Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Smart HDD


  • Please log in to reply
8 replies to this topic

#1 MargrietPark

MargrietPark

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 06 May 2012 - 06:11 AM

Hello,
My laptop is infected with the Smart HDD malware, and I followed your Remove Smart HDD Uninstall Guide to the letter (Rkill, TDSS, Malwarebytes, Unhide, Secunia), but to no avail. When I restarted my computer, it just showed up again. When I used Rkill to stop it again, the log said:

Processes terminated by Rkill or while it was running:

C:\ProgramData\oqbYvkXMskaGyIT.exe
C:\ProgramData\tFIaSpq2Bo9b2O.exe

Then, when I ran another Malwarebytes quick scan, and a scan on these particular files in my ProgramData folder, it came up empty handed, saying it did not detect any malware. Also, when I searched for these files in my C: drive using in Windows Explorer, it did not find them, even though I was looking right at them; they are still there, in the ProgramData folder.

I've attached the attach.txt and the ark.txt file and below is the DDS.txt.

Thanks for helping out!!

Margriet


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.0
Run by Margriet at 10:13:51 on 2012-05-06
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.31.1033.18.2045.906 [GMT 2:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Dell DataSafe Local Backup\sftservice.EXE
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\sttray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\notepad.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Margriet\Desktop\Defogger.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/ig
uSearch Bar = Preserve
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120119181941.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [oqbYvkXMskaGyIT.exe] c:\programdata\oqbYvkXMskaGyIT.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\margriet\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote Table Of Contents.onetoc2
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: rivm.nl\webmail
Trusted Zone: rivm.nl\webmail03
Trusted Zone: rivm.nl\webmail04
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://webmail03.rivm.nl/dwa85W.cab
DPF: {28B66320-9687-4B13-8757-36F901887AB5} - hxxp://foto.hema.nl/ips-opdata/layout/hema/objects/canvasx.cab
DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://foto.hema.nl/ips-opdata/layout/hema/objects/jordan.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn1-rw.maastrichtuniversity.nl/CACHE/stc/3/binaries/vpnweb.cab
DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} - hxxps://webmail03.rivm.nl/dwa85W.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://webmail03.rivm.nl/dwa7W.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 212.54.40.25 212.54.35.25
TCP: Interfaces\{498DE9B9-FB7A-473F-9CE9-53060D6EE99C} : DhcpNameServer = 212.54.40.25 212.54.35.25
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\margriet\appdata\roaming\mozilla\firefox\profiles\mw85zetg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R0 firedrv;Generic OHCILynx-1394 (intek);c:\windows\system32\drivers\firedrv.sys [2007-8-9 103528]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-3-13 464176]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2011-10-16 64880]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-10-16 165680]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-22 21504]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-10-16 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-10-16 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-10-16 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-10-16 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-10-16 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-10-16 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-10-16 150856]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2012-3-30 1295416]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2012-3-30 681016]
R2 SftService;SoftThinks Agent Service;c:\program files\dell datasafe local backup\SftService.exe [2010-11-24 689472]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-10-9 493248]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-10-16 57600]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-5-6 40776]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-10-16 180816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-10-16 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-10-16 338176]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2011-12-16 15544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-4 257696]
S3 G Data Tuner Service;G Data Tuner Service;c:\program files\g data\totalcare\avktuner\avktunerservice.exe --> c:\program files\g data\totalcare\avktuner\AVKTunerService.exe [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-10-16 87656]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 129976]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-9-22 21504]
S3 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-05-06 07:29:58 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-05-05 21:18:33 772552 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-05-05 19:19:09 -------- d--h--w- c:\users\margriet\appdata\local\Secunia PSI (BETA)
2012-05-05 19:18:44 -------- d-----w- c:\program files\Secunia
2012-05-05 10:01:52 -------- d--h--w- c:\users\margriet\appdata\roaming\Malwarebytes
2012-05-05 10:01:44 -------- d-----w- c:\programdata\Malwarebytes
2012-05-05 10:01:43 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-05 10:01:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-04 21:41:30 221696 ----a-w- c:\programdata\tFIaSpq2Bo9b2O.exe
2012-05-04 21:30:43 300544 ----a-w- c:\programdata\oqbYvkXMskaGyIT.exe
2012-05-04 07:44:18 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-25 09:43:50 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-04-25 09:43:45 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-04-25 09:43:45 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
2012-04-20 18:39:09 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2012-04-11 07:32:22 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-11 07:32:22 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 07:00:55 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
.
==================== Find3M ====================
.
2012-05-05 21:16:43 687560 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-05 13:37:21 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-29 15:11:45 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-29 15:11:42 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 15:09:53 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 13:32:37 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-14 15:45:30 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 15:45:30 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-13 14:12:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 13:47:57 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 13:44:40 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-02-07 09:02:40 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
.
============= FINISH: 10:16:09.71 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Gammo

Gammo

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:36 PM

Posted 06 May 2012 - 09:42 AM

Hi MargrietPark and welcome to Bleeping Computer!

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Posted Image

Please post the final results, good or bad. We like to know!
My help is always free, but if I have helped you, please consider making a donation to help me continue the fight against malware! Posted Image


#3 MargrietPark

MargrietPark
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 06 May 2012 - 02:07 PM

Hello,
Thank you for replying so fast! I have downloaded and executed the ComboFix, and after rebooting I no longer get the warnings. There is one thing that still concerns me though: in the task bar on the bottom left I noticed there are now two iTunes icons. However, when I scroll over one of them, it doesn't say 'iTunes' but 'Data_Recovery', just like when I scrolled over the icon in the task bar of the malware before it was removed... Can this still be a trace of harmfulness?

The ComboFix window did not come up with the log by itself. I waited and waited for the window to close, but since it said it would only take seconds, and that the log could also be found at C:/combofix.txt, I decided to try and locate it myself. I found it together with a bunch of other files in a ComboFix directory on C: . Then the ComboFix window gave me the following error:

SED: can't read cachelog: no such file or directory

Attached is the log of the ComboFix as I found it..

