svchost.exe is infected


This topic is locked
71 replies to this topic

#1 pietwijs

pietwijs


Posted 05 April 2010 - 04:17 AM

(update: oops, forgot to add the attachments)

Every five minutes or so a malicious script stalls my computer. It's C:\WINDOWS\TEMP\PUXX.TMP\SVCHOST.EXE; the Puxx* part changes with every event. It's flagged twice: first as status 1027 Generic.dx!qhq, then as status 1278 New Malware.j.

* changed directories:
C:\WINDOWS\TEMP\oivw.tmp\svchost.exe
C:\WINDOWS\TEMP\rdtf.tmp\svchost.exe
C:\WINDOWS\TEMP\nvuh.tmp\svchost.exe
C:\WINDOWS\TEMP\nglm.tmp\svchost.exe

I did all the preparation steps but step no1 5 failed. Tried to enable the firewall. Got two connections running: 1394 connection and LAN connection. Both seem connected, maybe I should bump one. When trying to enable the firewall I get the message asking if I want to start the ICS connection. When I say yes it doesn't work (can't start Windows Firewall... ICS...)

When the script is active the computer stops. I can't do anything for a few moments. You can imagine this is pretty annoying.

Now to make things even worse... while I was making the Gmer log and this post my complete system failed and rebooted out of nothing. I was doing more things at once (I always am) so a lot of information went missing. Ouch...

I really hope you can help me stabilise my machine. Reinstalling Windows isn't my speciality so I would have to bring my whole system to someone else to do that.

Thanks again...

Pete

_________________DDS log_________________________________________

DDS (Ver_10-03-17.01) - NTFSx86
Run by Windows Home at 9:54:57,51 on ma 05-04-2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.3455.2150 [GMT 2:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Adobe\Adobe Photoshop CS4\Photoshop.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\notepad.exe
H:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [YVIBBBHA8C] c:\windows\temp\Vx0.exe
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - c:\program files\mp3 player utilities 4.00\mediamanager\grab.html
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256933947960
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli manvrfgu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\window~1\applic~1\mozilla\firefox\profiles\5vdq6nzn.default\
FF - prefs.js: browser.startup.homepage - hxxp://symbaloo.com/nl
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 66632]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-9-17 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-9-17 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-9-17 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-9-17 168776]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 12872]

=============== Created Last 30 ================

2010-04-05 07:54:24 0 ----a-w- c:\documents and settings\windows home\defogger_reenable
2010-04-03 15:51:24 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-03 15:51:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-03 15:51:13 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-01 20:36:52 91648 -c--a-w- c:\windows\system32\dllcache\kswdmcap.ax
2010-04-01 20:36:52 91648 ----a-w- c:\windows\system32\kswdmcap.ax
2010-04-01 20:36:52 28672 -c--a-w- c:\windows\system32\dllcache\vidcap.ax
2010-04-01 20:36:52 28672 ----a-w- c:\windows\system32\vidcap.ax
2010-04-01 20:36:52 0 d-----w- c:\windows\OvtCam
2010-04-01 20:36:51 61952 -c--a-w- c:\windows\system32\dllcache\kstvtune.ax
2010-04-01 20:36:51 61952 ----a-w- c:\windows\system32\kstvtune.ax
2010-04-01 20:36:51 54272 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2010-04-01 20:36:51 54272 ----a-w- c:\windows\system32\vfwwdm32.dll
2010-04-01 20:36:51 43008 -c--a-w- c:\windows\system32\dllcache\ksxbar.ax
2010-04-01 20:36:51 43008 ----a-w- c:\windows\system32\ksxbar.ax
2010-04-01 20:32:10 61440 ----a-w- c:\windows\ov519dib.dll
2010-04-01 20:32:10 163072 ----a-w- c:\windows\system32\drivers\ov519vid.sys
2010-04-01 20:32:08 40960 ----a-w- c:\windows\system32\ov519ext.dll
2010-04-01 20:32:08 25211 ----a-w- c:\windows\system32\drivers\ov519cmd.sys
2010-04-01 20:32:08 25099 ----a-w- c:\windows\system32\ov519ext.ax
2010-04-01 20:32:08 16426 ----a-w- c:\windows\system32\ov519usd.dll
2010-04-01 20:32:08 135168 ----a-w- c:\windows\ov519cap.exe
2010-04-01 20:32:07 40960 ----a-w- c:\windows\CleanDev.exe
2010-04-01 20:32:07 36099 ----a-w- c:\windows\amcap.exe
2010-03-23 12:15:07 0 d--h--r- c:\documents and settings\windows home\Onlangs geopend
2010-03-22 14:04:39 5226742298 ----a-w- C:\opening2.avi
2010-03-11 19:01:50 3356 ----a-w- c:\windows\system32\wbem\Outlook_01cac14d4e3948a0.mof
2010-03-08 08:40:32 293376 ------w- c:\windows\system32\browserchoice.exe

==================== Find3M ====================

2010-04-04 07:18:17 536740 ----a-w- c:\windows\system32\perfh013.dat
2010-04-04 07:18:17 102956 ----a-w- c:\windows\system32\perfc013.dat
2010-04-03 18:59:08 61696 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-02-25 06:20:23 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 9:56:11,06 ===============


Edited by pietwijs, 05 April 2010 - 09:16 AM.



#2 pietwijs

pietwijs
  • Topic Starter


Posted 05 April 2010 - 09:53 AM

Another update. Just today, in the last couple of hours, about 100 fake directories were made, each with their own notification in my running virus scan program (McAfee).

Furthermore, my Outlook is now also stalling. I can't reply to messages or write a new email message. I really hope someone out there has the ability to help me with this most irritating and unpleasant problem.

THANKS!

#3 pietwijs

pietwijs
  • Topic Starter


Posted 05 April 2010 - 10:50 AM

Updating again as the system still works.

Does this have anything to do with the problem?

LSA: Notification Packages = scecli manvrfgu.dll

I'm getting rundll error now every 20 to 30 seconds:

An error has occurred while loading c:/windows/manvrfgu.dll

illegit access to memory location (I'm translating these last 2 lines)
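As an added example (not part of this thread and not code from the DDS tool), the following Python script triages a DDS-style log for the three indicators raised in the posts above: svchost.exe running from anywhere other than System32, Run-key autostarts pointing into a TEMP directory, and LSA Notification Packages other than the XP default scecli. The sample log is constructed from lines quoted in this thread.

```python
"""Triage a DDS-style log for the indicators discussed in this thread.

Added example, not part of the original thread or of the DDS tool. It splits
the log on its '=== Title ===' section headers, then flags:
  * svchost that is not the System32 copy (or has no path to verify),
  * [umd]Run autostart entries whose target lives under a \\temp\\ directory,
  * LSA Notification Packages other than 'scecli' (the Windows XP default).
"""
import re

# Constructed sample, assembled from lines quoted in this thread.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\TEMP\oivw.tmp\svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
dRun: [YVIBBBHA8C] c:\windows\temp\Vx0.exe
LSA: Notification Packages = scecli manvrfgu.dll

================= FIREFOX ===================
"""

KNOWN_LSA_PACKAGES = {"scecli"}  # XP default; anything else loads into lsass.exe at boot
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
SVCHOST_RE = re.compile(r"svchost(\.exe)?(\s|$)", re.IGNORECASE)
SYSTEM32_SVCHOST_RE = re.compile(r"^[a-z]:\\windows\\system32\\svchost(\.exe)?(\s|$)", re.IGNORECASE)
RUN_RE = re.compile(r"^[umd]Run:\s*\[[^\]]*\]\s*(.*)$", re.IGNORECASE)
LSA_RE = re.compile(r"^LSA:\s*Notification Packages\s*=\s*(.*)$", re.IGNORECASE)


def sections(log_text):
    """Return {section_title: [non-empty stripped lines]} keyed by the '=== Title ===' headers."""
    out, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            out[current] = []
        elif line and current is not None:
            out[current].append(line)
    return out


def flag_svchost(process_lines):
    """Flag any svchost that is not the System32 copy.

    A bare 'svchost.exe' with no path is flagged as unverifiable: the log gives
    no image path, so it cannot be confirmed as the legitimate System32 binary.
    """
    findings = []
    for line in process_lines:
        if not SVCHOST_RE.search(line) or SYSTEM32_SVCHOST_RE.match(line):
            continue
        kind = "svchost with no path (unverifiable)" if "\\" not in line else "svchost outside System32"
        findings.append((kind, line))
    return findings


def flag_temp_autostarts(hjt_lines):
    """Flag Run-key entries (uRun/mRun/dRun) whose target sits in a TEMP directory."""
    findings = []
    for line in hjt_lines:
        m = RUN_RE.match(line)
        if m and TEMP_DIR_RE.search(m.group(1)):
            findings.append(("autostart from TEMP", line))
    return findings


def flag_lsa_packages(hjt_lines):
    """Flag LSA notification packages beyond the default; each one is a DLL loaded by lsass.exe."""
    findings = []
    for line in hjt_lines:
        m = LSA_RE.match(line)
        if not m:
            continue
        for pkg in m.group(1).split():
            name = pkg.lower()
            if name.endswith(".dll"):
                name = name[:-4]
            if name not in KNOWN_LSA_PACKAGES:
                findings.append(("unknown LSA notification package", pkg))
    return findings


def triage(log_text):
    """Run all three checks over a DDS log and return a list of (kind, detail) findings."""
    s = sections(log_text)
    hjt = s.get("Pseudo HJT Report", [])
    return (flag_svchost(s.get("Running Processes", []))
            + flag_temp_autostarts(hjt)
            + flag_lsa_packages(hjt))


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

On the sample above it reports the TEMP-resident svchost, the pathless svchost.exe, the dRun entry in c:\windows\temp, and manvrfgu.dll as an unknown LSA package.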

#4 Farbar

Farbar

    Just Curious


  • Security Developer

Posted 05 April 2010 - 11:05 AM

Hi pietwijs,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about the not trusted download sites for ComboFix, click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#5 pietwijs

pietwijs
  • Topic Starter


Posted 05 April 2010 - 12:55 PM

Wow, that was kinda scary. My computer actually beeping came as a surprise. Seeing all that stuff going on in your screen and all the things the system does, it's a real question of trust.

I got a few errors during the process. The first at the install phase, telling me to download a new copy of ComboFix because the downloaded copy was altered? I think I clicked it away too soon. Couldn't see what it actually read.

Last error came after completion of the log. Also went away pretty soon. Something about not being able to access a directory? It finally produced a log though.

Thanks again for your time and effort Farbar

-------- the log

ComboFix 10-04-04.01 - Windows Home 05-04-2010 19:35:51.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.3455.2655 [GMT 2:00]
Gestart vanuit: h:\downloads\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Nieuw herstelpunt werd aangemaakt
* Aanwezig AV is actief

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Menu Start\Cool Edit Pro 2.0 .lnk
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

.
(((((((((((((((((((( Bestanden Gemaakt van 2010-03-05 to 2010-04-05 ))))))))))))))))))))))))))))))
.

2010-04-05 17:35 . 2006-10-18 00:31 105472 ----a-r- c:\windows\system32\drivers\nvata_2.sys
2010-04-03 15:51 . 2010-04-05 16:08 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-03 15:51 . 2010-04-05 16:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-03 15:51 . 2010-04-03 15:51 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-02 10:05 . 2010-04-02 10:05 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-04-01 20:37 . 2008-04-13 22:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-04-01 20:36 . 2010-04-01 20:36 -------- d-----w- c:\windows\OvtCam
2010-04-01 20:36 . 2008-04-14 20:32 54272 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2010-04-01 20:36 . 2008-04-14 20:32 54272 ----a-w- c:\windows\system32\vfwwdm32.dll
2010-04-01 20:32 . 2003-05-06 16:00 61440 ----a-w- c:\windows\ov519dib.dll
2010-04-01 20:32 . 2003-05-06 16:00 163072 ----a-w- c:\windows\system32\drivers\ov519vid.sys
2010-04-01 20:32 . 2003-09-25 15:00 135168 ----a-w- c:\windows\ov519cap.exe
2010-04-01 20:32 . 2003-05-06 16:00 40960 ----a-w- c:\windows\system32\ov519ext.dll
2010-04-01 20:32 . 2003-05-06 16:00 25211 ----a-w- c:\windows\system32\drivers\ov519cmd.sys
2010-04-01 20:32 . 2003-05-06 16:00 16426 ----a-w- c:\windows\system32\ov519usd.dll
2010-04-01 20:32 . 2003-06-02 21:35 40960 ----a-w- c:\windows\CleanDev.exe
2010-04-01 20:32 . 2003-05-06 16:00 36099 ----a-w- c:\windows\amcap.exe
2010-03-23 12:15 . 2010-04-05 17:18 -------- d--h--r- c:\documents and settings\Windows Home\Onlangs geopend
2010-03-12 18:16 . 2010-03-12 18:16 52224 ----a-w- c:\documents and settings\Windows Home\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-09 17:06 . 2010-03-09 17:06 -------- d-----r- c:\documents and settings\NetworkService\Favorieten
2010-03-08 08:40 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-05 17:45 . 2009-11-01 21:10 -------- d-----w- c:\documents and settings\Windows Home\Application Data\Dropbox
2010-04-04 07:51 . 2010-01-27 21:33 -------- d-----r- c:\program files\Skype
2010-04-04 07:18 . 2008-04-15 12:00 536740 ----a-w- c:\windows\system32\perfh013.dat
2010-04-04 07:18 . 2008-04-15 12:00 102956 ----a-w- c:\windows\system32\perfc013.dat
2010-04-03 18:59 . 2009-10-30 20:48 61696 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-04-02 10:04 . 2009-11-04 08:35 -------- d-----w- c:\program files\LimeWire
2010-04-01 23:59 . 2009-11-30 23:11 225864 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-01 23:13 . 2009-03-21 12:29 117760 ----a-w- c:\documents and settings\Windows Home\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-01 20:32 . 2008-09-17 20:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-28 08:43 . 2009-11-04 08:36 -------- d-----w- c:\documents and settings\Windows Home\Application Data\LimeWire
2010-03-23 18:27 . 2010-01-27 21:33 -------- d-----w- c:\documents and settings\Windows Home\Application Data\Skype
2010-03-23 12:43 . 2009-11-01 20:41 -------- d-----w- c:\documents and settings\Windows Home\Application Data\CoreFTP
2010-03-23 08:51 . 2010-01-27 21:40 -------- d-----w- c:\documents and settings\Windows Home\Application Data\skypePM
2010-02-28 08:02 . 2010-02-27 09:52 -------- d-----w- c:\program files\Nitro PDF
2010-02-27 09:57 . 2010-02-27 09:55 -------- d-----w- c:\documents and settings\Windows Home\Application Data\PrimoPDF
2010-02-26 16:09 . 2009-11-01 21:10 91696 ----a-w- c:\documents and settings\Windows Home\Application Data\Dropbox\bin\Uninstall.exe
2010-02-26 16:09 . 2010-02-26 16:09 13264416 ----a-w- c:\documents and settings\Windows Home\Application Data\Dropbox\cache\Dropbox-update-0.7.110.exe
2010-02-26 05:10 . 2010-02-26 05:10 21979992 ----a-w- c:\documents and settings\Windows Home\Application Data\Dropbox\bin\Dropbox.exe
2010-02-25 06:20 . 2008-04-15 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 22:41 . 2008-09-17 20:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-27 21:40 . 2010-01-27 21:40 56 ---ha-w- c:\windows\system32\ezsidmv.dat
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Windows Home\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Windows Home\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Windows Home\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-30 7634944]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-04-03 5650240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]

c:\documents and settings\Windows Home\Menu Start\Programma's\Opstarten\
Dropbox.lnk - c:\documents and settings\Windows Home\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-07 19:31 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^PCzapper Media Manager.lnk]
path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\PCzapper Media Manager.lnk
backup=c:\windows\pss\PCzapper Media Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Windows Home^Menu Start^Programma's^Opstarten^Dropbox.lnk]
path=c:\documents and settings\Windows Home\Menu Start\Programma's\Opstarten\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Windows Home^Menu Start^Programma's^Opstarten^LimeWire On Startup.lnk]
path=c:\documents and settings\Windows Home\Menu Start\Programma's\Opstarten\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 11:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 03:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 06:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 20:33 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-10-30 22:35 1622016 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2009-06-25 14:12 1414144 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 22:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 17:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-09-27 06:20 16844800 ------r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 11:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 03:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-02-23 22:41 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\CoreFTP\\coreftp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mpc-hc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\Windows Home\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [28-5-2008 10:33 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28-5-2008 10:33 66632]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28-5-2008 10:33 12872]
.
.
------- Bijkomende Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html
FF - ProfilePath - c:\documents and settings\Windows Home\Application Data\Mozilla\Firefox\Profiles\5vdq6nzn.default\
FF - prefs.js: browser.startup.homepage - hxxp://symbaloo.com/nl
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS VERWIJDERD - - - -

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-Steam - c:\program files\Steam\Steam.exe



**************************************************************************
scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden:

**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:10,28,27,cb,17,80,a5,4a,7a,fa,a8,c3,6a,c7,32,58,65,46,f2,de,5c,
50,5e,1f,46,9a,9f,c2,ee,a4,a6,9f,ff,e9,06,44,b5,5a,36,10,19,c9,c7,73,0b,3d,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\hľÇ|    ĄĽÇ|¨Ľ9~*]
"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:10,28,27,cb,17,80,a5,4a,7a,fa,a8,c3,6a,c7,32,58,65,46,f2,de,5c,
50,5e,1f,46,9a,9f,c2,ee,a4,a6,9f,ff,e9,06,44,b5,5a,36,10,19,c9,c7,73,0b,3d,\
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3212)
c:\documents and settings\Windows Home\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_dut.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Voltooingstijd: 2010-04-05 19:49:29 - machine werd herstart
ComboFix-quarantined-files.txt 2010-04-05 17:49

Pre-Run: 213.143.605.248 bytes beschikbaar
Post-Run: 213.431.267.328 bytes beschikbaar

WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - A382550523991AC762168FF0BAE9267A


#6 Farbar (Security Developer, 21,716 posts, Location: The Netherlands)

Posted 05 April 2010 - 01:14 PM

Well done.

Click on this link--> virustotal

Click the browse button. Copy and paste the line in bold in the open box, then click Send File.

c:\windows\amcap.exe

If the file has been analyzed before, click the Reanalyse File Now button.
Please copy and paste the results of the scan in your next post.

#7 pietwijs (Topic Starter, Members, 45 posts, Location: netherlands)

Posted 06 April 2010 - 12:53 AM

Bestand amcap.exe ontvangen op 2010.04.06 05:50:13 (UTC)
Resultaat: 0/39 (0%)
Antivirus Versie Laatst geüpdatet Resultaat
a-squared 4.5.0.50 2010.04.06 -
AhnLab-V3 5.0.0.2 2010.04.05 -
AntiVir 7.10.6.25 2010.04.05 -
Antiy-AVL 2.0.3.7 2010.04.02 -
Authentium 5.2.0.5 2010.04.06 -
Avast 4.8.1351.0 2010.04.05 -
Avast5 5.0.332.0 2010.04.05 -
AVG 9.0.0.787 2010.04.05 -
BitDefender 7.2 2010.04.06 -
CAT-QuickHeal 10.00 2010.04.06 -
ClamAV 0.96.0.3-git 2010.04.06 -
Comodo 4513 2010.04.06 -
DrWeb 5.0.2.03300 2010.04.06 -
eSafe 7.0.17.0 2010.04.01 -
eTrust-Vet 35.2.7410 2010.04.06 -
F-Prot 4.5.1.85 2010.04.05 -
F-Secure 9.0.15370.0 2010.04.06 -
Fortinet 4.0.14.0 2010.04.04 -
GData 19 2010.04.06 -
Ikarus T3.1.1.80.0 2010.04.06 -
Jiangmin 13.0.900 2010.04.06 -
Kaspersky 7.0.0.125 2010.04.06 -
McAfee-GW-Edition 6.8.5 2010.04.05 -
Microsoft 1.5605 2010.04.06 -
NOD32 5002 2010.04.05 -
Norman 6.04.10 2010.04.05 -
nProtect 2009.1.8.0 2010.04.05 -
Panda 10.0.2.2 2010.04.05 -
PCTools 7.0.3.5 2010.04.06 -
Prevx 3.0 2010.04.06 -
Rising 22.42.01.03 2010.04.06 -
Sophos 4.52.0 2010.04.06 -
Sunbelt 6142 2010.04.06 -
Symantec 20091.2.0.41 2010.04.06 -
TheHacker 6.5.2.0.254 2010.04.05 -
TrendMicro 9.120.0.1004 2010.04.06 -
VBA32 3.12.12.4 2010.04.05 -
ViRobot 2010.4.6.2262 2010.04.06 -
VirusBuster 5.0.27.0 2010.04.05 -
Extra informatie
File size: 36099 bytes
MD5...: 2d076d6c1a7e7f1a3040cf1d398128b0
SHA1..: fb3be2428a68665ea46aba0fbeff810705ade225
SHA256: 6222f57b8dd478aeb8d2227dee33a8430d9c0125f8a352f6040fb57e1ff6cf71
ssdeep: 768:Pm0u6M5t4WCbYPzM+EJ3WRp0l8NJmwwct5:I6at4WCbOzM+EJ3WRp88TL
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4e10
timedatestamp.....: 0x352bef5c (Wed Apr 08 21:42:52 1998)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x408c 0x4200 6.11 9ed64fde9a0b3d83cd096aa36fee648d
.rdata 0x6000 0x168e 0x1800 5.19 ac9fd5b65866d6b809e23a868c4f4c19
.data 0x8000 0xacc 0x200 0.41 4bcbd8ab5e7b29dad2468e2fff774b82
.rsrc 0x9000 0x6000 0x2103 2.16 c3187fca575bcb59e0c5a787370403f1

( 10 imports )
> comdlg32.dll: GetOpenFileNameA
> MSACM32.dll: acmFormatChooseA, acmMetrics
> MSVCRT.dll: __p__fmode, _XcptFilter, exit, _controlfp, _except_handler3, __set_app_type, _initterm, __p__commode, _adjust_fdiv, __setusermatherr, _exit, atof, sprintf, atol, _ftol, __getmainargs, __p__acmdln
> WINMM.dll: timeGetTime
> KERNEL32.dll: WideCharToMultiByte, GlobalLock, GlobalHandle, lstrcatA, GetStartupInfoA, GetModuleHandleA, CreateFileA, GetFileSize, CloseHandle, GetFullPathNameA, LoadLibraryA, GetProcAddress, FreeLibrary, MulDiv, GetDiskFreeSpaceA, lstrlenA, lstrcpyA, GetProfileIntA, GetProfileStringA, WriteProfileStringA, MultiByteToWideChar, GlobalFree, GlobalUnlock, GlobalAlloc, OpenFile, lstrcpynA
> USER32.dll: TranslateMessage, PeekMessageA, DefWindowProcA, DispatchMessageA, wsprintfA, GetAsyncKeyState, CheckMenuItem, EnableMenuItem, EndPaint, BeginPaint, PostQuitMessage, MoveWindow, GetSystemMetrics, GetClientRect, SetWindowPos, GetWindowRect, InvalidateRect, SetTimer, KillTimer, AppendMenuA, RemoveMenu, GetSubMenu, GetMenu, DialogBoxParamA, PostMessageA, MessageBoxA, WaitMessage, EndDialog, UpdateWindow, EnableWindow, MessageBeep, SetFocus, GetDlgItem, SetDlgItemInt, GetDlgItemInt, SetDlgItemTextA, IsCharAlphaNumericA, IsCharAlphaA, GetDlgItemTextA, CheckDlgButton, IsDlgButtonChecked, GetSysColor, LoadStringA, GetWindowLongA, GetWindowTextA, LoadAcceleratorsA, RegisterClassA, GetDC, ReleaseDC, CreateWindowExA, ShowWindow, SetWindowTextA, wvsprintfA, LoadCursorA, LoadIconA, TranslateAcceleratorA
> GDI32.dll: SetBkColor, CreateFontA, SetTextColor, SelectObject, GetStockObject, ExtTextOutA, CreateSolidBrush, DeleteObject, PatBlt, GetTextMetricsA
> ole32.dll: CoInitialize, CoTaskMemFree, CoCreateInstance, CoUninitialize, CoTaskMemAlloc
> OLEPRO32.DLL: -
> OLEAUT32.dll: -

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (53.9%)
Win32 Executable MS Visual C++ (generic) (23.7%)
Windows Screen Saver (8.2%)
Win32 Executable Generic (5.3%)
Win32 Dynamic Link Library (generic) (4.7%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
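To reproduce the "PEInfo" base data and section table that VirusTotal reported above from a file on disk, here is an added Python example (not code from the thread or from VirusTotal): it parses the PE header directly. The sample bytes are constructed here with the header values from the post, they are not the real amcap.exe.

```python
import struct
from datetime import datetime, timezone


def build_sample_pe():
    """Constructed minimal PE32 image (NOT amcap.exe) whose header fields
    carry the values VirusTotal reported for it, so the parser can be checked."""
    sections = [(b".text", 0x1000, 0x408c, 0x4200),   # name, VirtualAddress, VirtualSize, SizeOfRawData
                (b".rdata", 0x6000, 0x168e, 0x1800),
                (b".data", 0x8000, 0xacc, 0x200),
                (b".rsrc", 0x9000, 0x6000, 0x2103)]
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3c - 2) + struct.pack("<I", e_lfanew)   # e_lfanew lives at 0x3c
    opt_size = 224                                                    # PE32 optional header size
    # COFF header: Machine, NumberOfSections, TimeDateStamp, symtab ptr, nsyms, opt size, flags
    coff = struct.pack("<HHIIIHH", 0x14c, len(sections), 0x352bef5c, 0, 0, opt_size, 0x010f)
    # Optional header start: Magic, linker ver, SizeOfCode, SizeOfInitData, SizeOfUninitData,
    # AddressOfEntryPoint (offset 16), BaseOfCode, BaseOfData; rest zero-padded
    opt = struct.pack("<HBBIIIIII", 0x10b, 6, 0, 0x4200, 0x1a00, 0x200, 0x4e10, 0x1000, 0x8000)
    opt = opt.ljust(opt_size, b"\0")
    sec_hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, raw, 0, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize, raw in sections)
    return dos + b"PE\0\0" + coff + opt + sec_hdrs


def parse_pe_header(data):
    """Return the PEInfo-style fields (base data + sections) from raw PE bytes.
    Raises ValueError on anything that is not a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsect, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10b, 0x20b):                 # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = []
    sec_off = opt_off + opt_size                    # section table follows the optional header
    for i in range(nsect):
        name, vsize, va, raw = struct.unpack_from("<8sIII", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "viradd": va, "virsiz": vsize, "rawdsiz": raw})
    # The link timestamp is a triage clue: compare it with version info and install dates.
    stamp = datetime.fromtimestamp(tstamp, timezone.utc).strftime("%a %b %d %H:%M:%S %Y")
    return {"entrypointaddress": entry, "timedatestamp": tstamp,
            "timedatestamp_str": stamp, "machinetype": machine, "sections": sections}


if __name__ == "__main__":
    info = parse_pe_header(build_sample_pe())
    print("entrypointaddress.: 0x%x" % info["entrypointaddress"])
    print("timedatestamp.....: 0x%x (%s)" % (info["timedatestamp"], info["timedatestamp_str"]))
    print("machinetype.......: 0x%x" % info["machinetype"])
    for s in info["sections"]:
        print("%-7s 0x%x 0x%x 0x%x" % (s["name"], s["viradd"], s["virsiz"], s["rawdsiz"]))
```

Pass `open(path, "rb").read()` of any Windows executable to `parse_pe_header` to get the same fields for a real file.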

#8 pietwijs (Topic Starter, Members, 45 posts, Location: netherlands)

Posted 06 April 2010 - 12:56 AM

Thanks again Farbar. I wonder if the amcap has got anything to do with the problem. I forgot to mention (I clicked them away almost instantly and thought they were popups or something) but I think some pages are automatically being loaded in my browser. It doesn't happen often though, but every now and then. Hope that helps.

Looking forward to your solution. with kind regards en vriendelijke groeten

#9 pietwijs (Topic Starter, Members, 45 posts, Location: netherlands)

Posted 06 April 2010 - 01:13 AM

Yep, it's definitely not me. I was trying to use Outlook when a few sites popped up; it finally came to this one: Removed link by farbar

started via: Removed link by farbar

Outlook is also still out. I can read mail, but I can't send or forward it.. And I really need to be sending some (I work at home)

Edited by farbar, 06 April 2010 - 05:01 AM.


#10 Farbar (Security Developer, 21,716 posts, Location: The Netherlands)

Posted 06 April 2010 - 05:09 AM

I removed the links from your post. We don't want users to click those links if the links are bad or spam related.

When you ran ComboFix, McAfee was also running. McAfee might have removed some ComboFix components or interfered with the proper working of ComboFix. We might need to run ComboFix later on. There is a suspicious atapi.sys file in the GMER log; ComboFix neither reports disinfection of that file nor lists it as it is supposed to do.
  1. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    CODE
    @echo off
    mbr.exe -t
    ping 1.1.1.1 -n 1 -w 1000 >nul
    start mbr.log

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: dirlook.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A Notepad window opens; copy and paste its content (log.txt) into your reply.

  2. Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


#11 pietwijs (Topic Starter, Members, 45 posts, Location: netherlands)

Posted 06 April 2010 - 09:38 AM

Oops.. my bad.. good call concerning the links. Didn't think of that.

Here's the log from the .bat file; there's a link in it so I put two $-symbols in there so it's unclickable.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http:$//ww$w.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B228AC8]<<
kernel: MBR read successfully
user & kernel MBR OK

I'm gonna run the Malwarebytes program now.


#12 pietwijs (Topic Starter, Members, 45 posts, Location: netherlands)

Posted 06 April 2010 - 09:59 AM

This is the malware log. I did the quick scan, but without results I'm afraid:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Databaseversie: 3960

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6-4-2010 16:45:25
mbam-log-2010-04-06 (16-45-25).txt

Scantype: Snelle scan
Objecten gescand: 107436
Verstreken tijd: 5 minuut/minuten, 23 seconde(n)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Registersleutels geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Registerwaarden geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Registerdata geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Mappen geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Bestanden geïnfecteerd:
(Geen kwaadaardige objecten gedetecteerd)

Edited by pietwijs, 06 April 2010 - 10:00 AM.


#13 Farbar (Security Developer, 21,716 posts, Location: The Netherlands)

Posted 06 April 2010 - 10:25 AM

  1. We are going to run this special tool.
    • Please download TDSSKiller.zip and save it to your desktop.
    • Extract the zip file to your desktop.
    • Make sure TDSSKiller.exe is not in a folder.
      The exe file should be placed on the desktop, it looks like
    • Go to Start => Run, copy and paste the following command in the Run box and click enter:

      "%userprofile%\desktop\TDSSKiller.exe" -l report.txt -v
    • When it has finished, press any key to continue.
    • Let it reboot if needed.
    • Please post the report.txt created on your desktop.

  2. Reboot your computer after running TDSSKiller. After reboot double-click look.bat from previous post once more to run it. Post the log please.


#14 pietwijs (Topic Starter, Members, 45 posts, Location: netherlands)

Posted 06 April 2010 - 10:31 AM

Hey Farbar, because I'm getting a bit stressed about not being able to send mail, and because the irritating security popup every five minutes makes it hard for me to work, it took some time to do a search-all search. I think the problem started about a week ago (maybe less), but I found a program that was installed on the 31st of March:
spuninst.exe with the spmsg.dll. I have no idea what it's for, but hoped it may help you. It was downloaded in a sub directory of the SoftwareDistribution directory. After that directory appeared, every day or so a new directory is made with a funny name: {972ce4c6-7e08-4474-a285-3208198ce6fd} or 9482F4B4-E343-43B6-B170-9A65BC822C77
They appear in Mozilla and other directories.

Well hope it helps...



#15 pietwijs (Topic Starter, Members, 45 posts, Location: netherlands)

Posted 06 April 2010 - 10:32 AM

Aha, see you've got more work for me. I'm on it! Thanks



