
rootkits



Dear PCHF,

I couldn't download any Windows updates, and Explorer was acting strangely (slow); I got a window saying "Host process for Windows services has stopped working", code 80072EFE, etc.

I let the usual scanners do their work, and ComboFix as well; its log is below, along with the HJT log.

Now my laptop seems to be running quite well again, but would someone be willing to go through the logs once more, to see whether anything still can or should be fixed.

Many thanks in advance

regards, djdnvan

------------------------------------------------------------------------------------

ComboFix 10-08-04.05 - Qforce 05/08/2010 20:11:24.1.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.32.1043.18.2045.741 [GMT 2:00]

Gestart vanuit: g:\daniels programma's\ComboFix\ComboFix.exe

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\programdata\SysWoW32

c:\programdata\SysWoW32\mu1782868360v4

c:\programdata\SysWoW32\mu1782868360v4.kwd

c:\programdata\SysWoW32\mu1782868360v5

c:\programdata\SysWoW32\mu1782868360v5.kwd

c:\programdata\SysWoW32\mu1782868360v6

c:\programdata\SysWoW32\mu1782868360v6.kwd

c:\programdata\SysWoW32\mu1782868360v7

c:\programdata\SysWoW32\mu1782868360v7.kwd

c:\programdata\SysWoW32\wu1782868360v0

c:\programdata\SysWoW32\wu1782868360v0.kwd

c:\programdata\SysWoW32\wu1782868360v1

c:\programdata\SysWoW32\wu1782868360v1.kwd

c:\programdata\SysWoW32\wu1782868360v2

c:\programdata\SysWoW32\wu1782868360v2.kwd

c:\programdata\SysWoW32\wu1782868360v3

c:\programdata\SysWoW32\wu1782868360v3.kwd

c:\users\Qforce\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Translator.url

c:\windows\system32\file_id.diz

c:\windows\system32\GiQGu2a6.dll

c:\windows\system32\Language

c:\windows\system32\Language\Dutch.reg

c:\windows\system32\Language\French.reg

c:\windows\system32\Language\German.reg

c:\windows\system32\Language\Italian.reg

c:\windows\system32\Language\Spanish.reg

c:\windows\system32\Language\Swedish.reg

Besmet exemplaar van c:\windows\system32\drivers\ndis.sys werd aangetroffen en gedesinfecteerd

Hersteld exemplaar van - Kitty had a snack :P

.

(((((((((((((((((((( Bestanden Gemaakt van 2010-07-05 to 2010-08-05 ))))))))))))))))))))))))))))))

.

2010-08-05 18:27 . 2010-08-05 18:27 -------- d-----w- c:\users\Qforce\AppData\Local\temp

2010-08-05 18:27 . 2010-08-05 18:27 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-08-05 09:53 . 2010-08-05 07:18 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-08-05 07:18 . 2010-08-05 07:18 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-08-05 07:18 . 2010-08-05 07:18 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-08-05 07:13 . 2010-08-05 07:13 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-08-05 07:13 . 2010-02-04 15:53 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe

2010-08-05 07:11 . 2010-08-05 07:13 -------- d-----w- c:\program files\Lavasoft

2010-08-04 19:21 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

2010-08-04 18:50 . 2010-08-04 18:50 -------- d-----w- c:\users\Qforce\AppData\Roaming\Malwarebytes

2010-08-04 18:48 . 2009-02-11 08:19 15504 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-04 18:48 . 2009-02-11 08:19 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-04 18:48 . 2010-08-04 18:48 -------- d-----w- c:\programdata\Malwarebytes

2010-08-04 18:48 . 2010-08-04 18:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-04 18:30 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-08-04 18:30 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-08-04 18:30 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-08-04 18:30 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-08-04 18:30 . 2010-06-28 20:32 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2010-08-04 18:29 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-08-04 18:29 . 2010-08-04 18:29 -------- d-----w- c:\programdata\Alwil Software

2010-08-04 18:29 . 2010-08-04 18:29 -------- d-----w- c:\program files\Alwil Software

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-05 18:16 . 2006-11-02 16:11 67250 ----a-w- c:\windows\system32\perfc013.dat

2010-08-05 18:16 . 2006-11-02 16:11 248552 ----a-w- c:\windows\system32\perfh013.dat

2010-08-05 07:11 . 2008-03-15 15:14 -------- d-----w- c:\programdata\Lavasoft

2010-08-05 07:00 . 2006-11-02 12:37 -------- d-----w- c:\program files\Microsoft Games

2010-08-04 19:37 . 2008-03-17 09:44 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-08-04 19:33 . 2008-03-17 09:44 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2010-08-04 18:31 . 2010-06-17 17:40 112 ----a-w- c:\programdata\62Yt6p.dat

2010-08-04 18:21 . 2009-06-22 10:36 -------- d-----w- c:\program files\CCleaner

2010-08-02 20:09 . 2008-03-24 14:32 -------- d-----w- c:\users\Qforce\AppData\Roaming\LimeWire

2010-07-05 12:12 . 2010-06-27 12:21 204205 ----a-w- c:\windows\hpwins23.dat

2010-07-05 12:12 . 2010-07-05 12:12 -------- d-----w- c:\programdata\WEBREG

2010-07-05 12:09 . 2010-06-27 12:21 -------- d-----w- c:\programdata\HP

2010-07-05 12:08 . 2010-07-05 12:08 -------- d-----w- c:\users\Qforce\AppData\Roaming\HP

2010-06-27 12:33 . 2010-06-27 12:25 -------- d-----w- c:\program files\HP

2010-06-27 12:32 . 2010-06-27 12:32 -------- d-----w- c:\programdata\HP Product Assistant

2010-06-27 12:27 . 2010-06-27 12:27 -------- d-----w- c:\program files\Common Files\HP

2010-06-27 12:27 . 2010-06-27 12:27 -------- d-----w- c:\program files\Common Files\Hewlett-Packard

2010-06-27 12:27 . 2010-06-27 12:27 -------- d-----w- c:\program files\Hewlett-Packard

2010-06-24 06:55 . 2010-02-11 16:46 -------- d-----w- c:\users\Qforce\AppData\Roaming\vlc

2010-06-24 06:55 . 2010-04-12 12:44 -------- d-----w- c:\program files\The Master Genealogist v7

2010-06-24 06:55 . 2008-12-12 16:31 -------- d-----w- c:\program files\DVD Shrink

2010-06-24 06:55 . 2008-09-19 12:06 -------- d-----w- c:\program files\BlueJ

2010-06-15 17:19 . 2007-10-09 15:16 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-15 09:33 . 2009-02-02 08:39 -------- d-----w- c:\program files\Solid Edge ST

2010-06-10 09:34 . 2009-10-26 17:41 -------- d-----w- c:\programdata\Microsoft Help

2010-05-26 17:06 . 2010-06-09 08:23 34304 ----a-w- c:\windows\system32\atmlib.dll

2010-05-26 14:47 . 2010-06-09 08:23 289792 ----a-w- c:\windows\system32\atmfd.dll

2010-05-12 09:21 . 2009-10-03 15:17 221568 ------w- c:\windows\system32\MpSigStub.exe

.

c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\windows\PixArt\Pac207\Monitor .exe

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 4390912]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup

backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Snelle start.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Snelle start.lnk

backup=c:\windows\pss\Adobe Reader Snelle start.lnk.CommonStartup

backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup

backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup

backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Qforce^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]

path=c:\users\Qforce\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Groove.lnk

backup=c:\windows\pss\Microsoft Office Groove.lnk.Startup

backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Qforce^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Schermopname en Snel starten.lnk]

path=c:\users\Qforce\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Schermopname en Snel starten.lnk

backup=c:\windows\pss\OneNote 2007 Schermopname en Snel starten.lnk.Startup

backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]

c:\program files\Ares\Ares.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]

2010-03-18 16:42 2046816 ----a-w- c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]

2007-03-12 12:51 663552 ------w- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]

2007-01-26 13:58 65536 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2007-04-03 22:29 165784 ----a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]

2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

c:\program files\Microsoft Office\Office12\GrooveMonitor.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]

c:\program files\ScanSoft\PaperPort\IndexSearch.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

c:\program files\iTunes\iTunesHelper.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 2200 Series]

c:\program files\Lexmark 2200 Series\lxbvbmgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

2009-07-26 14:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

c:\program files\Common Files\Ahead\Lib\NeroCheck.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]

c:\program files\ScanSoft\PaperPort\pptd40nt.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPort11reminder]

c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

c:\program files\QuickTime\QTTask.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

2006-05-16 10:04 2879488 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-01-26 13:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]

c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"VistaSp2"=hex(B):1f,73,ac,f7,4c,1b,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-833183691-1392465726-190259266-1003]

"EnableNotificationsRef"=dword:00000002

R2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 135664]

R2 nirrquxf;Floppy Disk Support;c:\windows\System32\svchost.exe [2008-01-19 21504]

R3 PAC207;SoC PC-Camera;c:\windows\system32\DRIVERS\PFC027.SYS [2006-12-05 507136]

R4 MTC0301_CIR;CIR Device;c:\windows\system32\drivers\CIR.sys [2004-11-26 13941]

R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-03-12 691696]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-05 64288]

S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2005-08-05 34144]

S1 aswSP;aswSP; [x]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-29 335240]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-29 297752]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-08-05 1352832]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

nirrquxf

.

Inhoud van de 'Gedeelde Taken' map

2010-08-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 07:18]

2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 11:18]

2010-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 11:18]

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.google.be/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://g.msn.be/0SENLBE/SAOS01?FORM=TOOLBR

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\users\Qforce\AppData\Roaming\Mozilla\Firefox\Profiles\fnj4krig.default\

FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.be/

FF - prefs.js: keyword.URL - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: c:\programdata\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS VERWIJDERD - - - -

BHO-{6697BE83-7494-42A6-832D-F5321C3FA210} - c:\windows\system32\qxozgql.dll

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2010-08-05 20:27

Windows 6.0.6002 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Voltooingstijd: 2010-08-05 20:33:15

ComboFix-quarantined-files.txt 2010-08-05 18:33

Pre-Run: 7.298.342.912 bytes beschikbaar

Post-Run: 7.279.456.256 bytes beschikbaar

- - End Of File - - 3E9FF123EF74835B7F795FD640698030

-------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:35:36, on 5/08/2010

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v7.00 (7.00.6002.18005)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\RtHDVCpl.exe

C:\Program Files\Alwil Software\Avast5\AvastUI.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Bing

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe (User 'SYSTEEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe (User 'Default user')

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Verzenden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Verz&enden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: HP Slim selecteren - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programs\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programs\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - Pagina niet gevonden | Facebook

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-BE/a-UNO1/GAME_UNO1.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updateservice (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--

End of file - 7298 bytes


Start HijackThis. Select "Scan". Select only the items listed below:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programs\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programs\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - Pagina niet gevonden | Facebook

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/.../armhelper.ocx

Click 'Fix checked' to remove the items.

Open a Notepad file.

Copy and paste the bold text below into it.

File::

c:\programdata\62Yt6p.dat

Renv::

c:\program files\HP\HP Software Update\HPWuSchd2 .exe

c:\program files\Java\jre6\bin\jusched .exe

c:\program files\Microsoft Office\Office12\GrooveMonitor .exe

c:\windows\PixArt\Pac207\Monitor .exe

Save this file to your desktop as CFScript.txt.

Drag CFScript.txt onto ComboFix.exe

This will make ComboFix restart. Reboot if you are asked to.

After the reboot, post the contents of ComboFix.txt in your next message, together with a new HijackThis log.

edited by kape
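An added example, not code from this thread, HijackThis or ComboFix: a small Python triage script that applies the same selection rules kape used above (HJT entries with an empty value, "(no file)" or "(file missing)" markers, and DPF controls loaded from local file:// URLs), separates out executables with whitespace wedged before the extension, and writes them into a CFScript in the File::/Renv:: form. The sample lines are constructed from the logs in this thread; the CFScript layout is assumed from kape's script rather than taken from ComboFix documentation.

```python
"""Triage helper for HijackThis-style log lines and ComboFix rename candidates.

Added example; not code from this thread, HijackThis or ComboFix. The
selection rules mirror the entries kape picked above; the CFScript layout
(File:: then paths, Renv:: then paths) is assumed from kape's script.
"""
import re

# Markers HijackThis prints when the referenced file no longer exists.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# An HJT entry: a code such as R0, O2, O16, then " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+)\s+-\s+(?P<body>.*)$")

# Whitespace wedged between a file name and its extension ("Monitor .exe").
SPACED_EXT_RE = re.compile(r"\S\s+\.(exe|dll|sys)$", re.IGNORECASE)


def classify(line):
    """Return a short reason if an HJT line deserves attention, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    low = body.lower().rstrip()
    if low.endswith("="):
        return "empty value"                      # e.g. LinksFolderName =
    for marker in ORPHAN_MARKERS:
        if marker in low:
            return "orphan: " + marker            # registry points at nothing
    if code == "O16" and "file:///" in low:
        return "DPF control loaded from local file:// URL"
    return None


def triage(log_text):
    """Return [(line, reason)] for every flagged line in an HJT log."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


def find_spaced_executables(paths):
    """Return the paths whose extension is separated from the name by spaces."""
    return [p for p in paths if SPACED_EXT_RE.search(p.strip())]


def build_cfscript(delete_files, rename_files):
    """Render a CFScript text: File:: block for deletions, Renv:: for renames."""
    out = []
    if delete_files:
        out.append("File::")
        out.extend(delete_files)
    if rename_files:
        out.append("Renv::")
        out.extend(rename_files)
    return "\n".join(out) + "\n"


# Constructed sample input, copied from the HijackThis log earlier in this thread.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programs\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
"""

# Constructed sample paths, taken from the ComboFix listing above.
SAMPLE_PATHS = [
    r"c:\program files\HP\HP Software Update\HPWuSchd2 .exe",
    r"c:\program files\Java\jre6\bin\jusched .exe",
    r"c:\windows\system32\drivers\aswSP.sys",
]

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_HJT):
        print(f"[{reason}] {line}")
    print(build_cfscript([r"c:\programdata\62Yt6p.dat"],
                         find_spaced_executables(SAMPLE_PATHS)))
```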

Kape,

here are both my logs

ComboFix 10-08-05.06 - Qforce 06/08/2010 13:32:13.2.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.32.1043.18.2045.1269 [GMT 2:00]

Gestart vanuit: c:\users\Qforce\Desktop\ComboFix.exe

gebruikte Opdracht switches :: c:\users\Qforce\Desktop\CFScript.txt

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::

"c:\programdata\62Yt6p.dat"

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\programdata\62Yt6p.dat

.

(((((((((((((((((((( Bestanden Gemaakt van 2010-07-06 to 2010-08-06 ))))))))))))))))))))))))))))))

.

2010-08-06 11:43 . 2010-08-06 11:43 -------- d-----w- c:\users\Qforce\AppData\Local\temp

2010-08-06 11:43 . 2010-08-06 11:43 -------- d-----w- c:\users\Public\AppData\Local\temp

2010-08-06 11:43 . 2010-08-06 11:43 -------- d-----w- c:\users\Default\AppData\Local\temp

2010-08-05 19:24 . 2010-08-05 19:24 -------- d-----w- c:\users\Qforce\AppData\Local\VS Revo Group

2010-08-05 19:24 . 2009-12-20 15:41 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys

2010-08-05 19:24 . 2010-08-05 19:24 -------- d-----w- c:\program files\VS Revo Group

2010-08-05 19:19 . 2010-08-05 19:19 -------- d-----w- c:\program files\Trend Micro

2010-08-05 18:58 . 2009-11-08 08:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll

2010-08-05 18:58 . 2009-11-08 08:55 297808 ----a-w- c:\windows\system32\mscoree.dll

2010-08-05 18:58 . 2009-11-08 08:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe

2010-08-05 18:58 . 2009-11-08 08:55 49472 ----a-w- c:\windows\system32\netfxperf.dll

2010-08-05 18:58 . 2009-11-08 08:55 1130824 ----a-w- c:\windows\system32\dfshim.dll

2010-08-05 09:53 . 2010-08-05 07:18 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-08-05 07:18 . 2010-08-05 07:18 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys

2010-08-05 07:18 . 2010-08-05 07:18 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-08-05 07:13 . 2010-08-05 07:13 -------- dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

2010-08-05 07:13 . 2010-02-04 15:53 2954656 -c--a-w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe

2010-08-05 07:11 . 2010-08-05 07:13 -------- d-----w- c:\program files\Lavasoft

2010-08-04 19:21 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

2010-08-04 18:50 . 2010-08-04 18:50 -------- d-----w- c:\users\Qforce\AppData\Roaming\Malwarebytes

2010-08-04 18:48 . 2009-02-11 08:19 15504 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-04 18:48 . 2009-02-11 08:19 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-04 18:48 . 2010-08-04 18:48 -------- d-----w- c:\programdata\Malwarebytes

2010-08-04 18:48 . 2010-08-04 18:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-04 18:30 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-08-04 18:30 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-08-04 18:30 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-08-04 18:30 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-08-04 18:30 . 2010-06-28 20:32 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2010-08-04 18:29 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-08-04 18:29 . 2010-08-04 18:29 -------- d-----w- c:\programdata\Alwil Software

2010-08-04 18:29 . 2010-08-04 18:29 -------- d-----w- c:\program files\Alwil Software

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-05 19:52 . 2009-01-24 15:42 -------- d-----w- c:\program files\Common Files\PX Storage Engine

2010-08-05 19:52 . 2007-04-26 14:00 -------- d-----w- c:\program files\Google

2010-08-05 19:39 . 2006-11-02 16:11 67250 ----a-w- c:\windows\system32\perfc013.dat

2010-08-05 19:39 . 2006-11-02 16:11 248552 ----a-w- c:\windows\system32\perfh013.dat

2010-08-05 19:30 . 2008-10-17 11:20 -------- d-----w- c:\program files\AVG

2010-08-05 18:58 . 2009-10-26 17:41 -------- d-----w- c:\programdata\Microsoft Help

2010-08-05 18:46 . 2008-03-17 09:44 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2010-08-05 07:11 . 2008-03-15 15:14 -------- d-----w- c:\programdata\Lavasoft

2010-08-05 07:00 . 2006-11-02 12:37 -------- d-----w- c:\program files\Microsoft Games

2010-08-04 19:37 . 2008-03-17 09:44 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-08-04 18:21 . 2009-06-22 10:36 -------- d-----w- c:\program files\CCleaner

2010-08-02 20:09 . 2008-03-24 14:32 -------- d-----w- c:\users\Qforce\AppData\Roaming\LimeWire

2010-07-05 12:12 . 2010-06-27 12:21 204205 ----a-w- c:\windows\hpwins23.dat

2010-07-05 12:12 . 2010-07-05 12:12 -------- d-----w- c:\programdata\WEBREG

2010-07-05 12:09 . 2010-06-27 12:21 -------- d-----w- c:\programdata\HP

2010-07-05 12:08 . 2010-07-05 12:08 -------- d-----w- c:\users\Qforce\AppData\Roaming\HP

2010-06-27 12:33 . 2010-06-27 12:25 -------- d-----w- c:\program files\HP

2010-06-27 12:32 . 2010-06-27 12:32 -------- d-----w- c:\programdata\HP Product Assistant

2010-06-27 12:27 . 2010-06-27 12:27 -------- d-----w- c:\program files\Common Files\HP

2010-06-27 12:27 . 2010-06-27 12:27 -------- d-----w- c:\program files\Common Files\Hewlett-Packard

2010-06-27 12:27 . 2010-06-27 12:27 -------- d-----w- c:\program files\Hewlett-Packard

2010-06-24 06:55 . 2010-02-11 16:46 -------- d-----w- c:\users\Qforce\AppData\Roaming\vlc

2010-06-24 06:55 . 2010-04-12 12:44 -------- d-----w- c:\program files\The Master Genealogist v7

2010-06-24 06:55 . 2008-12-12 16:31 -------- d-----w- c:\program files\DVD Shrink

2010-06-24 06:55 . 2008-09-19 12:06 -------- d-----w- c:\program files\BlueJ

2010-06-15 17:19 . 2007-10-09 15:16 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-06-15 09:33 . 2009-02-02 08:39 -------- d-----w- c:\program files\Solid Edge ST

2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr

2010-05-26 17:06 . 2010-06-09 08:23 34304 ----a-w- c:\windows\system32\atmlib.dll

2010-05-26 14:47 . 2010-06-09 08:23 289792 ----a-w- c:\windows\system32\atmfd.dll

2010-05-21 12:14 . 2009-10-03 15:17 221568 ------w- c:\windows\system32\MpSigStub.exe

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 4390912]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup

backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Snelle start.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Snelle start.lnk

backup=c:\windows\pss\Adobe Reader Snelle start.lnk.CommonStartup

backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup

backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup

backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Qforce^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]

path=c:\users\Qforce\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office Groove.lnk

backup=c:\windows\pss\Microsoft Office Groove.lnk.Startup

backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Qforce^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Schermopname en Snel starten.lnk]

path=c:\users\Qforce\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Schermopname en Snel starten.lnk

backup=c:\windows\pss\OneNote 2007 Schermopname en Snel starten.lnk.Startup

backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]

2007-03-12 12:51 663552 ------w- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]

2007-01-26 13:58 65536 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

2007-04-03 22:29 165784 ----a-w- c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]

2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2008-10-25 10:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

2009-07-26 14:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

2006-05-16 10:04 2879488 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-01-26 13:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]

"VistaSp2"=hex(B):1f,73,ac,f7,4c,1b,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-833183691-1392465726-190259266-1003]

"EnableNotificationsRef"=dword:00000002

R2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 135664]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-08-05 1352832]

R2 nirrquxf;Floppy Disk Support;c:\windows\System32\svchost.exe [2008-01-19 21504]

R3 PAC207;SoC PC-Camera;c:\windows\system32\DRIVERS\PFC027.SYS [2006-12-05 507136]

R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-20 27192]

R4 MTC0301_CIR;CIR Device;c:\windows\system32\drivers\CIR.sys [2004-11-26 13941]

R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-03-12 691696]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-08-05 64288]

S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2005-08-05 34144]

S1 aswSP;aswSP; [x]

S2 aswFsBlk;aswFsBlk; [x]

S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]

S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

nirrquxf

.

Inhoud van de 'Gedeelde Taken' map

2010-08-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 07:18]

2010-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 11:18]

2010-08-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 11:18]

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.google.be/

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

.

- - - - ORPHANS VERWIJDERD - - - -

MSConfigStartUp-ares - c:\program files\Ares\Ares.exe

MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe

MSConfigStartUp-IndexSearch - c:\program files\ScanSoft\PaperPort\IndexSearch.exe

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe

MSConfigStartUp-Lexmark 2200 Series - c:\program files\Lexmark 2200 Series\lxbvbmgr.exe

MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

MSConfigStartUp-PaperPort PTD - c:\program files\ScanSoft\PaperPort\pptd40nt.exe

MSConfigStartUp-PPort11reminder - c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe

MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe

MSConfigStartUp-SSBkgdUpdate - c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2010-08-06 13:43

Windows 6.0.6002 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond

verborgen bestanden: 0

**************************************************************************

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Voltooingstijd: 2010-08-06 13:49:09

ComboFix-quarantined-files.txt 2010-08-06 11:49

ComboFix2.txt 2010-08-05 18:33

Pre-Run: 8.496.652.288 bytes beschikbaar

Post-Run: 8.356.577.280 bytes beschikbaar

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - BF3AD2404A007FBD967F9FFC3A7118CC

------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:50:49, on 6/08/2010

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v7.00 (7.00.6002.18005)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Alwil Software\Avast5\AvastUI.exe

C:\Windows\explorer.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe (User 'SYSTEEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe (User 'Default user')

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Verzenden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Verz&enden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: HP Slim selecteren - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - Pagina niet gevonden | Facebook

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/NL-BE/a-UNO1/GAME_UNO1.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updateservice (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--

End of file - 6686 bytes

regards djdanvan

edited by kape
duplicate log removed