ComboFix 12-05-06.03 - Margriet 05/06/2012 19:37:20.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.31.1033.18.2045.812 [GMT 2:00]
Gestart vanuit: C:\Users\Margriet\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}


(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))


C:\ProgramData\oqbYvkXMskaGyIT.exe
C:\ProgramData\PCDr\5907\Downloads\15fc9c67-6e4d-42b6-b215-fee7bb01b1c7.dll
C:\ProgramData\tFIaSpq2Bo9b2O
C:\ProgramData\tFIaSpq2Bo9b2O.exe
C:\Users\Margriet\McApBHO.exe
C:\Windows\system32\UNWISE.EXE
D:\AUTORUN.INF


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_usnjsvc


(((((((((((((((((((( Bestanden Gemaakt van 2012-04-06 to 2012-05-06 ))))))))))))))))))))))))))))))


2012-05-06 17:51:01 . 2012-05-06 17:57:22 -------- d-----w- C:\Users\Margriet\AppData\Local\temp
2012-05-06 17:51:01 . 2012-05-06 17:51:01 -------- d-----w- C:\Users\Default\AppData\Local\temp
2012-05-05 19:19:09 . 2012-05-05 19:19:09 -------- d--h--w- C:\Users\Margriet\AppData\Local\Secunia PSI (BETA)
2012-05-05 19:18:44 . 2012-05-05 19:18:44 -------- d-----w- C:\Program Files\Secunia
2012-05-05 10:01:52 . 2012-05-05 10:01:52 -------- d--h--w- C:\Users\Margriet\AppData\Roaming\Malwarebytes
2012-05-05 10:01:44 . 2012-05-05 10:01:44 -------- d-----w- C:\ProgramData\Malwarebytes
2012-05-05 10:01:43 . 2012-05-05 10:01:46 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2012-05-05 10:01:43 . 2012-04-04 13:56:40 22344 ----a-w- C:\Windows\system32\drivers\mbam.sys
2012-04-25 09:43:50 . 2012-04-25 09:43:53 -------- d-----w- C:\Program Files\Mozilla Maintenance Service
2012-04-25 09:43:45 . 2012-04-25 09:43:45 157352 ----a-w- C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
2012-04-25 09:43:45 . 2012-04-25 09:43:45 129976 ----a-w- C:\Program Files\Mozilla Firefox\maintenanceservice.exe
2012-04-20 18:39:09 . 2009-08-19 21:50:31 22872 ----a-r- C:\Windows\system32\AdobePDFUI.dll
2012-04-11 07:33:53 . 2012-02-28 01:58:29 141112 ----a-w- C:\Program Files\Internet Explorer\sqmapi.dll
2012-04-11 07:33:52 . 2012-02-28 01:08:19 194048 ----a-w- C:\Program Files\Internet Explorer\IEShims.dll
2012-04-11 07:33:50 . 2012-02-28 01:13:13 678912 ----a-w- C:\Program Files\Internet Explorer\iedvtool.dll
2012-04-11 07:33:31 . 2012-02-29 13:32:37 12800 ----a-w- C:\Windows\system32\drivers\fs_rec.sys
2012-04-11 07:00:55 . 2012-03-01 11:01:50 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
.


((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

2012-05-05 21:16:44 . 2012-05-05 21:18:33 772552 ----a-w- C:\Windows\system32\npDeployJava1.dll
2012-05-05 21:16:43 . 2010-05-15 07:29:22 687560 ----a-w- C:\Windows\system32\deployJava1.dll
2012-05-05 13:37:21 . 2012-05-04 07:44:18 419488 ----a-w- C:\Windows\system32\FlashPlayerApp.exe
2012-05-05 13:37:21 . 2011-10-23 17:58:13 70304 ----a-w- C:\Windows\system32\FlashPlayerCPLApp.cpl
2012-03-06 06:39:00 . 2012-04-11 07:32:22 3602816 ----a-w- C:\Windows\system32\ntkrnlpa.exe
2012-03-06 06:39:00 . 2012-04-11 07:32:22 3550080 ----a-w- C:\Windows\system32\ntoskrnl.exe
2012-02-29 15:11:45 . 2012-04-11 07:33:31 5120 ----a-w- C:\Windows\system32\wmi.dll
2012-02-29 15:11:42 . 2012-04-11 07:33:31 172032 ----a-w- C:\Windows\system32\wintrust.dll
2012-02-29 15:09:53 . 2012-04-11 07:33:31 157696 ----a-w- C:\Windows\system32\imagehlp.dll
2012-02-28 01:18:55 . 2012-04-11 07:33:52 1799168 ----a-w- C:\Windows\system32\jscript9.dll
2012-02-28 01:11:21 . 2012-04-11 07:33:50 1427456 ----a-w- C:\Windows\system32\inetcpl.cpl
2012-02-28 01:11:07 . 2012-04-11 07:33:52 1127424 ----a-w- C:\Windows\system32\wininet.dll
2012-02-28 01:03:16 . 2012-04-11 07:33:53 2382848 ----a-w- C:\Windows\system32\mshtml.tlb
2012-02-14 15:45:30 . 2012-03-14 04:37:19 219648 ----a-w- C:\Windows\system32\d3d10_1core.dll
2012-02-14 15:45:30 . 2012-03-14 04:37:18 160768 ----a-w- C:\Windows\system32\d3d10_1.dll
2012-02-13 14:12:08 . 2012-03-14 04:37:19 1172480 ----a-w- C:\Windows\system32\d3d10warp.dll
2012-02-13 13:47:57 . 2012-03-14 04:37:18 683008 ----a-w- C:\Windows\system32\d2d1.dll
2012-02-13 13:44:40 . 2012-03-14 04:37:19 1068544 ----a-w- C:\Windows\system32\DWrite.dll
2012-02-07 09:02:40 . 2012-02-07 09:02:40 1070352 ----a-w- C:\Windows\system32\MSCOMCTL.OCX
2012-04-25 09:43:44 . 2012-01-18 12:43:00 97208 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))


*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09:36 460784]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 07:33:09 125952]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 07:33:39 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-28 00:35:28 857648]
"Broadcom Wireless Manager UI"="C:\Windows\system32\WLTRAY.exe" [2007-03-21 19:33:52 1548288]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 10:37:04 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 10:22:16 221184]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 15:10:26 184320]
"SigmatelSysTrayApp"="sttray.exe" [2007-03-06 20:37:30 303104]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 07:37:53 843712]
"AdobeAAMUpdater-1.0"="C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 01:44:40 500208]
"AdobeCS5ServiceManager"="C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 20:10:47 402432]
"SwitchBoard"="C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 11:37:14 517096]
"Adobe Acrobat Speed Launcher"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-03-27 03:40:55 40376]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-03-26 07:00:48 640440]
"APSDaemon"="C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 19:28:32 59240]
"mcui_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2011-11-22 16:18:26 1318816]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [2007-05-10 09:01:00 36864]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2009-06-16 09:27:34 13793824]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2009-06-16 09:27:34 92704]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 12:41:07 37296]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2012-03-27 03:09:24 421736]

C:\Users\Margriet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote Table Of Contents.onetoc2 [2009-5-24 3656]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Secunia PSI Tray.lnk - C:\Program Files\Secunia\PSI\psi_tray.exe [2012-3-30 562232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 13:37:22 257696]


--- Andere Services/Drivers In Geheugen ---

*NewlyCreated* - WS2IFSL
*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

Inhoud van de 'Gedeelde Taken' map

2012-05-06 C:\Windows\Tasks\Adobe Flash Player Updater.job
- C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-04 07:44:18 . 2012-05-05 13:37:22]

2012-04-30 C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
- C:\Program Files\Dell Support Center\uaclauncher.exe [2012-04-13 05:40:52 . 2012-04-13 05:40:52]

2012-05-06 C:\Windows\Tasks\SystemToolsDailyTest.job
- C:\Program Files\Dell Support Center\uaclauncher.exe [2012-04-13 05:40:52 . 2012-04-13 05:40:52]


------- Bijkomende Scan -------

uStart Page = hxxp://www.google.com/ig
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: rivm.nl\webmail
Trusted Zone: rivm.nl\webmail03
Trusted Zone: rivm.nl\webmail04
TCP: DhcpNameServer = 212.54.40.25 212.54.35.25
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://webmail03.rivm.nl/dwa85W.cab
DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://foto.hema.nl/ips-opdata/layout/hema/objects/jordan.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn1-rw.maastrichtuniversity.nl/CACHE/stc/3/binaries/vpnweb.cab
FF - ProfilePath - C:\Users\Margriet\AppData\Roaming\Mozilla\Firefox\Profiles\mw85zetg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: network.proxy.type - 0

- - - - ORPHANS VERWIJDERD - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-DellSupportCenter - C:\Program Files\Dell Support Center\bin\sprtcmd.exe
HKCU-Run-oqbYvkXMskaGyIT.exe - C:\ProgramData\oqbYvkXMskaGyIT.exe
HKLM-Run-DellSupportCenter - C:\Program Files\Dell Support Center\bin\sprtcmd.exe
AddRemove-HASP HL Device Driver - C:\Windows\System32\UNWISE.EXE



**************************************************************************
scannen van verborgen processen ...

Attached Files


Edited by Gammo, 07 May 2012 - 09:23 AM.


#4 Gammo

Gammo

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:36 PM

Posted 07 May 2012 - 09:26 AM

That seems to have fixed the infection.

I'd like you to run one more scan to confirm the malware is completely gone.

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Posted Image

Please post the final results, good or bad. We like to know!
My help is always free, but if I have helped you, please consider making a donation to help me continue the fight against malware! Posted Image


#5 MargrietPark

MargrietPark
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 07 May 2012 - 01:22 PM

Hello
I ran malwarebytes and it did find another something in the registry. After removing, I immediately restarted the laptop when requested to do so.
I still have the suspicious looking iTunes icon in my task bar, saying 'Data recovery' when I scroll over it..

Computer seems to work ok so far, although I'm not using it much because I don't quite trust it yet!

Here is the MBAM log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.07.03

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Margriet :: MARGRIET-PC [administrator]

5/7/2012 7:19:05 PM
mbam-log-2012-05-07 (19-19-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200298
Time elapsed: 12 minute(s), 46 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|oqbYvkXMskaGyIT.exe (Rogue.Agent.SA) -> Data: C:\ProgramData\oqbYvkXMskaGyIT.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#6 Gammo

Gammo

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:36 PM

Posted 07 May 2012 - 04:21 PM

We need to create an OTL Report
Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Check the box that says Scan All Users.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic.

Posted Image

Please post the final results, good or bad. We like to know!
My help is always free, but if I have helped you, please consider making a donation to help me continue the fight against malware! Posted Image


#7 MargrietPark

MargrietPark
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 08 May 2012 - 12:36 PM

OK, I ran OTL, it stalled when it just started for about half a minute, then automatically continued. Then I discovered I hadn't checked the 'scan all users' box, so after it finished, I ran it again with the box checked. Same thing happened with the stalling.

I have no idea whether all this is relevant information to you, just trying to be complete. Anyway, here is OTL.txt from the second time I ran the scan, please let me know if you also need the first one:

OTL logfile created on: 5/8/2012 7:20:46 PM - Run 1
OTL by OldTimer - Version 3.2.42.3 Folder = C:\Users\Margriet\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.10 Gb Available Physical Memory | 55.30% Memory free
4.23 Gb Paging File | 2.94 Gb Available in Paging File | 69.46% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 99.18 Gb Total Space | 15.26 Gb Free Space | 15.39% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.66 Gb Free Space | 56.56% Space Free | Partition Type: NTFS

Computer Name: MARGRIET-PC | User Name: Margriet | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/05/08 19:08:07 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Users\Margriet\Desktop\OTL(1).exe
PRC - [2012/03/30 12:26:16 | 001,295,416 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psia.exe
PRC - [2012/03/30 12:26:14 | 000,681,016 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\sua.exe
PRC - [2012/03/30 12:26:12 | 000,562,232 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi_tray.exe
PRC - [2012/03/26 09:00:48 | 000,640,440 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2011/11/22 18:18:26 | 001,318,816 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/10/18 15:32:30 | 000,150,856 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2011/10/18 15:28:34 | 000,160,608 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2011/10/18 15:28:18 | 000,166,288 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2010/08/20 16:53:08 | 000,689,472 | ---- | M] (SoftThinks SAS) -- C:\Program Files\Dell DataSafe Local Backup\SftService.exe
PRC - [2010/01/15 14:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2009/10/09 17:07:20 | 000,493,248 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
PRC - [2009/04/11 08:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007/05/10 11:01:00 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe
PRC - [2007/04/16 17:10:26 | 000,184,320 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\MediaDirect\PCMService.exe
PRC - [2007/04/03 16:18:08 | 001,516,584 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2007/03/15 13:09:36 | 000,460,784 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\DSAgnt.exe
PRC - [2007/03/06 22:38:28 | 000,090,112 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\System32\stacsv.exe
PRC - [2007/03/06 22:37:30 | 000,303,104 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\sttray.exe
PRC - [2006/11/05 12:22:16 | 000,221,184 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
PRC - [2006/11/05 11:55:48 | 000,010,752 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe


