:38 PM

Hello Archeon,

P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please include the following:
  • MBAM log

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#9 Archeon

Archeon
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:35 AM

Posted 22 March 2010 - 07:03 AM

Elise,

Sorry for the delay.

Scan results:

Malwarebytes' Anti-Malware 1.44
Database versie: 3888
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

22/03/2010 13:01:15
mbam-log-2010-03-22 (13-01-15).txt

Scan type: Volledige Scan (C:\|E:\|F:\|)
Objecten gescand: 224764
Verstreken tijd: 38 minute(s), 26 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 1
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 4

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> Quarantined and deleted successfully.

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen ge´nfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden ge´nfecteerd:
C:\Documents and Settings\Archeon\Bureaublad\Razor1911\Keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\msqpdxdxdqjuek.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinUpdatePatch\patch.exe (Trojan.Wgapatch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinUpdatePatch\twk-winupdatepatch.exe (Trojan.Wgapatch) -> Quarantined and deleted successfully.


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,065 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:35 AM

Posted 22 March 2010 - 07:22 AM

QUOTE
C:\WINDOWS\system32\WinUpdatePatch\patch.exe (Trojan.Wgapatch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinUpdatePatch\twk-winupdatepatch.exe (Trojan.Wgapatch) -> Quarantined and deleted successfully.
These two files are an indication that you are using a pirated version of Windows. Besides the fact that this is illegal, it's not recommended because it's a major security vulnerability. Not being able to install all Windows updates leaves you open to malware attacks.

I recommend you purchase a valid license key for Windows, or if you want to stay with freeware, you can orientate yourself towards free Linux OSes.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  12. Push the button.
  13. Push

regards, Elise




#11 Archeon

Archeon
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:35 AM

Posted 23 March 2010 - 03:09 AM

C:\Qoobox\Quarantine\C\autorun.inf.vir Win32/AutoRun.Agent.BE worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\msqpdxixwwwyjk.sys.vir a variant of Win32/Olmarik.FQ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\msqpdxwfdivpab.sys.vir a variant of Win32/Olmarik.FQ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\msqpdxwqqpkrow.sys.vir a variant of Win32/Olmarik.FQ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\msqpdxxmkdvjba.sys.vir a variant of Win32/Olmarik.FQ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\msqpdxyigkdiuq.sys.vir a variant of Win32/Olmarik.FQ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\msqpdxytkallhd.sys.vir a variant of Win32/Olmarik.FQ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\E\autorun.inf.vir INF/Autorun virus deleted - quarantined
C:\Qoobox\Quarantine\F\autorun.inf.vir Win32/AutoRun.Agent.BE worm cleaned by deleting - quarantined
E:\Crimsonland\CrimsonlandSetup.exe a variant of Win32/FenomenGame application cleaned by deleting - quarantined
F:\screensaver PP\nwn\neverwinter_nights_hordes_of_the_underdark_trainer_3.rar probably a variant of Win32/Agent trojan deleted - quarantined
F:\screensaver PP\nwn\neverwinter_nights_hordes_of_the_underdark_trainer_3\trainer\trainer.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined

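The ESET log above shows autorun.inf on the roots of C:, E: and F:, and the first post's symptom (double-clicking a drive tried to run C:\resycled\boot.com) is exactly what such a file produces: Windows XP of that era read the [autorun] section at a drive's root and honoured its open=, shellexecute= and shell\<verb>\command= entries, so the worm's payload replaced Explorer's Open and Explore actions for the drive. The following is an added example, not code from this thread or from any of the tools used in it. It parses an autorun.inf the way Explorer would read it and reports which entries execute something and why they look suspicious. The two sample files are constructed for the example (they are not the real contents of the quarantined files), and the heuristics (a Recycle Bin look-alike directory name, a script or legacy executable extension, overriding the open/explore verbs) are this example's own assumptions.

```python
"""Added example, not from the thread: parse a drive-root autorun.inf and report
what double-clicking the drive would have executed. Sample texts are constructed;
the "suspicious" heuristics are this example's own assumptions."""
import os
import re
import string
from typing import Dict, List, Tuple

EXEC_KEYS = ("open", "shellexecute")                       # plain command-line keys
SHELL_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$")   # shell\<verb>\command
RECYCLER_LOOKALIKE_RE = re.compile(r"re[cs]y[cs]le", re.IGNORECASE)  # resycled, recycled, ...
RISKY_EXT = {".com", ".pif", ".scr", ".bat", ".cmd", ".vbs"}         # .exe alone is not flagged

# Constructed sample: the shape a resycled\boot.com-style worm typically writes,
# including NUL padding and a junk section after [autorun].
SAMPLE_WORM = (
    "[autorun]\r\n"
    "open=resycled\\boot.com\r\n"
    "shell\\open\\Command=resycled\\boot.com\r\n"
    "shell\\explore\\command=resycled\\boot.com\r\n"
    "shell=open\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    "\x00\x00[padding]\r\njunk=1\r\n"
)
# Constructed sample: a benign install CD.
SAMPLE_CD = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\nlabel=Product CD\n"


def parse_autorun(text: str) -> Dict[str, str]:
    """Key/value pairs of the [autorun] section, keys lower-cased.
    Everything outside [autorun] is ignored, as Windows ignores it."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.replace("\x00", "").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Entries whose value Explorer treats as a command line to run."""
    return [(k, v) for k, v in entries.items()
            if k in EXEC_KEYS or SHELL_CMD_RE.match(k)]


def target_path(command: str) -> str:
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def assess(text: str) -> List[str]:
    """Findings for one autorun.inf; an empty list means nothing looked wrong."""
    entries = parse_autorun(text)
    findings: List[str] = []
    for key, command in launch_commands(entries):
        target = target_path(command)
        filename = target.lower().rsplit("\\", 1)[-1]
        ext = "." + filename.rsplit(".", 1)[1] if "." in filename else ""
        if RECYCLER_LOOKALIKE_RE.search(target):
            findings.append(f"{key}={command}: target sits in a Recycle Bin look-alike directory")
        if ext in RISKY_EXT:
            findings.append(f"{key}={command}: target uses a script/legacy executable extension ({ext})")
    verbs = sorted(m.group(1) for m in map(SHELL_CMD_RE.match, entries)
                   if m and m.group(1) in ("open", "explore"))
    if verbs:
        findings.append("overrides Explorer verbs " + ", ".join(verbs)
                        + ": double-click / Explore on the drive runs the autorun target")
    return findings


def scan_drive_roots(roots=None) -> Dict[str, List[str]]:
    """Assess every <root>\\autorun.inf that exists; defaults to A: .. Z: on Windows."""
    if roots is None:
        roots = [f"{d}:\\" for d in string.ascii_uppercase]
    report: Dict[str, List[str]] = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, "r", encoding="latin-1", errors="replace") as fh:
                report[path] = assess(fh.read())
    return report


if __name__ == "__main__":
    for name, sample in (("constructed worm sample", SAMPLE_WORM), ("constructed CD sample", SAMPLE_CD)):
        print(name, "->", assess(sample) or ["no findings"])
    for path, findings in scan_drive_roots().items():
        print(path, "->", findings or ["no findings"])
```

Run on a live machine it reads each existing drive-root autorun.inf and prints the findings; on the constructed samples the worm file produces seven findings (the Recycle Bin look-alike and the .com extension for each of open=, shell\open\command and shell\explore\command, plus the verb override) and the CD sample produces none. Parsing the file yourself, rather than trusting a hex-editor glance, matters because droppers pad the file with NULs and decoy sections so the real [autorun] keys are easy to miss.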
#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,065 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:35 AM

Posted 23 March 2010 - 04:14 AM

Hello again,

Looks good!

UPDATE XP
--------------
Your Microsoft Windows installation is out of date. Using unpatched Windows systems on the Internet is a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update.

For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information".

Then go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.


ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete OTL
Please read this advice, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, but provide resident protection and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise




#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,065 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:06:35 AM

Posted 28 March 2010 - 11:58 AM

Since this issue seems to be resolved, this topic will now be closed.

If you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise


