
Windows and McAfee firewall fail


  • This topic is locked
10 replies to this topic

#1 Evitano


  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:06 AM

Posted 05 September 2012 - 09:31 AM

For the past month I've been experiencing problems with both the McAfee firewall and the Windows firewall. I'm currently running Windows 7 SP1 and McAfee AntiVirus Plus. When I try to turn the McAfee firewall on, it immediately turns off again. The Windows firewall is down as well. When I try to start it through services.msc I get error code 1075. When started through Control Panel I get error code 80070433.
A month ago I had an issue where a McAfee window kept popping up saying it had detected trojans. Unfortunately I didn't write down which trojans they were. Since I only noticed the firewall problem later on, I didn't see an immediate relationship. So I first uninstalled McAfee and reinstalled it in order to get the firewall up and running. The logs were probably uninstalled as well, as I can't seem to find them in order to trace back the trojan that McAfee removed. I've tried to manually start the firewall services, but that didn't help. I've scanned my drive with Stinger, GetSusp, SUPERAntiSpyware, TDSSKiller, Malwarebytes Free and CCE. Nothing really harmful has been found, although CCE reported a problem with Global winlogon:

Cleanup results
Global WINLOGON SYSCHANGE Repair OK

Global HOSTS SYSCHANGE Repair OK

HitmanPro finally says it's ZeroAccess. I've downloaded the rootkit remover, but that turned up nothing. Malwarebytes showed up some results, but nothing new.

McAfee Virtual Technician reports a few problems with the registry keys.
I've tried McAfee support, but no luck so far in finding a solution.
Maybe you guys can help me.

This is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:24:40, on 5-9-2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16448)
Boot mode: Normal

Running processes:
C:\Users\Ivo\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files (x86)\Synology Data Replicator 3\Backup.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Users\Ivo\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
C:\Users\Ivo\AppData\Local\Akamai\netsession_win.exe
C:\Users\Ivo\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Users\Ivo\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\iTunes\iTunes.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
c:\PROGRA~2\mcafee\SITEAD~1\saui.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_265.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_4_402_265.exe
C:\Users\Ivo\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.archol.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Google Update] "C:\Users\Ivo\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Data Replicator 3] "C:\Program Files (x86)\Synology Data Replicator 3\Backup.exe" /MIN
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Users\Ivo\AppData\Local\Akamai\netsession_win.exe"
O4 - HKCU\..\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
O4 - HKCU\..\Run: [googletalk] C:\Users\Ivo\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-365817166-3822867551-2538953537-1003\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-365817166-3822867551-2538953537-1003\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O4 - Startup: Dropbox.lnk = Ivo\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: Locate32 Autorun.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Verzenden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Verz&enden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {6E718D87-6909-4FCE-92D4-EDCB2F725727} (Navigram Control) - http://www.navigram.com/engine/v1026/Navigram.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B17CB3E9-C0FE-4444-AD96-7EC11B789E46}: Domain = archol.nl
O17 - HKLM\System\CCS\Services\Tcpip\..\{B17CB3E9-C0FE-4444-AD96-7EC11B789E46}: NameServer = 192.168.1.6 192.168.1.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2EE0A20-C362-4E33-83BA-141C6C250F75}: NameServer = 192.168.1.1
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~2\mcafee\msc\mcsniepl.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Autodesk Content Service - Unknown owner - C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Flexera Software, Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\615\g2aservice.exe
O23 - Service: Google Updateservice (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update-service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - Unknown owner - C:\Windows\system32\mfevtps.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: SynoDrService - Unknown owner - C:\Program Files (x86)\Synology Data Replicator 3\SynoDrServicex64.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 15526 bytes

Edited by hamluis, 05 September 2012 - 09:36 AM.
Moved from Win 7 to Malware Removal Logs - Hamluis.
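A triage helper for the O23 service lines of a HijackThis log, added here as an example; it is not part of the thread and not a tool either poster used. It assumes the HijackThis 2.0.x line format shown above and encodes one caveat that matters for this particular log: HijackThis 2.0.4 is a 32-bit program, and on 64-bit Windows the WoW64 file system redirector points its view of C:\Windows\System32 at C:\Windows\SysWOW64, so it reports native 64-bit service binaries as "(file missing)". That is why lsass.exe, spoolsv.exe and mfevtps.exe all appear missing above, while the x64 FRST scan posted later in the thread lists mfevtps.exe as present. The names ServiceEntry, parse_o23 and triage are the example's own, and the "Example Updater" sample line is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One HijackThis "O23 - Service:" line looks like this (HijackThis 2.0.x output):
#   O23 - Service: <display name> - <owner> - <path to binary>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# Paths under the native System32 directory. A 32-bit process on 64-bit Windows that
# opens C:\Windows\System32\... is silently redirected to C:\Windows\SysWOW64\...,
# so a 32-bit scanner cannot see the real 64-bit binaries there.
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)\s*$")


@dataclass
class ServiceEntry:
    display: str
    short_name: str      # name in trailing parentheses, or the display name if absent
    owner: str
    path: str
    file_missing: bool
    under_system32: bool


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one O23 line; any other log line yields None."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = m.group("display")
    sm = SHORT_NAME_RE.search(display)
    return ServiceEntry(
        display=display,
        short_name=sm.group(1) if sm else display,
        owner=m.group("owner"),
        path=m.group("path"),
        file_missing=m.group("missing") is not None,
        under_system32=bool(SYSTEM32_RE.match(m.group("path"))),
    )


def triage(lines):
    """Sort O23 entries into the buckets a log reviewer needs to treat differently."""
    buckets = {
        # "(file missing)" under System32 from a 32-bit scanner on x64: almost always
        # the WoW64 redirector at work; confirm with a 64-bit tool before acting on it.
        "wow64_artifact": [],
        # "(file missing)" outside System32: the binary really is absent; investigate.
        "missing_elsewhere": [],
        # owner could not be resolved, but the file is present in the 32-bit view.
        "unknown_owner_present": [],
        "ok": [],
    }
    for line in lines:
        e = parse_o23(line)
        if e is None:
            continue
        if e.file_missing and e.under_system32:
            buckets["wow64_artifact"].append(e.short_name)
        elif e.file_missing:
            buckets["missing_elsewhere"].append(e.short_name)
        elif e.owner == "Unknown owner":
            buckets["unknown_owner_present"].append(e.short_name)
        else:
            buckets["ok"].append(e.short_name)
    return buckets


# Sample input: the first five lines are copied from the HijackThis log in the post above;
# the "Example Updater" line is constructed to show a binary that is genuinely missing.
SAMPLE_LINES = [
    r"O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)",
    r"O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - Unknown owner - C:\Windows\system32\mfevtps.exe (file missing)",
    r"O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe",
    r"O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe",
    r"O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\615\g2aservice.exe",
    r"O23 - Service: Example Updater (ExampleUpd) - Unknown owner - C:\Program Files\Example\exampleupd.exe (file missing)",
    "O4 - Startup: Locate32 Autorun.lnk = ?",  # not an O23 line, must be skipped
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_LINES).items():
        print(f"{bucket:22s} {', '.join(names) or '-'}")
```

Run it as-is to see the buckets for the sample; for a full log, pass the file's lines in place of SAMPLE_LINES. The practical point for the firewall symptom reported above: Windows error 1075 is ERROR_SERVICE_DEPENDENCY_DELETED ("the dependency service does not exist or has been marked for deletion"), and 0x80070433 is the same error in its HRESULT form, so both reports describe one condition. The Windows Firewall service (MpsSvc) depends on the Base Filtering Engine (BFE); whether BFE still exists is a question for a 64-bit tool such as the FRST x64 run that CatByte asks for in the next reply, not for a 32-bit scanner's "(file missing)" flags.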



#2 CatByte


    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:06 PM

Posted 05 September 2012 - 10:35 AM

Please do the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • FRST will let you know when the scan is complete and has written FRST.txt to file. Close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button.
  • When the search is complete, Search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Evitano

  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:06 AM

Posted 09 September 2012 - 11:24 AM

Okay, thanks for helping, CatByte. I've done the Farbar Recovery Scan Tool scan and here are the logs:

FRST.log:
Scan result of Farbar Recovery Scan Tool (x64) Version: 08-09-2012
Ran by SYSTEM at 09-09-2012 17:19:51
Running from F:\
Windows 7 Enterprise (X64) OS Language: Dutch Standard
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin [611712 2010-08-14] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [41944 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [640480 2012-07-30] (Adobe Systems Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1527896 2012-06-21] (McAfee, Inc.)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKU\Ivo\...\Run: [Google Update] "C:\Users\Ivo\AppData\Local\Google\Update\GoogleUpdate.exe" /c [133104 2010-08-28] (Google Inc.)
HKU\Ivo\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe" [152872 2007-06-27] (Nero AG)
HKU\Ivo\...\Run: [Data Replicator 3] "C:\Program Files (x86)\Synology Data Replicator 3\Backup.exe" /MIN [11571200 2010-03-03] (Synology Inc.)
HKU\Ivo\...\Run: [Akamai NetSession Interface] "C:\Users\Ivo\AppData\Local\Akamai\netsession_win.exe" [4440896 2012-08-10] (Akamai Technologies, Inc.)
HKU\Ivo\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\Ivo\...\Run: [AdobeBridge] [x]
HKU\Ivo\...\Run: [googletalk] C:\Users\Ivo\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart [3739648 2007-01-01] (Google)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [462920 2012-07-03] (Malwarebytes Corporation)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\615\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.6 192.168.1.8
Tcpip\..\Interfaces\{E2EE0A20-C362-4E33-83BA-141C6C250F75}: [NameServer]192.168.1.1

==================== Services ====================

2 0099211347045717mcinstcleanup; C:\Windows\TEMP\009921~1.EXE -cleanup -nolog [827456 2012-01-09] (McAfee, Inc.)
2 Autodesk Content Service; "C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe" [18656 2011-02-02] ()
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
2 McAfee SiteAdvisor Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [200728 2012-05-11] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [200728 2012-05-11] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [200728 2012-05-11] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [200728 2012-05-11] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [200728 2012-05-11] (McAfee, Inc.)
3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [383608 2012-08-24] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [200728 2012-05-11] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [237920 2012-06-22] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [218320 2012-06-22] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [177144 2012-06-22] (McAfee, Inc.)
3 NMIndexingService; "C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe" [279848 2007-06-27] (Nero AG)
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [76888 2012-04-10] ()
2 SynoDrService; C:\Program Files (x86)\Synology Data Replicator 3\SynoDrServicex64.exe [404480 2010-01-07] ()

==================== Drivers =================================

1 AsIO; C:\Windows\SysWow64\Drivers\AsIO.sys [13368 2009-04-06] ()
1 AsUpIO; C:\Windows\SysWow64\Drivers\AsUpIO.sys [13368 2009-07-06] ()
3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [69672 2012-06-22] (McAfee, Inc.)
3 HipShieldK; C:\Windows\System32\Drivers\HipShieldK.sys [196440 2012-04-20] (McAfee, Inc.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [169320 2012-06-22] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [300392 2012-06-22] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\Drivers\mfefirek.sys [513456 2012-06-22] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [752672 2012-06-22] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [106112 2012-06-22] (McAfee, Inc.)
0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [335784 2012-06-22] (McAfee, Inc.)
3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-16] ()
1 SASDIFSV; \??\C:\Users\Ivo\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS [14920 2010-02-17] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
1 SASKUTIL; \??\C:\Users\Ivo\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS [12360 2010-02-17] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-08-14] (Duplex Secure Ltd.)
3 mfeavfk01; [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

==================== NetSvcs (Whitelisted) =================


==================== One Month Created Files and Folders ======================

2012-09-09 17:19 - 2012-09-09 17:19 - 00000000 ____D C:\FRST
2012-09-08 23:28 - 2012-09-09 00:46 - 00000000 ____D C:\Users\Ivo\AppData\Roaming\Azureus
2012-09-08 23:28 - 2012-09-08 23:28 - 00000000 ____D C:\Users\Ivo\.swt
2012-09-08 23:25 - 2012-09-08 23:25 - 00001848 ____A C:\Users\Public\Desktop\Vuze.lnk
2012-09-08 23:25 - 2012-09-08 23:25 - 00000000 ____D C:\Program Files (x86)\Vuze
2012-09-08 23:22 - 2012-09-08 23:22 - 06968784 ____A (Vuze Inc.) C:\Users\Ivo\Downloads\Vuze_Installer.exe
2012-09-08 16:02 - 2012-09-08 16:02 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-09-07 10:48 - 2012-09-07 10:49 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-09-07 10:48 - 2012-07-03 12:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-09-05 15:20 - 2012-09-05 15:24 - 00015528 ____A C:\Users\Ivo\Downloads\hijackthis.log
2012-09-05 14:17 - 2012-09-05 14:17 - 00000000 ____D C:\Users\McAfee\AppData\Local\Apple
2012-09-05 14:04 - 2012-09-05 14:04 - 00000000 ____D C:\Users\McAfee\AppData\Roaming\Macromedia
2012-09-05 13:58 - 2012-09-08 19:14 - 00001828 ____A C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk
2012-09-05 13:58 - 2012-04-20 15:40 - 00196440 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\HipShieldK.sys
2012-09-05 13:57 - 2012-09-05 13:57 - 00000000 ____D C:\Program Files\Common Files\McAfee
2012-09-05 13:57 - 2012-09-05 13:57 - 00000000 ____D C:\Program Files (x86)\McAfee.com
2012-09-05 13:57 - 2012-06-22 06:40 - 00069672 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\cfwids.sys
2012-09-05 13:57 - 2012-06-22 06:38 - 00335784 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfewfpk.sys
2012-09-05 13:57 - 2012-06-22 06:37 - 00010288 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfeclnk.sys
2012-09-05 13:57 - 2012-06-22 06:36 - 00106112 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mferkdet.sys
2012-09-05 13:57 - 2012-06-22 06:35 - 00513456 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfefirek.sys
2012-09-05 13:57 - 2012-06-22 06:34 - 00300392 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfeavfk.sys
2012-09-05 13:56 - 2012-09-07 20:21 - 00000000 ____D C:\Program Files (x86)\McAfee
2012-09-05 13:56 - 2012-09-05 13:58 - 00000000 ____D C:\Program Files\McAfee
2012-09-05 13:56 - 2012-09-05 13:56 - 00000000 ____D C:\Program Files\McAfee.com
2012-09-05 13:43 - 2012-09-05 16:57 - 00000000 ____D C:\Users\All Users\McAfee
2012-09-05 13:43 - 2012-06-22 06:38 - 00177144 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe
2012-09-05 13:39 - 2012-09-05 13:39 - 00178264 ____A C:\Users\McAfee\AppData\Local\GDIPFONTCACHEV1.DAT
2012-09-05 13:39 - 2012-06-01 13:08 - 04285728 ____A (McAfee, Inc.) C:\Users\McAfee\Documents\McAfeeSetup.exe
2012-09-05 13:38 - 2012-09-05 13:44 - 00000000 ____D C:\Users\McAfee\AppData\Roaming\Adobe
2012-09-05 13:38 - 2012-09-05 13:38 - 00000000 ____D C:\Users\McAfee\AppData\Roaming\Apple Computer
2012-09-05 13:38 - 2012-09-05 13:38 - 00000000 ____D C:\Users\McAfee\AppData\Local\Adobe
2012-09-05 13:37 - 2012-09-09 16:08 - 00001118 ____A C:\Windows\setupact.log
2012-09-05 13:37 - 2012-09-06 20:54 - 00041024 ____A C:\Windows\PFRO.log
2012-09-05 13:37 - 2012-09-05 13:37 - 00000020 ___SH C:\Users\McAfee\ntuser.ini
2012-09-05 13:37 - 2012-09-05 13:37 - 00000000 __SHD C:\Users\McAfee\Sjablonen
2012-09-05 13:37 - 2012-09-05 13:37 - 00000000 __SHD C:\Users\McAfee\Netwerkprinteromgeving
2012-09-05 13:37 - 2012-09-05 13:37 - 00000000 __SHD C:\Users\McAfee\Mijn documenten
2012-09-05 13:37 - 2012-09-05 13:37 - 00000000 __SHD C:\Users\McAfee\Menu Start
2012-09-05 13:37 - 2012-09-05 13:37 - 00000000 __SHD C:\Users\McAfee\Documents\Mijn video's
2012-09-05 13:37 - 2012-09-05 13:37 - 00000000 __SHD C:\Users\McAfee\Documents\Mijn muziek
2012-09-05 13:37 - 2012-09-05 13:37 - 00000000 __SHD C:\Users\McAfee\Documents\Mijn afbeeldingen
2012-09-05 13:37 - 2012-09-05 13:37 - 00000000 __SHD C:\Users\McAfee\AppData\Local\Geschiedenis
2012-09-05 13:37 - 2012-09-05 13:37 - 00000000 ____D C:\Users\McAfee\AppData\Local\VirtualStore
2012-09-05 13:37 - 2012-09-05 13:37 - 00000000 ____D C:\users\McAfee
2012-09-05 13:37 - 2012-09-05 13:37 - 00000000 ____A C:\Windows\setuperr.log
2012-09-05 13:37 - 2010-08-13 23:17 - 00000000 ____D C:\Users\McAfee\AppData\Local\Microsoft Help
2012-09-05 12:26 - 2012-09-05 12:26 - 00000000 ____D C:\Users\All Users\SUPERAntiSpyware.com
2012-09-05 12:23 - 2010-06-29 14:31 - 10863320 ____A C:\Users\Ivo\Documents\SAS_8115.COM
2012-09-05 12:21 - 2012-06-20 10:50 - 01832544 ____A (McAfee, Inc.) C:\Users\Ivo\Documents\MCPR.exe
2012-09-05 12:17 - 2009-04-21 20:02 - 01079296 ____A (ADDPCs) C:\Users\Ivo\Documents\tempCleaner.exe
2012-09-05 12:05 - 2012-09-05 12:05 - 00000000 ____D C:\Program Files (x86)\Citrix
2012-08-29 12:59 - 2012-08-29 12:59 - 00103784 ____A C:\Users\Ivo\GoToAssistDownloadHelper.exe
2012-08-29 12:59 - 2012-08-29 12:59 - 00000000 ____D C:\Users\Ivo\AppData\Local\Citrix
2012-08-29 10:10 - 2012-08-29 10:10 - 00347424 ____A (Microsoft Corporation) C:\Users\Ivo\Downloads\MicrosoftFixit.WindowsFirewall.RNP.32269662224100328.1.1.Run.exe
2012-08-28 10:17 - 2012-08-28 10:17 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\Ivo\Downloads\tdsskiller(1).exe
2012-08-28 08:44 - 2012-08-28 08:44 - 00388608 ____A (Trend Micro Inc.) C:\Users\Ivo\Downloads\HijackThis.exe
2012-08-27 22:23 - 2012-08-27 22:23 - 01805736 ____A (Symantec Corporation) C:\Users\Ivo\Downloads\FixZeroAccess(1).exe
2012-08-27 22:18 - 2012-08-27 22:18 - 00000000 ____D C:\Program Files\HitmanPro
2012-08-27 22:15 - 2012-08-27 22:15 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2012-08-27 21:59 - 2012-08-27 22:15 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-08-27 21:59 - 2012-08-27 21:59 - 08864168 ____A (SurfRight B.V.) C:\Users\Ivo\Downloads\HitmanPro36_x64.exe
2012-08-27 19:37 - 2012-08-27 19:37 - 00000000 ____A C:\extensions.sqlite
2012-08-26 14:58 - 2012-08-26 14:58 - 00000039 ___RH C:\Users\Ivo\Downloads\stinger.opt
2012-08-26 14:50 - 2012-08-26 14:50 - 00016200 ____A (McAfee, Inc.) C:\Windows\stinger.sys
2012-08-26 14:49 - 2012-08-26 14:58 - 00000000 ____D C:\Program Files (x86)\stinger
2012-08-26 14:49 - 2012-08-26 14:49 - 09873000 ____A (McAfee Inc.) C:\Users\Ivo\Downloads\stinger.exe
2012-08-26 08:56 - 2012-08-26 08:56 - 00000821 ____A C:\Windows\System32\Drivers\etc\hosts.ccebak
2012-08-26 08:56 - 2012-08-26 08:56 - 00000000 ____D C:\CCE_Quarantine
2012-08-25 22:04 - 2012-08-25 22:04 - 00000065 ___RH C:\Users\Ivo\Downloads\GetSusp.opt
2012-08-25 21:05 - 2012-08-25 21:05 - 07837117 ____N C:\Users\Ivo\Downloads\gsusp_CB1F8FAC1C8D_082512_220554.zip
2012-08-25 20:36 - 2012-08-25 21:05 - 00003786 ____A C:\Users\Ivo\Downloads\GetSusp.xml
2012-08-25 20:35 - 2012-08-25 20:35 - 01507432 ____A (McAfee Inc.) C:\Users\Ivo\Downloads\GetSusp.exe
2012-08-25 20:33 - 2012-08-25 20:33 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Ivo\Downloads\mbam-setup-1.62.0.1300.exe
2012-08-25 20:32 - 2012-08-25 20:32 - 00000000 ____D C:\Users\Ivo\Downloads\cce_2.5.242177.201_x64
2012-08-25 20:31 - 2012-08-25 20:31 - 00000000 ____D C:\Users\Ivo\Downloads\CCE
2012-08-25 20:30 - 2012-08-25 20:30 - 25543261 ____A C:\Users\Ivo\Downloads\cce_2.5.242177.201_x64.zip
2012-08-25 20:05 - 2012-08-25 20:05 - 00475752 ____A (McAfee, Inc.) C:\Users\Ivo\Downloads\rootkitremover.exe
2012-08-25 19:40 - 2012-08-25 19:40 - 00526800 ____A (McAfee, Inc.) C:\Users\Ivo\Downloads\MVTInstaller(2).exe
2012-08-22 17:17 - 2012-08-22 17:17 - 04841960 ____A (McAfee, Inc.) C:\Users\Ivo\Downloads\McAfeeSetup.exe
2012-08-22 16:57 - 2012-08-22 16:57 - 03178400 ____A (McAfee, Inc.) C:\Users\Ivo\Downloads\MCPR.exe
2012-08-22 16:56 - 2012-08-22 16:56 - 00526800 ____A (McAfee, Inc.) C:\Users\Ivo\Downloads\MVTInstaller(1).exe
2012-08-22 13:03 - 2012-08-22 13:03 - 00000000 ____D C:\Users\Ivo\AppData\Roaming\McAfee
2012-08-22 13:01 - 2012-08-22 13:01 - 00526800 ____A (McAfee, Inc.) C:\Users\Ivo\Downloads\MVTInstaller.exe
2012-08-22 08:53 - 2012-08-22 08:53 - 00000000 ____D C:\Windows\Sun
2012-08-21 13:50 - 2012-08-21 13:50 - 00677376 ____A C:\Users\Ivo\Downloads\MicrosoftFixit50687.msi
2012-08-21 12:59 - 2012-08-21 12:59 - 00000000 ____D C:\Users\Ivo\AppData\Roaming\SUPERAntiSpyware.com
2012-08-21 12:57 - 2012-08-21 12:57 - 19276808 ____A (SUPERAntiSpyware.com) C:\Users\Ivo\Downloads\SUPERAntiSpyware.exe
2012-08-21 12:57 - 2012-08-21 12:57 - 00001229 ____A C:\Users\Ivo\Desktop\win7_firewall.zip
2012-08-21 12:54 - 2012-08-21 12:54 - 00000000 ____D C:\TDSSKiller_Quarantine
2012-08-21 12:48 - 2012-08-21 12:49 - 00347424 ____A (Microsoft Corporation) C:\Users\Ivo\Downloads\MicrosoftFixit.wu.Run.exe
2012-08-21 12:46 - 2012-08-21 12:47 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Ivo\Downloads\tdsskiller.exe
2012-08-21 12:46 - 2012-08-21 12:46 - 18777219 ____A C:\Users\Ivo\Downloads\msert.exe
2012-08-19 16:04 - 2012-08-19 16:06 - 03528419 ____A C:\Users\Ivo\Downloads\Foto's open dag Bandkeramiek 18 aug. 2012.zip
2012-08-19 13:15 - 2012-09-05 15:19 - 00027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys
2012-08-19 13:15 - 2012-08-19 13:15 - 01805736 ____A (Symantec Corporation) C:\Users\Ivo\Downloads\FixZeroAccess.exe
2012-08-15 09:15 - 2012-06-29 05:55 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-08-15 09:15 - 2012-06-29 05:09 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-08-15 09:15 - 2012-06-29 04:56 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-08-15 09:15 - 2012-06-29 04:49 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-08-15 09:15 - 2012-06-29 04:49 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-08-15 09:15 - 2012-06-29 04:48 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-08-15 09:15 - 2012-06-29 04:47 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-08-15 09:15 - 2012-06-29 04:45 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-08-15 09:15 - 2012-06-29 04:44 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-08-15 09:15 - 2012-06-29 04:43 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-08-15 09:15 - 2012-06-29 04:42 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-08-15 09:15 - 2012-06-29 04:40 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-08-15 09:15 - 2012-06-29 04:39 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-08-15 09:15 - 2012-06-29 04:35 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-08-15 09:15 - 2012-06-29 01:52 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-08-15 09:15 - 2012-06-29 01:27 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-08-15 09:15 - 2012-06-29 01:16 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-08-15 09:15 - 2012-06-29 01:09 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-08-15 09:15 - 2012-06-29 01:09 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-08-15 09:15 - 2012-06-29 01:08 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-08-15 09:15 - 2012-06-29 01:07 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-08-15 09:15 - 2012-06-29 01:06 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-08-15 09:15 - 2012-06-29 01:04 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-08-15 09:15 - 2012-06-29 01:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-08-15 09:15 - 2012-06-29 01:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-08-15 09:15 - 2012-06-29 01:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-08-15 09:15 - 2012-06-29 01:00 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-08-15 09:15 - 2012-06-29 00:57 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-08-15 09:09 - 2012-07-18 19:15 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-08-15 09:09 - 2012-07-04 23:16 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-08-15 09:09 - 2012-07-04 23:13 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-08-15 09:09 - 2012-07-04 23:13 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-08-15 09:09 - 2012-07-04 22:16 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-08-15 09:09 - 2012-07-04 22:14 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-08-15 09:09 - 2012-05-05 09:36 - 00503808 ____A (Microsoft Corporation) C:\Windows\System32\srcore.dll
2012-08-15 09:09 - 2012-05-05 08:46 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2012-08-15 09:09 - 2012-02-11 07:43 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2012-08-15 09:09 - 2012-02-11 07:36 - 00559104 ____A (Microsoft Corporation) C:\Windows\System32\spoolsv.exe
2012-08-15 09:09 - 2012-02-11 07:36 - 00067072 ____A (Microsoft Corporation) C:\Windows\splwow64.exe
2012-08-15 09:09 - 2012-02-11 06:43 - 00492032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2012-08-15 09:08 - 2012-05-14 06:26 - 00956928 ____A (Microsoft Corporation) C:\Windows\System32\localspl.dll
2012-08-15 09:00 - 2009-08-19 22:50 - 00024416 ___RA (Adobe Systems Inc.) C:\Windows\System32\AdobePDFUI.dll
2012-08-13 22:30 - 2012-08-13 22:30 - 00000000 ____D C:\Users\Ivo\AppData\Roaming\Malwarebytes
2012-08-13 22:30 - 2012-08-13 22:30 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-08-13 22:22 - 2012-08-13 22:22 - 02322184 ____A (ESET) C:\Users\Ivo\Downloads\esetsmartinstaller_enu.exe


==================== 3 Months Modified Files ================================

2012-09-09 16:15 - 2010-08-13 21:37 - 01668923 ____A C:\Windows\WindowsUpdate.log
2012-09-09 16:13 - 2012-04-01 14:22 - 00000940 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-09 16:10 - 2009-07-14 10:12 - 00746298 ____A C:\Windows\System32\perfh013.dat
2012-09-09 16:10 - 2009-07-14 10:12 - 00153504 ____A C:\Windows\System32\perfc013.dat
2012-09-09 16:10 - 2009-07-14 06:13 - 01672146 ____A C:\Windows\System32\PerfStringBackup.INI
2012-09-09 16:08 - 2012-09-05 13:37 - 00001118 ____A C:\Windows\setupact.log
2012-09-09 15:24 - 2011-03-28 21:49 - 00001050 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-09-09 15:24 - 2010-08-28 12:55 - 00001058 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-365817166-3822867551-2538953537-1001UA.job
2012-09-09 11:54 - 2011-12-03 10:50 - 00000512 ____A C:\Windows\Tasks\Web.AliveUpdateTask.job
2012-09-09 11:38 - 2011-03-28 21:49 - 00001046 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-09-09 11:34 - 2010-08-28 12:55 - 00001006 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-365817166-3822867551-2538953537-1001Core.job
2012-09-08 23:25 - 2012-09-08 23:25 - 00001848 ____A C:\Users\Public\Desktop\Vuze.lnk
2012-09-08 23:22 - 2012-09-08 23:22 - 06968784 ____A (Vuze Inc.) C:\Users\Ivo\Downloads\Vuze_Installer.exe
2012-09-08 19:14 - 2012-09-05 13:58 - 00001828 ____A C:\Users\Public\Desktop\McAfee AntiVirus Plus.lnk
2012-09-07 09:55 - 2009-07-14 05:45 - 00016640 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-07 09:55 - 2009-07-14 05:45 - 00016640 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-07 09:41 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-06 20:54 - 2012-09-05 13:37 - 00041024 ____A C:\Windows\PFRO.log
2012-09-05 15:24 - 2012-09-05 15:20 - 00015528 ____A C:\Users\Ivo\Downloads\hijackthis.log
2012-09-05 15:19 - 2012-08-19 13:15 - 00027256 ____A (Symantec Corporation) C:\Windows\System32\Drivers\FixZeroAccess.sys
2012-09-05 13:39 - 2012-09-05 13:39 - 00178264 ____A C:\Users\McAfee\AppData\Local\GDIPFONTCACHEV1.DAT
2012-09-05 13:37 - 2012-09-05 13:37 - 00000020 ___SH C:\Users\McAfee\ntuser.ini
2012-09-05 13:37 - 2012-09-05 13:37 - 00000000 ____A C:\Windows\setuperr.log
2012-09-03 21:25 - 2010-08-16 20:27 - 00283304 ____A C:\Windows\SysWOW64\PnkBstrB.xtr
2012-09-03 21:25 - 2010-08-16 18:38 - 00283304 ____A C:\Windows\SysWOW64\PnkBstrB.exe
2012-09-03 21:25 - 2010-08-16 18:38 - 00280904 ____A C:\Windows\SysWOW64\PnkBstrB.ex0
2012-08-29 12:59 - 2012-08-29 12:59 - 00103784 ____A C:\Users\Ivo\GoToAssistDownloadHelper.exe
2012-08-29 10:10 - 2012-08-29 10:10 - 00347424 ____A (Microsoft Corporation) C:\Users\Ivo\Downloads\MicrosoftFixit.WindowsFirewall.RNP.32269662224100328.1.1.Run.exe
2012-08-28 10:17 - 2012-08-28 10:17 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\Ivo\Downloads\tdsskiller(1).exe
2012-08-28 09:48 - 2012-05-21 21:40 - 00030208 ____A C:\Users\Ivo\Desktop\adressen.xls
2012-08-28 09:07 - 2012-05-21 21:40 - 00038460 ____A C:\Users\Ivo\AppData\Roaming\Microsoft Excel 97-2003.ADR
2012-08-28 08:44 - 2012-08-28 08:44 - 00388608 ____A (Trend Micro Inc.) C:\Users\Ivo\Downloads\HijackThis.exe
2012-08-27 22:23 - 2012-08-27 22:23 - 01805736 ____A (Symantec Corporation) C:\Users\Ivo\Downloads\FixZeroAccess(1).exe
2012-08-27 22:15 - 2012-08-27 22:15 - 00012872 ____A (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2012-08-27 21:59 - 2012-08-27 21:59 - 08864168 ____A (SurfRight B.V.) C:\Users\Ivo\Downloads\HitmanPro36_x64.exe
2012-08-27 19:37 - 2012-08-27 19:37 - 00000000 ____A C:\extensions.sqlite
2012-08-27 19:29 - 2009-07-14 06:08 - 00032630 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-26 15:08 - 2012-04-01 14:22 - 00696520 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-26 15:08 - 2011-05-18 08:22 - 00073416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-26 14:58 - 2012-08-26 14:58 - 00000039 ___RH C:\Users\Ivo\Downloads\stinger.opt
2012-08-26 14:50 - 2012-08-26 14:50 - 00016200 ____A (McAfee, Inc.) C:\Windows\stinger.sys
2012-08-26 14:49 - 2012-08-26 14:49 - 09873000 ____A (McAfee Inc.) C:\Users\Ivo\Downloads\stinger.exe
2012-08-26 08:56 - 2012-08-26 08:56 - 00000821 ____A C:\Windows\System32\Drivers\etc\hosts.ccebak
2012-08-25 22:04 - 2012-08-25 22:04 - 00000065 ___RH C:\Users\Ivo\Downloads\GetSusp.opt
2012-08-25 21:05 - 2012-08-25 21:05 - 07837117 ____N C:\Users\Ivo\Downloads\gsusp_CB1F8FAC1C8D_082512_220554.zip
2012-08-25 21:05 - 2012-08-25 20:36 - 00003786 ____A C:\Users\Ivo\Downloads\GetSusp.xml
2012-08-25 20:35 - 2012-08-25 20:35 - 01507432 ____A (McAfee Inc.) C:\Users\Ivo\Downloads\GetSusp.exe
2012-08-25 20:35 - 2011-03-27 20:22 - 01692338 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-25 20:33 - 2012-08-25 20:33 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Ivo\Downloads\mbam-setup-1.62.0.1300.exe
2012-08-25 20:30 - 2012-08-25 20:30 - 25543261 ____A C:\Users\Ivo\Downloads\cce_2.5.242177.201_x64.zip
2012-08-25 20:05 - 2012-08-25 20:05 - 00475752 ____A (McAfee, Inc.) C:\Users\Ivo\Downloads\rootkitremover.exe
2012-08-25 19:40 - 2012-08-25 19:40 - 00526800 ____A (McAfee, Inc.) C:\Users\Ivo\Downloads\MVTInstaller(2).exe
2012-08-22 17:17 - 2012-08-22 17:17 - 04841960 ____A (McAfee, Inc.) C:\Users\Ivo\Downloads\McAfeeSetup.exe
2012-08-22 16:57 - 2012-08-22 16:57 - 03178400 ____A (McAfee, Inc.) C:\Users\Ivo\Downloads\MCPR.exe
2012-08-22 16:56 - 2012-08-22 16:56 - 00526800 ____A (McAfee, Inc.) C:\Users\Ivo\Downloads\MVTInstaller(1).exe
2012-08-22 13:01 - 2012-08-22 13:01 - 00526800 ____A (McAfee, Inc.) C:\Users\Ivo\Downloads\MVTInstaller.exe
2012-08-22 09:09 - 2010-10-25 18:45 - 00000294 ____A C:\Windows\Tasks\Synology Data Replicator 3-Workstation-Ivo.job
2012-08-21 13:50 - 2012-08-21 13:50 - 00677376 ____A C:\Users\Ivo\Downloads\MicrosoftFixit50687.msi
2012-08-21 12:57 - 2012-08-21 12:57 - 19276808 ____A (SUPERAntiSpyware.com) C:\Users\Ivo\Downloads\SUPERAntiSpyware.exe
2012-08-21 12:57 - 2012-08-21 12:57 - 00001229 ____A C:\Users\Ivo\Desktop\win7_firewall.zip
2012-08-21 12:49 - 2012-08-21 12:48 - 00347424 ____A (Microsoft Corporation) C:\Users\Ivo\Downloads\MicrosoftFixit.wu.Run.exe
2012-08-21 12:47 - 2012-08-21 12:46 - 02212440 ____A (Kaspersky Lab ZAO) C:\Users\Ivo\Downloads\tdsskiller.exe
2012-08-21 12:46 - 2012-08-21 12:46 - 18777219 ____A C:\Users\Ivo\Downloads\msert.exe
2012-08-19 16:06 - 2012-08-19 16:04 - 03528419 ____A C:\Users\Ivo\Downloads\Foto's open dag Bandkeramiek 18 aug. 2012.zip
2012-08-19 13:15 - 2012-08-19 13:15 - 01805736 ____A (Symantec Corporation) C:\Users\Ivo\Downloads\FixZeroAccess.exe
2012-08-15 09:51 - 2009-07-14 05:45 - 03232240 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-15 09:10 - 2010-08-13 22:03 - 62134624 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-08-13 22:22 - 2012-08-13 22:22 - 02322184 ____A (ESET) C:\Users\Ivo\Downloads\esetsmartinstaller_enu.exe
2012-08-07 20:40 - 2012-08-07 20:40 - 00347424 ____A (Microsoft Corporation) C:\Users\Ivo\Downloads\MicrosoftFixit.WindowsFirewall.RNP.33267799011239293.1.1.Run.exe
2012-07-25 20:53 - 2012-07-25 20:52 - 03878112 ____A C:\Users\Ivo\Downloads\battlelog-web-plugins-1.122.0-retail-prod(1).exe
2012-07-23 21:18 - 2012-07-23 21:18 - 03878112 ____A C:\Users\Ivo\Downloads\battlelog-web-plugins-1.122.0-retail-prod.exe
2012-07-23 20:58 - 2012-07-23 20:57 - 10440576 ____N C:\Users\Ivo\Desktop\overzicht sites.ai
2012-07-23 09:11 - 2009-07-14 03:34 - 00000478 ____A C:\Windows\win.ini
2012-07-22 17:46 - 2012-07-22 17:46 - 00790822 ____A C:\Users\Ivo\Downloads\IMAG0050.jpg.zip
2012-07-18 19:15 - 2012-08-15 09:09 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-04 23:16 - 2012-08-15 09:09 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\netapi32.dll
2012-07-04 23:13 - 2012-08-15 09:09 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\browser.dll
2012-07-04 23:13 - 2012-08-15 09:09 - 00059392 ____A (Microsoft Corporation) C:\Windows\System32\browcli.dll
2012-07-04 22:16 - 2012-08-15 09:09 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\netapi32.dll
2012-07-04 22:14 - 2012-08-15 09:09 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\browcli.dll
2012-07-03 12:46 - 2012-09-07 10:48 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-29 05:55 - 2012-08-15 09:15 - 17809920 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-29 05:09 - 2012-08-15 09:15 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-29 04:56 - 2012-08-15 09:15 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-29 04:49 - 2012-08-15 09:15 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-29 04:49 - 2012-08-15 09:15 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-29 04:48 - 2012-08-15 09:15 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-29 04:47 - 2012-08-15 09:15 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-29 04:45 - 2012-08-15 09:15 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-29 04:44 - 2012-08-15 09:15 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-29 04:43 - 2012-08-15 09:15 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-29 04:42 - 2012-08-15 09:15 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-29 04:40 - 2012-08-15 09:15 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-29 04:39 - 2012-08-15 09:15 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-29 04:35 - 2012-08-15 09:15 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-29 01:52 - 2012-08-15 09:15 - 12317184 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-29 01:27 - 2012-08-15 09:15 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-29 01:16 - 2012-08-15 09:15 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-29 01:09 - 2012-08-15 09:15 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-29 01:09 - 2012-08-15 09:15 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-29 01:08 - 2012-08-15 09:15 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-29 01:07 - 2012-08-15 09:15 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-29 01:06 - 2012-08-15 09:15 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-29 01:04 - 2012-08-15 09:15 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-29 01:04 - 2012-08-15 09:15 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-29 01:01 - 2012-08-15 09:15 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-29 01:01 - 2012-08-15 09:15 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-29 01:00 - 2012-08-15 09:15 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-29 00:57 - 2012-08-15 09:15 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-22 06:40 - 2012-09-05 13:57 - 00069672 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\cfwids.sys
2012-06-22 06:38 - 2012-09-05 13:57 - 00335784 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfewfpk.sys
2012-06-22 06:38 - 2012-09-05 13:43 - 00177144 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe
2012-06-22 06:37 - 2012-09-05 13:57 - 00010288 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfeclnk.sys
2012-06-22 06:36 - 2012-09-05 13:57 - 00106112 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mferkdet.sys
2012-06-22 06:36 - 2012-02-22 12:29 - 00752672 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfehidk.sys
2012-06-22 06:35 - 2012-09-05 13:57 - 00513456 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfefirek.sys
2012-06-22 06:34 - 2012-09-05 13:57 - 00300392 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfeavfk.sys
2012-06-22 06:34 - 2012-02-22 12:29 - 00169320 ____A (McAfee, Inc.) C:\Windows\System32\Drivers\mfeapfk.sys
2012-06-20 15:06 - 2012-06-20 15:06 - 00001783 ____A C:\Users\Public\Desktop\iTunes.lnk
2012-06-20 10:50 - 2012-09-05 12:21 - 01832544 ____A (McAfee, Inc.) C:\Users\Ivo\Documents\MCPR.exe
2012-06-12 18:03 - 2012-04-16 20:34 - 00001014 ____A C:\Users\Ivo\Desktop\Dropbox.lnk


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-09-05 16:04:42

==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 4094.02 MB
Available physical RAM: 3438.51 MB
Total Pagefile: 4092.17 MB
Available Pagefile: 3429.26 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions ============================

1 Drive c: () (Fixed) (Total:931.41 GB) (Free:233.67 GB) NTFS
3 Drive f: () (Removable) (Total:0.49 GB) (Free:0.49 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (Door systeem gereserveerd) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Schfnr. Status Grootte Vrij Dyn GPT
-------- ------------- ------- ------- --- ---
Schf 0 Online 931 GB 0 B
Schf 1 Online 504 MB 0 B
Schf 2 Geen medium 0 B 0 B



Last Boot: 2012-09-06 19:34

==================== End Of Log =============================

SEARCH.log:

Farbar Recovery Scan Tool (x64) Version: 08-09-2012
Ran by SYSTEM at 2012-09-09 18:11:21
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-14 00:19] - [2009-07-14 02:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-14 00:19] - [2009-07-14 02:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

====== End Of Search ======

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:06 PM

Posted 09 September 2012 - 12:46 PM

Please run the following:


  • Download RogueKiller and save it to your desktop.
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan
  • A report will be created on your desktop.
  • Click on the Delete button
  • Next click on the ShortcutsFix
  • Another report will be created on your desktop.

Please post: All RKreport.txt text files located on your desktop.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Evitano

Evitano
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:06 AM

Posted 09 September 2012 - 02:34 PM

All right, it is showing up ZeroAccess although I thought I got rid of the bastard. BTW, RogueKiller shows up in McAfee SiteAdvisor as malicious software (I used the link you provided).
Here are the 3 logs:

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Ivo [Admin rights]
Mode : Scan -- Date : 09/09/2012 21:18:17

Bad processes : 0

Registry Entries : 10
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Ivo\AppData\Local\{8ea5ce0d-ef5e-295d-9bfe-8fc38d5e8fe5}\n.) -> FOUND

Particular Files / Folders:

Driver : [NOT LOADED]

Infection : ZeroAccess

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost

MBR Check:

+++++ PhysicalDrive0: Volume0 +++++
--- User ---
[MBR] d4b54b9deb6f597f02acb4f62af9df45
[BSP] dc2514c910a2b3865e84841287b06ebc : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953765 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: USB 2.0 Flash Disk USB Device +++++
--- User ---
[MBR] 4baeb5ce60d5b764384c3ecbcc8b9a93
[BSP] e36700405562334576851284eac24bfb : Standard MBR Code
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 32 | Size: 504 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt



RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Ivo [Admin rights]
Mode : Remove -- Date : 09/09/2012 21:20:56

Bad processes : 0

Registry Entries : 8
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> REPLACED (1)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Ivo\AppData\Local\{8ea5ce0d-ef5e-295d-9bfe-8fc38d5e8fe5}\n.) -> REPLACED (C:\Windows\system32\shell32.dll)

Particular Files / Folders:

Driver : [NOT LOADED]

Infection : ZeroAccess

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost

MBR Check:

+++++ PhysicalDrive0: Volume0 +++++
--- User ---
[MBR] d4b54b9deb6f597f02acb4f62af9df45
[BSP] dc2514c910a2b3865e84841287b06ebc : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 953765 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: USB 2.0 Flash Disk USB Device +++++
--- User ---
[MBR] 4baeb5ce60d5b764384c3ecbcc8b9a93
[BSP] e36700405562334576851284eac24bfb : Standard MBR Code
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 32 | Size: 504 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Ivo [Admin rights]
Mode : Shortcuts HJfix -- Date : 09/09/2012 21:27:12

Bad processes : 0

Driver : [NOT LOADED]

File attributes restored:
Desktop: Success 1 / Fail 0
Quick launch: Success 4 / Fail 0
Programs: Success 11 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 340 / Fail 0
My documents: Success 13 / Fail 13
My favorites: Success 0 / Fail 0
My pictures: Success 95 / Fail 0
My music: Success 1840 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 159 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\CdRom1 -- 0x5 --> Skipped
[G:] \Device\HarddiskVolume3 -- 0x2 --> Restored

Infection :

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:06 PM

Posted 09 September 2012 - 02:47 PM

It likes to hide.


Please run the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Evitano

Evitano
  • Topic Starter

  • Members
  • 5 posts
  • Local time:12:06 AM

Posted 10 September 2012 - 12:24 AM

OK, Malwarebytes came up with nothing. ESET found a few, but they are keymakers I didn't use.


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.09.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Ivo :: WORKSTATION [administrator]

9-9-2012 21:52:17
mbam-log-2012-09-09 (21-52-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 236272
Time elapsed: 6 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESETSCAN
C:\Utliz\ADOBE.CREATIVE.SUITE.4.MASTER.COLLECTON.DD.MULTILANGUAGE-ISO\Crack\disable_activation.cmd BAT/HostsChanger.A application
C:\Utliz\Ahead.Nero.v7.10.1.0.Incl.Keymaker-EMBRACE\e-an7101.zip a variant of Win32/Keygen.DS application
C:\Utliz\Ahead.Nero.v7.10.1.0.Incl.Keymaker-EMBRACE\keygen.exe a variant of Win32/Keygen.DS application
C:\Utliz\Ahead.Nero.v7.10.1.0.Incl.Keymaker-EMBRACE\e-an7101\keygen.exe a variant of Win32/Keygen.DS application
C:\Utliz\AUTODESK.AUTOCAD.V2012.WIN64-ISO\acad2012_x64.iso Win32/Keygen.BL application

Edited by Evitano, 10 September 2012 - 02:34 AM.


#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:06 PM

Posted 10 September 2012 - 10:14 AM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Utliz\ADOBE.CREATIVE.SUITE.4.MASTER.COLLECTON.DD.MULTILANGUAGE-ISO\Crack\disable_activation.cmd 
C:\Utliz\Ahead.Nero.v7.10.1.0.Incl.Keymaker-EMBRACE\e-an7101.zip 
C:\Utliz\Ahead.Nero.v7.10.1.0.Incl.Keymaker-EMBRACE\keygen.exe 
C:\Utliz\Ahead.Nero.v7.10.1.0.Incl.Keymaker-EMBRACE\e-an7101\keygen.exe 
C:\Utliz\AUTODESK.AUTOCAD.V2012.WIN64-ISO\acad2012_x64.iso 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

  • Drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



  • Please download MiniToolBox and save it to your desktop and run it.

    Check the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

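The MiniToolBox step above asks for three things a hosts-file changer or a proxy hijack would alter: the active hosts entries, the IE (WinINet) proxy settings, and a DNS cache flush. The script below is an added example that collects the same information from a PowerShell prompt; it is not part of the thread and not MiniToolBox's own code. It assumes the standard Windows locations for the hosts file and the per-user WinINet proxy values, and flags loopback mappings (the pattern used by `disable_activation`-style scripts such as the one ESET reported as BAT/HostsChanger.A) for a manual look.

```powershell
# Added example, not from the thread or from MiniToolBox: report active hosts
# entries, the current user's IE/WinINet proxy settings, and flush the DNS cache.
# Assumes a default Windows install (hosts file under %SystemRoot%, proxy values
# under HKCU Internet Settings). Run from an elevated prompt.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Active (non-comment, non-blank) hosts entries. A clean Windows 7 hosts
#    file has none; even the localhost lines are commented out by default.
$entries = @(Get-Content -Path $hostsPath -ErrorAction Stop |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' })

if ($entries.Count -eq 0) {
    Write-Output 'hosts: no active entries (expected on a clean system)'
} else {
    Write-Output "hosts: $($entries.Count) active entries"
    foreach ($line in $entries) {
        $fields = @(($line -split '\s+') | Where-Object { $_ })
        $ip = $fields[0]
        $names = if ($fields.Count -gt 1) { $fields[1..($fields.Count - 1)] -join ' ' } else { '' }
        # Vendor activation hosts pinned to loopback are the signature of
        # disable_activation-style scripts; flag any 127.0.0.1 / 0.0.0.0 mapping
        # that is not plain localhost.
        $flag = ''
        if (('127.0.0.1', '0.0.0.0') -contains $ip -and $names -notmatch '^localhost$') {
            $flag = ' <-- check'
        }
        Write-Output ('  {0,-16} {1}{2}' -f $ip, $names, $flag)
    }
}

# 2. IE / WinINet proxy settings for the current user. ProxyEnable=1 with a
#    ProxyServer you did not set, or an unexpected AutoConfigURL (PAC file),
#    means traffic is being redirected.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet
Write-Output ('proxy: ProxyEnable={0} ProxyServer={1} AutoConfigURL={2}' -f `
    $p.ProxyEnable, $p.ProxyServer, $p.AutoConfigURL)
if ($p.ProxyEnable -eq 1 -or $p.AutoConfigURL) {
    Write-Output '  a proxy or PAC URL is configured; confirm you set it yourself'
}

# 3. Flush the resolver cache so any poisoned answers are discarded.
ipconfig /flushdns | Out-Null
Write-Output 'dns: resolver cache flushed'
```

The hosts check deliberately ignores comment lines, because a changer script usually appends its entries below the stock comments and a quick visual scan misses them; the proxy check reads the raw registry values rather than the Internet Options dialog, so a hidden PAC URL is shown too.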


#9 Evitano

Evitano
  • Topic Starter

  • Members
  • 5 posts
  • Local time:12:06 AM

Posted 10 September 2012 - 01:41 PM

Hello Catbyte,
Today an engineer from McAfee remotely swept my computer and cleaned it of ZeroAccess and other rootkits. Now my firewall is up and running again, both Windows and McAfee. I have no idea what he did, but he promised me the PC is clean now. Now I don't know if I still have to follow your last directions. I'd like to hear your thoughts on that.
If not, i would like to thank you for your help and patience.

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:06 PM

Posted 10 September 2012 - 02:09 PM

He wouldn't have done much, as the main infection was already neutralized.

Your BITS registry key was likely missing, as this infection targets that as well as the registry key for the firewall, so he likely replaced those; the Farbar Service Scanner would have shown those entries.

I would remove those files ESET identified.

The MiniToolBox was to see if you have any outdated programs that need updating, as older versions of programs are often vulnerable to exploitation.

It's up to you if you want to continue.

If not, I can close the thread.

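The explanation above (a deleted BITS or firewall service key, which Farbar Service Scanner would have exposed) matches the error codes in the opening post: Windows returns 1075 (ERROR_SERVICE_DEPENDENCY_DELETED) when a service, or a service it depends on, no longer has a registry key, and 0x80070433 is the same value 0x433 = 1075 wrapped as an HRESULT. The script below is an added example, not from the thread and not FSS's own code, that performs the equivalent check from PowerShell: it walks the service keys under `HKLM\SYSTEM\CurrentControlSet\Services` for the services FSS was asked about, follows each `DependOnService` chain, and reports any key that is missing. The service short names (MpsSvc, BFE, BITS, wuauserv, wscsvc, WinDefend, VSS) are the standard Windows 7 names; the display labels are the script's own.

```powershell
# Added example, not from the thread or from Farbar Service Scanner: report
# missing service registry keys, including missing dependencies, for the
# services the thread asked FSS to check. Assumes Windows 7 service names.
# Run from an elevated PowerShell prompt.

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Service short name -> label used only for the report.
$targets = @{
    'MpsSvc'    = 'Windows Firewall'
    'BFE'       = 'Base Filtering Engine (firewall dependency)'
    'BITS'      = 'Background Intelligent Transfer Service'
    'wuauserv'  = 'Windows Update'
    'wscsvc'    = 'Security Center'
    'WinDefend' = 'Windows Defender'
    'VSS'       = 'Volume Shadow Copy (used by System Restore)'
}

# Meaning of the Start DWORD in a service key.
$startNames = @('Boot', 'System', 'Automatic', 'Manual', 'Disabled')

function Test-ServiceKey {
    param([string]$Name, [hashtable]$Seen)
    if ($Seen.ContainsKey($Name)) { return }
    $Seen[$Name] = $true

    $key = Join-Path $svcRoot $Name
    if (-not (Test-Path $key)) {
        # This is the condition the SCM reports as error 1075 when something
        # that depends on $Name is started.
        Write-Output ('MISSING  {0,-12} registry key not present' -f $Name)
        return
    }

    $p = Get-ItemProperty -Path $key
    $start = '?'
    if ($null -ne $p.Start -and $p.Start -ge 0 -and $p.Start -le 4) {
        $start = $startNames[$p.Start]
    }
    Write-Output ('ok       {0,-12} Start={1,-9} ImagePath={2}' -f $Name, $start, $p.ImagePath)

    # Recurse into DependOnService: a deleted dependency (e.g. BFE under
    # MpsSvc) breaks the parent even though the parent's own key is intact.
    foreach ($dep in @($p.DependOnService)) {
        if ($dep) { Test-ServiceKey -Name $dep -Seen $Seen }
    }
}

foreach ($name in $targets.Keys) {
    Write-Output "== $name ($($targets[$name]))"
    Test-ServiceKey -Name $name -Seen @{}

    # Cross-check with the Service Control Manager. A key that exists but the
    # SCM cannot see, or the reverse, deserves a closer look.
    $scm = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($scm) { Write-Output ('         SCM status: {0}' -f $scm.Status) }
    else      { Write-Output '         SCM status: not registered' }
}
```

On a clean Windows 7 system every line is `ok` and MpsSvc's chain prints BFE and mpsdrv beneath it; a `MISSING` line under a target explains a 1075 at that target, and the fix is to restore the missing key from a known-good system of the same build rather than to recreate it by hand.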


#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:06 PM

Posted 20 September 2012 - 05:53 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