========== Modules (No Company Name) ==========

MOD - [2012/04/11 09:26:16 | 011,820,032 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\48302596a8c8f2ab396b3be518dbd800\System.Web.ni.dll
MOD - [2012/02/16 16:39:28 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\5c3bfd69e0c268baff0d169e11a6a784\System.Runtime.Remoting.ni.dll
MOD - [2012/02/16 15:33:38 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\c50133cb67d7c013fa31e1ffb942060b\System.ni.dll
MOD - [2011/10/16 10:07:18 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\b6632a8b2f276a8e31f5b0f6b2006cd1\mscorlib.ni.dll
MOD - [2011/06/24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2009/08/16 18:06:04 | 000,141,312 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2007/03/21 21:33:50 | 000,065,536 | ---- | M] () -- C:\Windows\System32\bcmwlrmt.dll
MOD - [2006/11/05 11:58:44 | 000,516,096 | ---- | M] () -- C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\LayoutDll9.dll
MOD - [2006/11/05 11:28:18 | 004,587,520 | R--- | M] () -- C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\ROXIPP41.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\G Data\TotalCare\AVKTuner\AVKTunerService.exe -- (G Data Tuner Service)
SRV - [2012/05/05 15:37:22 | 000,257,696 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/04/25 11:43:45 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/03/30 12:26:16 | 001,295,416 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\psia.exe -- (Secunia PSI Agent)
SRV - [2012/03/30 12:26:14 | 000,681,016 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)
SRV - [2011/10/18 15:32:30 | 000,150,856 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2011/10/18 15:28:34 | 000,160,608 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2011/10/18 15:28:18 | 000,166,288 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/06/23 15:22:58 | 000,361,712 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/08/20 16:53:08 | 000,689,472 | ---- | M] (SoftThinks SAS) [Auto | Running] -- C:\Program Files\Dell DataSafe Local Backup\SftService.exe -- (SftService)
SRV - [2010/07/28 22:23:12 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/07/26 16:00:24 | 000,066,112 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper) getPlus®
SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2010/01/15 14:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/10/09 17:07:20 | 000,493,248 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe -- (vpnagent)
SRV - [2008/12/01 11:59:52 | 000,033,752 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®
SRV - [2008/04/07 09:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2008/01/19 09:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/04/03 16:18:08 | 001,516,584 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2007/03/19 13:44:44 | 000,070,656 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2007/03/06 22:38:28 | 000,090,112 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lgusbmodem.sys -- (USBModem)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lgusbdiag.sys -- (UsbDiag)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lgusbbus.sys -- (usbbus)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\Capt9052.sys -- (SQTECH9052)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (mfeavfk01)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2012/05/06 20:32:22 | 000,031,744 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2011/12/16 16:19:54 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\psi_mf.sys -- (PSI)
DRV - [2011/10/15 14:16:16 | 000,464,176 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/10/15 14:16:16 | 000,338,176 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/10/15 14:16:16 | 000,180,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/10/15 14:16:16 | 000,165,680 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2011/10/15 14:16:16 | 000,121,256 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2011/10/15 14:16:16 | 000,087,656 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/10/15 14:16:16 | 000,064,880 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2011/10/15 14:16:16 | 000,059,456 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2011/10/15 14:16:16 | 000,057,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2009/10/09 16:50:48 | 000,020,152 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vpnva.sys -- (vpnva)
DRV - [2009/06/16 15:59:00 | 009,768,640 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007/10/10 18:03:00 | 000,235,648 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Dev.sys -- (OEM02Dev)
DRV - [2007/09/17 15:53:26 | 000,021,632 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2007/08/09 14:41:28 | 000,103,528 | ---- | M] (intek (Darmstadt)) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\firedrv.sys -- (firedrv) Generic OHCILynx-1394 (intek)
DRV - [2007/05/03 12:21:08 | 000,029,056 | ---- | M] (Service & Quality Technology.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Capt905c.sys -- (SQTECH905C)
DRV - [2007/04/03 16:17:08 | 000,306,295 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2007/03/06 22:38:52 | 000,323,584 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/03/06 04:45:00 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
DRV - [2007/02/25 13:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2007/01/31 13:45:06 | 000,127,376 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dne2000.sys -- (DNE)
DRV - [2007/01/18 14:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006/11/27 09:48:46 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/11/27 09:48:44 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/27 09:48:44 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/22 11:01:48 | 000,693,760 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\hardlock.sys -- (Hardlock)
DRV - [2006/11/21 14:25:44 | 000,045,568 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/11/02 09:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/11/02 09:30:55 | 000,200,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2006/11/01 19:50:00 | 000,128,104 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\WimFltr.sys -- (WimFltr)
DRV - [2006/10/05 18:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Running] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/08/05 02:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7DANL


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig
IE - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=SPC2&o=15000&src=crm&q={searchTerms}&locale=en_NL
IE - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rlz=1I7DDNL_en-GB&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\..\SearchScopes\{C4D8E380-7CF1-48C3-B867-58C842BA0213}: "URL" = http://search.yahoo.com/search?fr=mcafee&p={SearchTerms}
IE - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig"
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.0: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.4.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}: C:\Program Files\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9} [2010/07/28 20:51:28 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2012/02/23 11:40:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60}: C:\Program Files\Common Files\McAfee\SystemCore [2012/05/07 19:52:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/04/25 11:43:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012/01/18 14:44:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Margriet\AppData\Roaming\Mozilla\Extensions
[2012/05/02 20:03:09 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Margriet\AppData\Roaming\Mozilla\Firefox\Profiles\mw85zetg.default\extensions
[2012/05/05 23:20:15 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/04/25 11:43:44 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/02/15 20:21:13 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/02/15 20:21:13 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/05/06 19:56:30 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll (Adobe Systems, Inc.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120119181941.dll (McAfee, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll (Adobe Systems, Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter File not found
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\Windows\System32\nvHotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Windows\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter File not found
O4 - Startup: C:\Users\Margriet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote Table Of Contents.onetoc2 ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\..Trusted Domains: rivm.nl ([webmail] https in Trusted sites)
O15 - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\..Trusted Domains: rivm.nl ([webmail03] https in Trusted sites)
O15 - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\..Trusted Domains: rivm.nl ([webmail04] https in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} https://webmail03.rivm.nl/dwa85W.cab (IBM Lotus iNotes 8.5 Control)
O16 - DPF: {28B66320-9687-4B13-8757-36F901887AB5} http://foto.hema.nl/ips-opdata/layout/hema/objects/canvasx.cab (CanvasX Class)
O16 - DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} http://foto.hema.nl/ips-opdata/layout/hema/objects/jordan.cab (JordanUploader Class)
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} http://support.dell.com/systemprofiler/SysProExe.CAB (WMI Class)
O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} https://vpn1-rw.maastrichtuniversity.nl/CACHE/stc/3/binaries/vpnweb.cab (Cisco AnyConnect VPN Client Web Control)
O16 - DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} https://webmail03.rivm.nl/dwa85W.cab (IBM Lotus iNotes 8.5 Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Java Plug-in 10.4.0)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell.com/systemprofiler/DellSystemLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Java Plug-in 1.7.0_04)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Java Plug-in 1.7.0_04)
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} https://webmail03.rivm.nl/dwa7W.cab (Domino Web Access 7 Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 212.54.40.25 212.54.35.25
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{498DE9B9-FB7A-473F-9CE9-53060D6EE99C}: DhcpNameServer = 212.54.40.25 212.54.35.25
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/08 19:08:00 | 000,595,456 | ---- | C] (OldTimer Tools) -- C:\Users\Margriet\Desktop\OTL(1).exe
[2012/05/07 20:04:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2012/05/07 19:16:25 | 010,063,000 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Margriet\Desktop\mbam-setup-1.61.0.1400.exe
[2012/05/06 19:56:58 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/05/06 19:51:01 | 000,000,000 | ---D | C] -- C:\Users\Margriet\AppData\Local\temp
[2012/05/06 19:33:56 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/05/06 19:33:56 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/05/06 19:33:56 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/05/06 19:33:43 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/05/06 19:33:41 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/05/06 19:33:31 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/05/06 19:29:23 | 004,485,787 | R--- | C] (Swearware) -- C:\Users\Margriet\Desktop\ComboFix.exe
[2012/05/06 10:23:27 | 000,000,000 | ---D | C] -- C:\Users\Margriet\Desktop\gmer
[2012/05/06 10:13:27 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Margriet\Desktop\dds.scr
[2012/05/05 21:19:09 | 000,000,000 | ---D | C] -- C:\Users\Margriet\AppData\Local\Secunia PSI (BETA)
[2012/05/05 21:18:44 | 000,000,000 | ---D | C] -- C:\Program Files\Secunia
[2012/05/05 21:01:29 | 002,815,744 | ---- | C] (Secunia) -- C:\Users\Margriet\Desktop\PSI3BetaSetup.exe
[2012/05/05 20:48:29 | 000,399,264 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\Margriet\Desktop\unhide.exe
[2012/05/05 12:01:52 | 000,000,000 | ---D | C] -- C:\Users\Margriet\AppData\Roaming\Malwarebytes
[2012/05/05 12:01:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/05/05 12:01:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/05/05 12:01:43 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/05/05 12:01:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/05/05 11:56:13 | 010,063,024 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Margriet\Desktop\mbam-setup.exe
[2012/05/05 11:49:07 | 002,075,184 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Margriet\Desktop\killer.com
[2012/05/04 23:41:59 | 000,000,000 | ---D | C] -- C:\Users\Margriet\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data Recovery
[2012/04/25 11:43:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla
[2012/04/25 11:43:50 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2012/04/18 08:34:44 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell Support Center

========== Files - Modified Within 30 Days ==========

[2012/05/08 19:08:07 | 000,595,456 | ---- | M] (OldTimer Tools) -- C:\Users\Margriet\Desktop\OTL(1).exe
[2012/05/08 18:56:29 | 000,000,506 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job
[2012/05/08 18:56:08 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/05/08 18:55:07 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/05/08 16:39:18 | 000,003,696 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/05/08 16:39:14 | 000,003,696 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/05/07 19:46:04 | 000,032,156 | ---- | M] () -- C:\ProgramData\nvModes.001
[2012/05/07 19:45:51 | 2145,583,104 | -HS- | M] () -- C:\hiberfil.sys
[2012/05/07 19:44:25 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2012/05/07 19:18:27 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/07 19:16:37 | 010,063,000 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Margriet\Desktop\mbam-setup-1.61.0.1400.exe
[2012/05/06 19:56:30 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/05/06 19:29:42 | 004,485,787 | R--- | M] (Swearware) -- C:\Users\Margriet\Desktop\ComboFix.exe
[2012/05/06 10:22:12 | 000,294,216 | ---- | M] () -- C:\Users\Margriet\Desktop\gmer.zip
[2012/05/06 10:20:58 | 000,302,592 | ---- | M] () -- C:\Users\Margriet\Desktop\2qgvitjq.exe
[2012/05/06 10:13:28 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Margriet\Desktop\dds.scr
[2012/05/06 10:12:10 | 000,000,000 | ---- | M] () -- C:\Users\Margriet\defogger_reenable
[2012/05/06 10:11:17 | 000,050,477 | ---- | M] () -- C:\Users\Margriet\Desktop\Defogger.exe
[2012/05/06 09:24:31 | 000,000,000 | ---- | M] () -- C:\ProgramData\-tFIaSpq2Bo9b2O
[2012/05/06 09:09:40 | 000,000,633 | ---- | M] () -- C:\Users\Margriet\Application Data\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk
[2012/05/05 21:21:01 | 000,000,901 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2012/05/05 21:02:07 | 002,815,744 | ---- | M] (Secunia) -- C:\Users\Margriet\Desktop\PSI3BetaSetup.exe
[2012/05/05 20:48:30 | 000,399,264 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\Margriet\Desktop\unhide.exe
[2012/05/05 11:56:56 | 010,063,024 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Margriet\Desktop\mbam-setup.exe
[2012/05/05 11:49:07 | 002,075,184 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Margriet\Desktop\killer.com
[2012/05/05 11:37:46 | 001,008,141 | ---- | M] () -- C:\Users\Margriet\Desktop\iExplore.exe
[2012/05/05 09:38:57 | 000,595,996 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/05/05 09:38:56 | 000,104,070 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/05/05 09:27:08 | 000,032,156 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2012/05/04 23:42:02 | 000,000,609 | ---- | M] () -- C:\Users\Margriet\Desktop\Data_Recovery.lnk
[2012/05/04 12:50:58 | 000,199,680 | ---- | M] () -- C:\Users\Margriet\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/05/04 09:43:35 | 000,000,680 | ---- | M] () -- C:\Users\Margriet\AppData\Local\d3d9caps.dat
[2012/05/03 10:20:18 | 000,752,282 | ---- | M] () -- C:\Users\Margriet\Documents\Nanotoxicology.enl
[2012/04/30 10:28:08 | 000,000,564 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
[2012/04/27 23:13:06 | 002,476,926 | ---- | M] () -- C:\Users\Margriet\Desktop\Rainbow.eps
[2012/04/20 20:08:15 | 248,793,087 | ---- | M] () -- C:\Windows\MEMORY.DMP

========== Files Created - No Company Name ==========

[2012/05/06 19:33:56 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/05/06 19:33:56 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/05/06 19:33:56 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/05/06 19:33:56 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/05/06 19:33:56 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/05/06 10:22:10 | 000,294,216 | ---- | C] () -- C:\Users\Margriet\Desktop\gmer.zip
[2012/05/06 10:20:55 | 000,302,592 | ---- | C] () -- C:\Users\Margriet\Desktop\2qgvitjq.exe
[2012/05/06 10:12:10 | 000,000,000 | ---- | C] () -- C:\Users\Margriet\defogger_reenable
[2012/05/06 10:11:14 | 000,050,477 | ---- | C] () -- C:\Users\Margriet\Desktop\Defogger.exe
[2012/05/06 09:09:40 | 000,000,633 | ---- | C] () -- C:\Users\Margriet\Application Data\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk
[2012/05/05 21:21:01 | 000,000,901 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
[2012/05/05 21:21:01 | 000,000,864 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Secunia PSI.lnk
[2012/05/05 21:08:37 | 2145,583,104 | -HS- | C] () -- C:\hiberfil.sys
[2012/05/05 21:05:57 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/05 14:22:01 | 000,001,889 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2012/05/05 14:22:01 | 000,001,737 | ---- | C] () -- C:\Users\Public\Desktop\McAfee Internet Security.lnk
[2012/05/05 14:22:01 | 000,001,719 | ---- | C] () -- C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
[2012/05/05 14:22:01 | 000,001,666 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2012/05/05 14:22:01 | 000,001,666 | ---- | C] () -- C:\Users\Margriet\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2012/05/05 14:22:01 | 000,001,282 | ---- | C] () -- C:\Users\Public\Desktop\Verzoek of wijziging voorlopige aanslag 2012.lnk
[2012/05/05 14:22:01 | 000,001,198 | ---- | C] () -- C:\Users\Public\Desktop\Aangifte inkomstenbelasting 2011.lnk
[2012/05/05 14:22:01 | 000,001,198 | ---- | C] () -- C:\Users\Public\Desktop\Aangifte inkomstenbelasting 2010.lnk
[2012/05/05 14:22:01 | 000,001,142 | ---- | C] () -- C:\Users\Public\Desktop\Kinderopvangtoeslag 2011.lnk
[2012/05/05 14:22:01 | 000,000,945 | ---- | C] () -- C:\Users\Margriet\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/05/05 14:22:01 | 000,000,930 | ---- | C] () -- C:\Users\Public\Desktop\R 2.11.1.lnk
[2012/05/05 14:22:01 | 000,000,872 | ---- | C] () -- C:\Users\Margriet\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/05/05 14:22:01 | 000,000,848 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012/05/05 14:22:01 | 000,000,258 | ---- | C] () -- C:\Users\Margriet\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2012/05/05 14:22:01 | 000,000,240 | ---- | C] () -- C:\Users\Margriet\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2012/05/05 14:22:01 | 000,000,213 | ---- | C] () -- C:\Users\Margriet\Application Data\Microsoft\Internet Explorer\Quick Launch\Monitor settings.lnk
[2012/05/05 11:38:38 | 001,008,141 | ---- | C] () -- C:\Users\Margriet\Desktop\iExplore.exe
[2012/05/04 23:42:06 | 000,000,000 | ---- | C] () -- C:\ProgramData\-tFIaSpq2Bo9b2O
[2012/05/04 23:42:02 | 000,000,609 | ---- | C] () -- C:\Users\Margriet\Desktop\Data_Recovery.lnk
[2012/05/04 09:44:22 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2012/04/27 23:02:52 | 002,476,926 | ---- | C] () -- C:\Users\Margriet\Desktop\Rainbow.eps
[2012/04/18 08:34:55 | 000,000,564 | ---- | C] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
[2012/04/18 08:34:53 | 000,000,506 | ---- | C] () -- C:\Windows\tasks\SystemToolsDailyTest.job
[2012/01/03 00:46:14 | 000,000,736 | ---- | C] () -- C:\Windows\DigimaxMaster.INI
[2012/01/03 00:22:19 | 000,032,156 | ---- | C] () -- C:\ProgramData\nvModes.001
[2012/01/03 00:22:09 | 000,032,156 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2010/11/20 14:32:44 | 000,000,740 | ---- | C] () -- C:\Windows\ODBC.INI

========== LOP Check ==========

[2009/07/24 21:46:03 | 000,000,000 | ---D | M] -- C:\Users\Margriet\AppData\Roaming\Advanced Chemistry Development
[2012/04/14 18:15:26 | 000,000,000 | ---D | M] -- C:\Users\Margriet\AppData\Roaming\Belastingdienst
[2010/07/29 09:37:47 | 000,000,000 | ---D | M] -- C:\Users\Margriet\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/05/28 09:54:13 | 000,000,000 | ---D | M] -- C:\Users\Margriet\AppData\Roaming\EndNote
[2010/11/21 18:19:40 | 000,000,000 | ---D | M] -- C:\Users\Margriet\AppData\Roaming\GARMIN
[2009/12/17 11:03:07 | 000,000,000 | ---D | M] -- C:\Users\Margriet\AppData\Roaming\LG Electronics
[2008/05/14 23:03:20 | 000,000,000 | ---D | M] -- C:\Users\Margriet\AppData\Roaming\Nokia
[2008/05/14 23:22:04 | 000,000,000 | ---D | M] -- C:\Users\Margriet\AppData\Roaming\PC Suite
[2011/05/25 11:04:19 | 000,000,000 | ---D | M] -- C:\Users\Margriet\AppData\Roaming\PCDr
[2008/01/19 10:16:33 | 000,000,000 | ---D | M] -- C:\Users\Margriet\AppData\Roaming\tmp
[2012/04/30 10:28:08 | 000,000,564 | ---- | M] () -- C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
[2012/05/07 19:44:30 | 000,032,562 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012/05/08 18:56:29 | 000,000,506 | ---- | M] () -- C:\Windows\Tasks\SystemToolsDailyTest.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Users\Margriet\Desktop\Cyrus:Roxio EMC Stream

< End of report >

#8 MargrietPark

MargrietPark
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:36 PM

Posted 08 May 2012 - 12:39 PM

OTL Extras logfile created on: 5/8/2012 7:20:46 PM - Run 1
OTL by OldTimer - Version 3.2.42.3 Folder = C:\Users\Margriet\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.10 Gb Available Physical Memory | 55.30% Memory free
4.23 Gb Paging File | 2.94 Gb Available in Paging File | 69.46% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 99.18 Gb Total Space | 15.26 Gb Free Space | 15.39% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.66 Gb Free Space | 56.56% Space Free | Partition Type: NTFS

Computer Name: MARGRIET-PC | User Name: Margriet | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3375708600-1371752053-1193405594-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Bridge] -- C:\Program Files\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{B226CC0E-C909-47BC-8F4E-8A8D2E839A1D}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{F626DA9F-E81B-4003-BBEE-CDD26179350E}" = lport=2869 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{15FA1E3C-6A62-4EE7-84C7-4187077BB1D6}" = dir=in | app=c:\program files\dell\mediadirect\kernel\dms\clmsservice.exe |
"{165DDC24-DFB5-46F2-BD7D-395EFDF92520}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{514F845A-F5AD-441E-A4F4-3CB879595957}" = dir=in | app=c:\program files\windows live\messenger\livecall.exe |
"{570923A9-9E54-4CAD-A8F0-2DD3812325F3}" = dir=in | app=c:\program files\dell\mediadirect\kernel\dmp\clbrowserengine.exe |
"{59C05248-986A-4D58-B666-03AF687F9593}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"{65F5C40C-7AA0-48D8-9690-CAD5E42A0DC9}" = dir=in | app=c:\program files\dell\mediadirect\pcmservice.exe |
"{67FA9213-3974-4F2A-85FA-FB2570088600}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{784AEA77-72F9-471A-9923-A3EB28158C11}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{7EEA770A-1DBB-4905-8903-9BB885E781F0}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{8B1DA0D4-278C-418A-BAE9-1A2E2A2D1ED1}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{8DA8B1DC-4CA6-4F12-A65A-CCCF26C59C71}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{8DDC58EB-C811-4E33-AFB6-BF5C11D95F47}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{9164E3FD-4E2D-48F3-869A-3A6788DAFD5D}" = dir=in | app=c:\program files\dell\mediadirect\powercinema.exe |
"{95A4A3D3-3380-477D-BEE5-2B4B297133C4}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{9B4D77E2-BC2A-4E59-BB67-F995E12B36A5}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{CACA8EA3-186C-4E1E-A5E1-F16D9BECD040}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{EA1F7203-0EF5-4864-9604-6B3512D2C9BF}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"TCP Query User{AA8C8DC2-129E-4291-945C-43D0E09A1A81}C:\program files\skype\phone\skype.exe" = protocol=6 | dir=in | app=c:\program files\skype\phone\skype.exe |
"UDP Query User{CE76D7C2-C0E1-4BA6-8CBD-F878A74E5890}C:\program files\skype\phone\skype.exe" = protocol=17 | dir=in | app=c:\program files\skype\phone\skype.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0090A87C-3E0E-43D4-AA71-A71B06563A4A}" = Dell Support Center
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0D2DBE8A-43D0-7830-7AE7-CA6C99A832E7}" = Adobe Community Help
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{0ED7EE95-6A97-47AA-AD73-152C08A15B04}" = Dell DataSafe Local Backup
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{13BA7B44-B712-4DEE-A7B8-1DD564F37AE5}" = Dell System Customization Wizard
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{23B8A91D-680B-462B-87AD-3D70F7341731}" = iTunes
"{26A24AE4-039D-4CA4-87B4-2F83217004FF}" = Java™ 7 Update 4
"{2A6355EB-273D-4368-9DB6-FB99EBA9FABD}" = Cisco AnyConnect VPN Client
"{2ECDE974-69D9-47A9-9EB0-10EC49F8468A}" = PASW Statistics 17.0
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{50163332-D890-4919-A619-BEB6F7065EFE}" = AVT FirePackage
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{53C020C2-8C1A-11D9-8BDE-F66BAD1E3F3A}" = EndNote 9.0.1 Volume License Edition
"{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}" = User's Guides
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F0C4457-8E64-491B-8D7B-991504365D1E}" = QuickSet
"{80B70B4B-C90C-4938-A956-76F5021DE412}" = Cisco DART
"{83d96ed0-98aa-4515-8ddc-816f3efdd104}" = DB CIF Cam
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{86B3F2D6-AC2B-4E88-8AE1-F2F77F781B0C}" = EndNote X3
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}" = OutlookAddinSetup
"{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}" = MediaDirect
"{A066194B-DC8F-449A-8E0F-B57BDD3A2072}" = SyncToy 2.1 (x86)
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{A9668246-FB70-4103-A1E3-66C9BC2EFB49}" = Dell DataSafe Local Backup - Support Software
"{AC599724-5755-48C1-ABE7-ABB857652930}" = PC Connectivity Solution
"{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Français, Deutsch
"{AC76BA86-1033-F400-7760-000000000004}_951" = Adobe Acrobat 9.5.1 - CPSID_83708
"{AC76BA86-1033-F400-7760-000000000004}{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.1
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{C49067A8-8212-4A82-A4D9-1519701644F0}" = Citrix Presentation Server Client - Web Only
"{C6579A65-9CAE-4B31-8B6B-3306E0630A66}" = Apple Software Update
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{C99C0593-3B48-41D9-B42F-6E035B320449}" = Broadcom Management Programs
"{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}" = Cisco Systems VPN Client 5.0.00.0340
"{CDC08463-9303-4BF1-BF8C-E1A2ECEE3248}" = Adobe Creative Suite 5 Web Premium
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus® for Adobe
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D3A80508-CD83-4CA3-8671-914A1BC78B61}" = Microsoft Sync Framework 2.0 Provider Services (x86) ENU
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DE3A9DC5-9A5D-6485-9662-347162C7E4CA}" = Adobe Media Player
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
"{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}" = PL-2303 USB-to-Serial
"{EFC04D3F-A152-47E7-8517-EE0F6201AFEF}" = Apple Mobile Device Support
"{F63A3748-B93D-4360-9AD4-B064481A5C7B}" = Modem Diagnostic Tool
"{F9766AC1-1461-1033-B862-DF8FE1C033BE}" = Adobe InDesign CS5
"{FF63121D-91C6-42CC-B341-F1AA729728E7}" = Microsoft Sync Framework 2.0 Core Components (x86) ENU
"3A5DEFA413DDE699DBA6EBE0A63534ACA524D30F" = Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
"Aangifte inkomstenbelasting 2007" = Aangifte inkomstenbelasting 2007
"Aangifte inkomstenbelasting 2008" = Aangifte inkomstenbelasting 2008
"Aangifte inkomstenbelasting 2009" = Aangifte inkomstenbelasting 2009
"Aangifte inkomstenbelasting 2010" = Aangifte inkomstenbelasting 2010
"Aangifte inkomstenbelasting 2011" = Aangifte inkomstenbelasting 2011
"ACDLabs in C__Program_Files_ACDFREE12_" = ACD/Labs Software in C:\Program Files\ACDFREE12\
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced Video FX Engine" = Advanced Video FX Engine
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CBF192A85B624E32B8D19ADEEF2DCFC5BC3AA73A" = Windows Driver Package - Nokia Modem (03/05/2008 3.7)
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Creative OEM002" = Laptop Integrated Webcam Driver (1.04.01.1011)
"Dell Support Center" = Dell Support Center
"DELL Webcam Center" = DELL Webcam Center
"DELL Webcam Manager" = DELL Webcam Manager
"HASP HL Device Driver" = HASP HL Device Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"Kinderopvangtoeslag 2008" = Kinderopvangtoeslag 2008
"Kinderopvangtoeslag 2009" = Kinderopvangtoeslag 2009
"Kinderopvangtoeslag 2010" = Kinderopvangtoeslag 2010
"Kinderopvangtoeslag 2011" = Kinderopvangtoeslag 2011
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 12.0 (x86 en-US)" = Mozilla Firefox 12.0 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSC" = McAfee Internet Security
"NVIDIA Drivers" = NVIDIA Drivers
"R for Windows 2.11.1_is1" = R for Windows 2.11.1
"ResearchSoft Direct Export Helper" = ResearchSoft Direct Export Helper
"Secunia PSI" = Secunia PSI (3.0.0.0006)
"SynTPDeinstKey" = Dell Touchpad
"Verzoek of wijziging voorlopige aanslag 2009" = Verzoek of wijziging voorlopige aanslag 2009
"Verzoek of wijziging voorlopige aanslag 2010" = Verzoek of wijziging voorlopige aanslag 2010
"Verzoek of wijziging voorlopige aanslag 2012" = Verzoek of wijziging voorlopige aanslag 2012
"Verzoek voorlopige teruggaaf 2008" = Verzoek voorlopige teruggaaf 2008
"WinRAR archiver" = WinRAR

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

#9 Gammo

Gammo

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:36 PM

Posted 09 May 2012 - 11:29 AM

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    SRV - File not found [On_Demand | Stopped] -- C:\Program Files\G Data\TotalCare\AVKTuner\AVKTunerService.exe -- (G Data Tuner Service)
    IE - HKU\S-1-5-21-3375708600-1371752053-1193405594-1000\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=SPC2&o=15000&src=crm&q={searchTerms}&locale=en_NL
    [2012/05/06 09:24:31 | 000,000,000 | ---- | M] () -- C:\ProgramData\-tFIaSpq2Bo9b2O
    
    :Services
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done






Your logs appear to be clean now. There is only a bit of cleanup that we will deal with in this post, as well as prevention from future infections. ^_^

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    Posted Image
  • Please follow the prompts to uninstall Combofix.
  • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keep a backup of your important files
Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Make proper use of your anti-virus and firewall
You should keep your anti-virus and firewall guard enabled at all times, don't shut them off unless there's a specific reason to do so.

Also, regularly performing a full system scan with your anti-virus program is a good idea to make sure nothing has slipped through your protection. Once every two weeks works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Keep in mind that anti-virus programs are far from perfect. They don't protect you against every piece of malware that's out there, so don't trust them blindly. If an anti-virus reports a file as 'clean' then it's doesn't necessarily has to mean it is.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keep all your software updated
It is important to keep up on system updates from Microsoft by regularly checking their website at: http://windowsupdate.microsoft.com/, as these patch critical security vulnerabilities and help to keep you safe.

It's also important to keep programs up to date so that malware doesn't exploit any old security flaws. FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Java and Adobe Reader are two of the main security vulnerabilities. You can find the latest version of Java here, you will want the Java SE Runtime Environment (JRE) one. You can find the latest version of Adobe Reader here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use a safer web browser
Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a couple good free alternatives: Google Chrome and Opera. Both are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these.

The WOT add-on will nicely help to enhance your security, no matter which web browser you use. This add-on tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Some other security programs

It is wise these days to have a few security programs installed and running on your machine except from just an anti-virus and a firewall. I will list some of them.
  • A good anti-spyware program installed on your pc is very important to help remove any spyware that may have gotten on your computer. I highly recommend Malwarebytes' Anti-Malware.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites in the future.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Be careful
Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to exercise common sense. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully to make sure that you know what you're getting.

Using peer-to-peer programs (eg: LimeWire, BitTorrent, uTorrent, Kazaa) or downloading cracks and keygens is something else to avoid. These are the most common way to get infected. Malware writers use these programs to spread infections as it is the easiest way for them. The majority of infections we see in the Malware Removal forum are due to people using p2p programs to download cracks/keygens/warez. These are not only illegal, but will always contain some form of malware. You have no way of verifying that the things you download are legitimate or that they don't contain malware. Even with an up to date anti-virus and firewall, some of these things will still infect you. It is highly recommend that you uninstall all peer-to-peer programs. It just isn't worth it.

Other common ways of getting infected are dis-reputable sites forcing you to download and install a codec. Or viruses using Instant Messaging programs (Windows Live Messenger, MSN Messenger, AIM) to send a file claiming it to be "photos" from a friend, only for it to turn out to be a virus.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Slow computer?
If your computer begins to slow down in the future for no particular reason, your first step should not be to come to the malware forum. As your computer ages and is used, it's parts wear, files and programs accumulate, and its performance can decrease. To restore your computer's performance to its best possible level, follow the steps in this page written by malware expert Miekiemoes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,
Gammo :cool:

Posted Image

Please post the final results, good or bad. We like to know!
My help is always free, but if I have helped you, please consider making a donation to help me continue the fight against malware! Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users