Archive - Rootkit

The archive is a frozen moment from a previous version of this forum, with different rules and different bosses. These posts in no way reflect our current ideas, values or world views, and in some places they have been censored for being unacceptable. Many were written in a different zeitgeist, ironically or not (as in the ironic Off-Topic subforum), and would not (be allowed to) be posted today. Still, we are happy to offer this archive as an information database and reference work. Read more about it here or start a conversation with others.

belgianreaver

Legacy Member
My brother's laptop apparently has a rootkit in the system32/drivers folder; the rootkit is said to be named zcfhfh.sys. Now, I tried to delete that file, but then I get: "cannot read data from the source file or source disk". It is certainly not an empty file, because apparently that file is updated several times every minute. I have also noticed that in the Programdata folder a file named 86t86JPY.exe sometimes appears, which is created again a few minutes after deletion. After a while a message appears that 86t86JPY.exe has stopped working, but that is all.

Here is an HJT log

Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:54:14, on 5/08/2010
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Users\Brecht\AppData\Local\Apps\2.0\EGBXJ9HL.NAM\D7J0RVX1.ZN2\curs..tion_eee711038731a406_0004.0000_172b37d8269e5e48\CurseClient.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl .exe
C:\Program Files\System Control Manager\MGSysCtrl .exe
C:\Program Files\Java\jre6\bin\jusched .exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\windows\system32\taskmgr.exe
C:\Users\Brecht\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Brecht\AppData\Local\Google\Chrome\Application\chrome.exe
C:\windows\system32\wuauclt.exe
C:\Users\Brecht\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Brecht\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Brecht\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Brecht\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msi.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ${URL_SEARCHPAGE}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2102399
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = ${URL_SEARCHPAGE}
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = ${URL_STARTPAGE}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
R3 - URLSearchHook: XfireXO Toolbar - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfir.dll
R3 - URLSearchHook: PHPNukeDU Toolbar - {46735dee-f862-49d1-876d-6382794dc625} - C:\Program Files\PHPNukeDU\tbPHPN.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: PHPNukeDU Toolbar - {46735dee-f862-49d1-876d-6382794dc625} - C:\Program Files\PHPNukeDU\tbPHPN.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: XfireXO Toolbar - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfir.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: XfireXO Toolbar - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfir.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: PHPNukeDU Toolbar - {46735dee-f862-49d1-876d-6382794dc625} - C:\Program Files\PHPNukeDU\tbPHPN.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam .exe" /runcleanupscript
O4 - HKCU\..\Run: [RGSC] C:\Program Files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
O4 - HKCU\..\Run: [Google Update] "C:\Users\Brecht\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\windows\TEMP\tkwp.tmp\setup      .exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [cbssreg] C:\windows\TEMP\tkwp.tmp\setup      .exe (User 'Default user')
O4 - Startup: CurseClientStartup.ccip
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Micro Star SCM - Micro-Star International Co., Ltd. - C:\Program Files\System Control Manager\MSIService.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Blaze Media Pro\NMSAccess32.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\windows\system32\nvvsvc.exe
O23 - Service: O2FLASH - O2Micro International - C:\windows\system32\DRIVERS\o2flash.exe
O23 - Service: PnkBstrA - Unknown owner - C:\windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TunngleService - Tunngle.net GmbH - C:\Program Files\Tunngle\TnglCtrl.exe

--
End of file - 8748 bytes
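The log above already carries the indicators an analyst would pick out by hand: the Internet Explorer proxy pointed at 127.0.0.1:5643, an autostart for the SYSTEM account running a setup.exe out of C:\windows\TEMP, several executables whose names have whitespace wedged in before .exe, and a service with no recorded publisher. The Python script below is an added example, not part of the original thread and not HijackThis code: it encodes those observations as regular-expression heuristics, runs them over a handful of lines copied from the posted log (the sample is constructed from that log; the heuristic tags are my own naming), and collapses a spaced extension back to the conventional file name so the flagged entry can be compared with the real program.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not part of the original forum thread and not HijackThis code.
It re-implements a few checks an analyst applies by hand to an HJT log.
"""
import re
from collections import Counter

# Constructed sample input: a few lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam .exe" /runcleanupscript
O4 - HKUS\S-1-5-18\..\Run: [cbssreg] C:\windows\TEMP\tkwp.tmp\setup      .exe (User 'SYSTEM')
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Blaze Media Pro\NMSAccess32.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Java\jre6\bin\jusched .exe
"""

# Each heuristic is (tag, compiled pattern); a line is flagged once per matching tag.
# The tag names are this example's own, not HijackThis terminology.
HEURISTICS = [
    # Browser traffic forced through a port on the local machine: something on
    # the host is sitting between the browser and the network.
    ("localhost-proxy", re.compile(r"ProxyServer\s*=\s*\S*?(127\.0\.0\.1|localhost)", re.I)),
    # Autostart entries that execute out of the Windows TEMP directory.
    ("runs-from-temp", re.compile(r"\\TEMP\\", re.I)),
    # Autostart registered for the SYSTEM account (HKUS\S-1-5-18 / User 'SYSTEM').
    ("system-account-autostart", re.compile(r"HKUS\\S-1-5-18|\(User 'SYSTEM'\)")),
    # Whitespace wedged in before the extension ("mbam .exe", "setup      .exe").
    ("space-before-extension", re.compile(r"\S\s+\.(exe|dll|sys)\b", re.I)),
    # Service entry with no publisher recorded.
    ("service-unknown-owner", re.compile(r"^O23 - Service: .* - Unknown owner - ")),
]


def triage_line(line: str) -> list[str]:
    """Return the heuristic tags that fire on a single log line, in HEURISTICS order."""
    return [tag for tag, pattern in HEURISTICS if pattern.search(line)]


def canonical_name(path: str) -> str:
    """Collapse whitespace wedged before the extension: 'mbam .exe' -> 'mbam.exe'.

    This yields the file name an analyst would expect for the legitimate program,
    so the spaced variant and the real one can be compared side by side.
    """
    return re.sub(r"\s+(\.(exe|dll|sys))\b", r"\1", path, flags=re.I)


def triage_log(text: str) -> list[tuple[str, list[str]]]:
    """Run every heuristic over a whole log; returns (line, tags) for flagged lines only."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tags = triage_line(line)
        if tags:
            hits.append((line, tags))
    return hits


def tag_counts(text: str) -> Counter:
    """Summary of how often each heuristic fired across the log."""
    counts = Counter()
    for _, tags in triage_log(text):
        counts.update(tags)
    return counts


if __name__ == "__main__":
    for line, tags in triage_log(SAMPLE_LOG):
        print(f"[{', '.join(tags)}] {line}")
    print(dict(tag_counts(SAMPLE_LOG)))
```

Run against the constructed sample, five of the seven lines are flagged; the TEMP entry alone trips three heuristics, which is the kind of stacking that separates a real finding from a single noisy match such as a legitimate service whose vendor string is simply missing. The same functions run unchanged over a full HJT log pasted into a file.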

Juisterr

Legacy Member
Download ComboFix from one of these locations:
Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable all antivirus and antispyware programs, because otherwise they may conflict with ComboFix. Here is a guide on how to disable them:

    Click here
    If you cannot disable them, just continue with the next step.
  • Double-click ComboFix.exe and follow the prompts on the screen.
  • ComboFix will check whether the Microsoft Windows Recovery Console is already installed.

    **Note: If the Microsoft Windows Recovery Console is already installed, you will not see the following screens and ComboFix will automatically continue scanning for malware.
  • Follow the prompts on the screen to let ComboFix download and install the Microsoft Windows Recovery Console.
cf-rc-auto.jpg

You will see the following message when ComboFix has successfully installed the Microsoft Windows Recovery Console:
rc-auto-done.jpg

Click Yes to continue scanning for malware.

NOTE: When ComboFix starts, you may get an error message saying that the "contents of the ComboFix package has been compromised".
Do not continue with the instructions, but download ComboFix again. This message can appear when a file infector (Virut) is active on the computer.

4ac516149830d-ComboFix_Virut.jpg

If you keep getting that message, report it.

When ComboFix is finished, it will create a log file for you. Post the contents of this log file (found as C:\ComboFix.txt) in your next message.

belgianreaver

Legacy Member
ComboFix 10-08-06.01 - Brecht 06/08/2010 20:46:19.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.32.1043.18.3071.2152 [GMT 2:00]
Gestart vanuit: c:\users\Brecht\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Install.exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
c:\program files\DivX\DivX Update\DivXUpdate.exe
c:\program files\Java\jre6\bin\jusched.exe
c:\program files\Malwarebytes' Anti-Malware\mbam.exe
c:\program files\QuickTime\QTTask.exe
c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
c:\program files\System Control Manager\MGSysCtrl.exe
c:\users\Brecht\AppData\Roaming\Microsoft\AdjMmsVista.dll
c:\windows\system32\lgafqvr.dll
c:\windows\system32\skinboxer43.dll

Code:
 <pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe --->c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon .exe --->c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
c:\program files\DivX\DivX Update\DivXUpdate .exe --->c:\program files\DivX\DivX Update\DivXUpdate.exe
c:\program files\Java\jre6\bin\jusched .exe --->c:\program files\Java\jre6\bin\jusched.exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe --->c:\program files\Malwarebytes' Anti-Malware\mbam.exe
c:\program files\QuickTime\QTTask .exe --->c:\program files\QuickTime\QTTask.exe
c:\program files\Realtek\Audio\HDA\RtHDVCpl .exe --->c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
c:\program files\System Control Manager\MGSysCtrl .exe --->c:\program files\System Control Manager\MGSysCtrl.exe
</pre>
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2010-07-06 to 2010-08-06 ))))))))))))))))))))))))))))))
.

2010-08-05 10:38 . 2010-08-05 10:38 -------- d-----w- c:\program files\GiPo@Utilities
2010-08-05 10:38 . 2010-08-05 10:38 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared
2010-08-03 23:35 . 2010-07-12 08:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-03 22:11 . 2010-07-12 08:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-03 22:10 . 2010-08-03 22:10 -------- d-----w- c:\users\Brecht\AppData\Local\Sunbelt Software
2010-08-03 22:08 . 2010-08-03 22:08 -------- dc-h--w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-03 22:08 . 2010-07-12 08:56 2979280 -c--a-w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-08-03 22:07 . 2010-08-03 22:10 -------- d-----w- c:\programdata\Lavasoft
2010-08-03 22:07 . 2010-08-03 22:07 -------- d-----w- c:\program files\Lavasoft
2010-08-03 17:32 . 2010-08-03 17:32 -------- d-----w- c:\users\Brecht\AppData\Local\Google
2010-07-28 21:24 . 2010-07-28 21:24 47364 ----a-w- c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-07-28 21:09 . 2010-08-06 15:46 -------- d-----w- c:\program files\StarCraft II
2010-07-22 14:15 . 2010-08-06 18:35 -------- d-----w- c:\users\Brecht\AppData\Local\Deployment
2010-07-22 13:32 . 2010-07-22 13:32 -------- d-----w- c:\users\Brecht\AppData\Roaming\Malwarebytes
2010-07-22 13:32 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-22 13:32 . 2010-08-06 18:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-22 13:32 . 2010-07-22 13:32 -------- d-----w- c:\programdata\Malwarebytes
2010-07-22 13:32 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-22 12:47 . 2010-07-22 12:47 -------- d--h--w- c:\windows\PIF
2010-07-16 18:12 . 2010-07-16 18:12 -------- d-----w- c:\program files\Mumble
2010-07-14 23:05 . 2010-07-14 23:05 -------- d-----w- c:\users\Brecht\AppData\Local\Apple Computer
2010-07-13 05:59 . 2010-07-13 05:59 -------- d-----w- c:\users\Brecht\AppData\Roaming\AVS4YOU
2010-07-13 05:58 . 2010-06-08 09:34 52224 ------w- c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\xjnhzn4c.default\extensions\{46735dee-f862-49d1-876d-6382794dc625}\components\FFExternalAlert.dll
2010-07-13 05:58 . 2010-06-08 09:34 101376 ------w- c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\xjnhzn4c.default\extensions\{46735dee-f862-49d1-876d-6382794dc625}\components\RadioWMPCore.dll
2010-07-13 05:58 . 2010-07-13 05:58 -------- d-----w- c:\program files\Hyplay
2010-07-13 05:58 . 2010-07-13 05:58 -------- d-----w- c:\program files\Common Files\Hypnotizer
2010-07-13 05:56 . 2010-07-13 05:57 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-07-13 05:56 . 2010-07-13 05:59 -------- d-----w- c:\programdata\AVS4YOU
2010-07-13 05:56 . 2010-07-13 05:57 -------- d-----w- c:\program files\AVS4YOU
2010-07-13 05:56 . 2008-08-13 09:22 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-07-13 05:56 . 2008-08-13 09:22 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-07-13 05:56 . 2008-08-13 09:22 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-07-13 05:56 . 2008-08-13 09:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-07-12 21:36 . 2010-07-12 21:36 -------- d-----w- c:\program files\Guitar Pro 5
2010-07-09 19:04 . 2010-07-09 19:04 41872 ----a-w- c:\windows\system32\xfcodec.dll

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-06 18:52 . 2010-05-18 14:23 -------- d-----w- c:\program files\QuickTime
2010-08-06 18:52 . 2009-11-26 17:47 -------- d-----w- c:\program files\System Control Manager
2010-08-06 18:44 . 2010-06-02 18:10 -------- d-----w- c:\users\Brecht\AppData\Roaming\Skype
2010-08-06 14:04 . 2010-01-19 17:17 -------- d-----w- c:\users\Brecht\AppData\Roaming\skypePM
2010-08-06 13:29 . 2010-01-19 17:04 -------- d-----w- c:\program files\Steam
2010-08-05 22:30 . 2010-02-06 14:20 0 ----a-w- c:\windows\system32\Access.dat
2010-08-04 23:37 . 2010-01-19 17:51 -------- d-----w- c:\users\Brecht\AppData\Roaming\Xfire
2010-08-04 01:58 . 2010-01-19 17:51 -------- d-----w- c:\programdata\Xfire
2010-08-01 10:33 . 2010-06-04 23:54 36872 ----a-w- c:\users\Brecht\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient .exe
2010-07-31 08:57 . 2010-06-04 23:54 36872 ----a-w- c:\users\Brecht\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
2010-07-28 23:11 . 2009-11-26 17:08 691728 ----a-w- c:\windows\system32\perfh013.dat
2010-07-28 23:11 . 2009-11-26 17:08 130232 ----a-w- c:\windows\system32\perfc013.dat
2010-07-28 21:21 . 2010-01-19 16:43 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-07-28 21:21 . 2010-01-19 18:29 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-07-22 12:49 . 2010-02-18 12:17 -------- d-----w- c:\users\Brecht\AppData\Roaming\BitTorrent
2010-07-21 23:58 . 2010-01-19 17:04 -------- d-----w- c:\program files\Common Files\Steam
2010-07-16 19:39 . 2010-07-16 18:13 -------- d-----w- c:\users\Brecht\AppData\Roaming\Mumble
2010-07-13 05:58 . 2010-05-23 00:45 -------- d-----w- c:\program files\PHPNukeDU
2010-07-13 05:58 . 2009-11-26 17:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-13 05:16 . 2010-01-19 17:51 -------- d-----w- c:\program files\Xfire
2010-07-12 21:38 . 2010-01-19 16:19 79920 ----a-w- c:\users\Brecht\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-02 23:39 . 2010-06-17 16:42 -------- d-----w- c:\users\Brecht\AppData\Roaming\Screaming Bee
2010-07-02 23:39 . 2010-06-17 16:42 -------- d-----w- c:\program files\Screaming Bee
2010-06-19 21:37 . 2010-06-19 21:37 -------- d-----w- c:\programdata\UAB
2010-06-19 21:37 . 2010-06-19 21:37 -------- d-----w- c:\programdata\PC Drivers HeadQuarters
2010-06-19 21:36 . 2010-06-19 21:36 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2010-06-19 21:34 . 2010-06-19 21:34 -------- d-----w- c:\program files\ManyCam 2.4
2010-06-19 21:34 . 2010-06-19 21:34 -------- d-----w- c:\users\Brecht\AppData\Roaming\ManyCam
2010-06-17 17:18 . 2010-06-17 16:58 -------- d-----w- c:\programdata\Screaming Bee
2010-06-17 16:59 . 2010-06-17 16:59 -------- d-----w- c:\users\Default\AppData\Roaming\Screaming Bee
2010-06-17 16:58 . 2010-06-17 16:58 79520 ----a-w- c:\users\Default\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-17 16:45 . 2010-06-17 16:45 -------- d-----w- c:\program files\Screaming Bee LLC
2010-06-16 15:05 . 2010-02-18 12:17 -------- d-----w- c:\program files\Ask.com
2010-06-12 00:48 . 2009-11-26 17:38 -------- d-----w- c:\programdata\Microsoft Help
2010-06-04 23:54 . 2010-06-04 23:54 71960 ----a-w- c:\users\Brecht\AppData\Roaming\Mozilla\Plugins\npoctoshape.dll
2010-05-27 07:24 . 2010-06-10 14:15 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 03:49 . 2010-06-10 14:15 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 12:14 . 2010-01-20 12:02 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 05:18 . 2010-06-10 14:15 977920 ----a-w- c:\windows\system32\wininet.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
Code:
<pre>
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2009-12-31 2349080]
"{46735dee-f862-49d1-876d-6382794dc625}"= "c:\program files\PHPNukeDU\tbPHPN.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CLASSES_ROOT\clsid\{46735dee-f862-49d1-876d-6382794dc625}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46735dee-f862-49d1-876d-6382794dc625}]
2010-06-13 17:10 2734688 ----a-w- c:\program files\PHPNukeDU\tbPHPN.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2009-12-31 10:53 2349080 ----a-w- c:\program files\XfireXO\tbXfir.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 13:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2009-12-31 2349080]
"{46735dee-f862-49d1-876d-6382794dc625}"= "c:\program files\PHPNukeDU\tbPHPN.dll" [2010-06-13 2734688]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CLASSES_ROOT\clsid\{46735dee-f862-49d1-876d-6382794dc625}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3}"= "c:\program files\XfireXO\tbXfir.dll" [2009-12-31 2349080]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
"{46735DEE-F862-49D1-876D-6382794DC625}"= "c:\program files\PHPNukeDU\tbPHPN.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{46735dee-f862-49d1-876d-6382794dc625}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [N/A]
"Google Update"="c:\users\Brecht\AppData\Local\Google\Update\GoogleUpdate.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-06-24 7596576]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2009-08-28 2072576]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-26 149280]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-03-09 2769336]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam .exe" [N/A]

c:\users\Brecht\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-7-29 0]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2009-8-26 2684256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Users^Brecht^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\users\Brecht\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccip.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Brecht^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\users\Brecht\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
c:\users\Brecht\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient .exe -inv:bootrun [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
c:\users\Brecht\AppData\Local\Google\Update\GoogleUpdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ManyCam]
2010-04-21 08:26 1824040 ----a-w- c:\program files\ManyCam 2.4\ManyCam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 14:12 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-07 05:29 1238352 ----a-w- c:\program files\Steam\Steam.exe

R0 1888905301;1888905301;c:\windows\system32\drivers\1888905301.sys [x]
R0 261085039;261085039;c:\windows\system32\drivers\261085039.sys [x]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-12 1352832]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [2009-05-26 17408]
R3 enecirhid;ENE CIR HID Receiver;c:\windows\system32\DRIVERS\enecirhid.sys [2009-05-19 11776]
R3 enecirhidma;ENE CIR HIDmini Filter;c:\windows\system32\DRIVERS\enecirhidma.sys [2008-04-24 5632]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
R3 WatAdminSvc;Windows Activation Technologies-service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-07 1343400]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-12 64288]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-03-09 51792]
S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [2009-07-09 160768]
S2 TunngleService;TunngleService;c:\program files\Tunngle\TnglCtrl.exe [2009-12-31 682232]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2009-05-20 59904]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-06-26 66080]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2009-07-14 52768]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2009-07-10 42400]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-12-01 34384]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [2009-09-16 27136]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]


--- Andere Services/Drivers In Geheugen ---

*Deregistered* - zcfhfh
.
Inhoud van de 'Gedeelde Taken' map

2010-08-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 08:55]

2010-08-05 c:\windows\Tasks\Norton Security Scan for Brecht.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-05-14 16:00]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2102399
mStart Page = ${URL_STARTPAGE}
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\xjnhzn4c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2102399&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - PHPNukeDU Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2102399&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2102399&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\xjnhzn4c.default\extensions\{46735dee-f862-49d1-876d-6382794dc625}\components\FFExternalAlert.dll
FF - component: c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\xjnhzn4c.default\extensions\{46735dee-f862-49d1-876d-6382794dc625}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Brecht\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\Brecht\AppData\Roaming\Mozilla\plugins\npoctoshape.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS VERWIJDERD - - - -

Toolbar-Locked - (no file)
AddRemove-LSI Soft Modem - c:\windows\agrsmdel



[HKEY_LOCAL_MACHINE\system\ControlSet001\services\zcfhfh]

.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9f,63,2e,06,96,24,0e,46,9a,6f,a7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9f,63,2e,06,96,24,0e,46,9a,6f,a7,\

[HKEY_USERS\S-1-5-21-148138387-3408007177-1954212148-1000\Software\SecuROM\License information*]
"datasecu"=hex:02,9d,f3,52,b7,f7,0d,12,24,8c,cd,a9,ec,d0,17,b2,09,d3,99,f9,3d,
d6,28,d0,41,a8,2b,18,aa,a5,4e,36,ad,4a,f5,99,ba,56,1b,2d,ea,42,a7,c6,52,b2,\
"rkeysecu"=hex:35,d6,46,a8,5c,e4,d7,0d,28,cf,67,a9,b2,5d,76,8e

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Voltooingstijd: 2010-08-06 20:54:49
ComboFix-quarantined-files.txt 2010-08-06 18:54

Pre-Run: 46.243.180.544 bytes beschikbaar
Post-Run: 46.187.966.464 bytes beschikbaar

- - End Of File - - E70D3F53FC5CF10FBE8997E9CD9B11F9
[/code]

Juisterr

Legacy Member
Open Notepad, copy and paste the following (the bold, blue text) into an empty window:


Renv::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe --->c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon .exe --->c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
c:\program files\DivX\DivX Update\DivXUpdate .exe --->c:\program files\DivX\DivX Update\DivXUpdate.exe
c:\program files\Java\jre6\bin\jusched .exe --->c:\program files\Java\jre6\bin\jusched.exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe --->c:\program files\Malwarebytes' Anti-Malware\mbam.exe
c:\program files\QuickTime\QTTask .exe --->c:\program files\QuickTime\QTTask.exe
c:\program files\Realtek\Audio\HDA\RtHDVCpl .exe --->c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
c:\program files\System Control Manager\MGSysCtrl .exe --->c:\program files\System Control Manager\MGSysCtrl.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

Folder::
c:\program files\Ask.com




Save this to your Desktop as CFScript.txt.

Drag CFScript.txt onto ComboFix.exe as shown in the example below:
CFScript.gif

This will make ComboFix restart.

After your computer has restarted (if it asks to restart), copy and paste the contents of log.txt into your next reply.

belgianreaver

Legacy Member
ComboFix 10-08-06.01 - Brecht 08/08/2010 0:51.3.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.32.1043.18.3071.2180 [GMT 2:00]
Gestart vanuit: c:\users\Brecht\Desktop\ComboFix.exe
gebruikte Opdracht switches :: c:\users\Brecht\Desktop\CFScript.txt.log
.

(((((((((((((((((((( Bestanden Gemaakt van 2010-07-07 to 2010-08-07 ))))))))))))))))))))))))))))))
.

2010-08-07 22:58 . 2010-08-07 22:58 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-07 22:58 . 2010-08-07 22:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-06 22:11 . 2010-08-06 22:11 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-06 18:54 . 2010-08-07 22:58 -------- d-----w- c:\users\Brecht\AppData\Local\temp
2010-08-06 15:46 . 2010-08-06 15:46 47364 ----a-w- c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-08-05 10:38 . 2010-08-05 10:38 -------- d-----w- c:\program files\GiPo@Utilities
2010-08-05 10:38 . 2010-08-05 10:38 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared
2010-08-03 23:35 . 2010-07-12 08:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-03 22:11 . 2010-07-12 08:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-03 22:10 . 2010-08-03 22:10 -------- d-----w- c:\users\Brecht\AppData\Local\Sunbelt Software
2010-08-03 22:08 . 2010-08-03 22:08 -------- dc-h--w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-03 22:08 . 2010-07-12 08:56 2979280 -c--a-w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-08-03 22:07 . 2010-08-03 22:10 -------- d-----w- c:\programdata\Lavasoft
2010-08-03 22:07 . 2010-08-03 22:07 -------- d-----w- c:\program files\Lavasoft
2010-08-03 17:32 . 2010-08-03 17:32 -------- d-----w- c:\users\Brecht\AppData\Local\Google
2010-07-28 21:09 . 2010-08-06 15:46 -------- d-----w- c:\program files\StarCraft II
2010-07-22 14:15 . 2010-08-07 08:10 -------- d-----w- c:\users\Brecht\AppData\Local\Deployment
2010-07-22 13:32 . 2010-07-22 13:32 -------- d-----w- c:\users\Brecht\AppData\Roaming\Malwarebytes
2010-07-22 13:32 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-22 13:32 . 2010-08-06 18:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-22 13:32 . 2010-07-22 13:32 -------- d-----w- c:\programdata\Malwarebytes
2010-07-22 13:32 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-22 12:47 . 2010-07-22 12:47 -------- d--h--w- c:\windows\PIF
2010-07-16 18:12 . 2010-07-16 18:12 -------- d-----w- c:\program files\Mumble
2010-07-14 23:05 . 2010-07-14 23:05 -------- d-----w- c:\users\Brecht\AppData\Local\Apple Computer
2010-07-13 05:59 . 2010-07-13 05:59 -------- d-----w- c:\users\Brecht\AppData\Roaming\AVS4YOU
2010-07-13 05:58 . 2010-06-08 09:34 52224 ------w- c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\xjnhzn4c.default\extensions\{46735dee-f862-49d1-876d-6382794dc625}\components\FFExternalAlert.dll
2010-07-13 05:58 . 2010-06-08 09:34 101376 ------w- c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\xjnhzn4c.default\extensions\{46735dee-f862-49d1-876d-6382794dc625}\components\RadioWMPCore.dll
2010-07-13 05:58 . 2010-07-13 05:58 -------- d-----w- c:\program files\Hyplay
2010-07-13 05:58 . 2010-07-13 05:58 -------- d-----w- c:\program files\Common Files\Hypnotizer
2010-07-13 05:56 . 2010-07-13 05:57 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-07-13 05:56 . 2010-07-13 05:59 -------- d-----w- c:\programdata\AVS4YOU
2010-07-13 05:56 . 2010-07-13 05:57 -------- d-----w- c:\program files\AVS4YOU
2010-07-13 05:56 . 2008-08-13 09:22 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-07-13 05:56 . 2008-08-13 09:22 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-07-13 05:56 . 2008-08-13 09:22 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-07-13 05:56 . 2008-08-13 09:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-07-12 21:36 . 2010-07-12 21:36 -------- d-----w- c:\program files\Guitar Pro 5
2010-07-09 19:04 . 2010-07-09 19:04 41872 ----a-w- c:\windows\system32\xfcodec.dll

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-07 22:49 . 2010-06-02 18:10 -------- d-----w- c:\users\Brecht\AppData\Roaming\Skype
2010-08-07 22:00 . 2010-01-19 17:17 -------- d-----w- c:\users\Brecht\AppData\Roaming\skypePM
2010-08-07 13:04 . 2010-01-19 17:04 -------- d-----w- c:\program files\Steam
2010-08-06 23:31 . 2010-02-06 14:20 0 ----a-w- c:\windows\system32\Access.dat
2010-08-06 18:52 . 2010-05-18 14:23 -------- d-----w- c:\program files\QuickTime
2010-08-06 18:52 . 2009-11-26 17:47 -------- d-----w- c:\program files\System Control Manager
2010-08-04 23:37 . 2010-01-19 17:51 -------- d-----w- c:\users\Brecht\AppData\Roaming\Xfire
2010-08-04 01:58 . 2010-01-19 17:51 -------- d-----w- c:\programdata\Xfire
2010-08-01 10:33 . 2010-06-04 23:54 36872 ----a-w- c:\users\Brecht\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient .exe
2010-07-31 08:57 . 2010-06-04 23:54 36872 ----a-w- c:\users\Brecht\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
2010-07-28 23:11 . 2009-11-26 17:08 691728 ----a-w- c:\windows\system32\perfh013.dat
2010-07-28 23:11 . 2009-11-26 17:08 130232 ----a-w- c:\windows\system32\perfc013.dat
2010-07-28 21:21 . 2010-01-19 16:43 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-07-28 21:21 . 2010-01-19 18:29 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-07-22 12:49 . 2010-02-18 12:17 -------- d-----w- c:\users\Brecht\AppData\Roaming\BitTorrent
2010-07-21 23:58 . 2010-01-19 17:04 -------- d-----w- c:\program files\Common Files\Steam
2010-07-16 19:39 . 2010-07-16 18:13 -------- d-----w- c:\users\Brecht\AppData\Roaming\Mumble
2010-07-13 05:58 . 2010-05-23 00:45 -------- d-----w- c:\program files\PHPNukeDU
2010-07-13 05:58 . 2009-11-26 17:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-13 05:16 . 2010-01-19 17:51 -------- d-----w- c:\program files\Xfire
2010-07-12 21:38 . 2010-01-19 16:19 79920 ----a-w- c:\users\Brecht\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-02 23:39 . 2010-06-17 16:42 -------- d-----w- c:\users\Brecht\AppData\Roaming\Screaming Bee
2010-07-02 23:39 . 2010-06-17 16:42 -------- d-----w- c:\program files\Screaming Bee
2010-06-19 21:37 . 2010-06-19 21:37 -------- d-----w- c:\programdata\UAB
2010-06-19 21:37 . 2010-06-19 21:37 -------- d-----w- c:\programdata\PC Drivers HeadQuarters
2010-06-19 21:36 . 2010-06-19 21:36 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2010-06-19 21:34 . 2010-06-19 21:34 -------- d-----w- c:\program files\ManyCam 2.4
2010-06-19 21:34 . 2010-06-19 21:34 -------- d-----w- c:\users\Brecht\AppData\Roaming\ManyCam
2010-06-17 17:18 . 2010-06-17 16:58 -------- d-----w- c:\programdata\Screaming Bee
2010-06-17 16:59 . 2010-06-17 16:59 -------- d-----w- c:\users\Default\AppData\Roaming\Screaming Bee
2010-06-17 16:58 . 2010-06-17 16:58 79520 ----a-w- c:\users\Default\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-17 16:45 . 2010-06-17 16:45 -------- d-----w- c:\program files\Screaming Bee LLC
2010-06-16 15:05 . 2010-02-18 12:17 -------- d-----w- c:\program files\Ask.com
2010-06-12 00:48 . 2009-11-26 17:38 -------- d-----w- c:\programdata\Microsoft Help
2010-06-04 23:54 . 2010-06-04 23:54 71960 ----a-w- c:\users\Brecht\AppData\Roaming\Mozilla\Plugins\npoctoshape.dll
2010-05-27 07:24 . 2010-06-10 14:15 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 03:49 . 2010-06-10 14:15 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 12:14 . 2010-01-20 12:02 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 05:18 . 2010-06-10 14:15 977920 ----a-w- c:\windows\system32\wininet.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2009-12-31 2349080]
"{46735dee-f862-49d1-876d-6382794dc625}"= "c:\program files\PHPNukeDU\tbPHPN.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CLASSES_ROOT\clsid\{46735dee-f862-49d1-876d-6382794dc625}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46735dee-f862-49d1-876d-6382794dc625}]
2010-06-13 17:10 2734688 ----a-w- c:\program files\PHPNukeDU\tbPHPN.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2009-12-31 10:53 2349080 ----a-w- c:\program files\XfireXO\tbXfir.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 13:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2009-12-31 2349080]
"{46735dee-f862-49d1-876d-6382794dc625}"= "c:\program files\PHPNukeDU\tbPHPN.dll" [2010-06-13 2734688]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CLASSES_ROOT\clsid\{46735dee-f862-49d1-876d-6382794dc625}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3}"= "c:\program files\XfireXO\tbXfir.dll" [2009-12-31 2349080]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
"{46735DEE-F862-49D1-876D-6382794DC625}"= "c:\program files\PHPNukeDU\tbPHPN.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{46735dee-f862-49d1-876d-6382794dc625}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RGSC"="c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe" [N/A]
"Google Update"="c:\users\Brecht\AppData\Local\Google\Update\GoogleUpdate.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-06-24 7596576]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2009-08-28 2072576]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-26 149280]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-03-09 2769336]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam .exe" [N/A]

c:\users\Brecht\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-7-29 0]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2009-8-26 2684256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Users^Brecht^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\users\Brecht\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccip.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Brecht^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\users\Brecht\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
c:\users\Brecht\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient .exe -inv:bootrun [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
c:\users\Brecht\AppData\Local\Google\Update\GoogleUpdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ManyCam]
2010-04-21 08:26 1824040 ----a-w- c:\program files\ManyCam 2.4\ManyCam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 14:12 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-07 05:29 1238352 ----a-w- c:\program files\Steam\Steam.exe

R0 1888905301;1888905301;c:\windows\system32\drivers\1888905301.sys [x]
R0 261085039;261085039;c:\windows\system32\drivers\261085039.sys [x]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [2009-05-26 17408]
R3 enecirhid;ENE CIR HID Receiver;c:\windows\system32\DRIVERS\enecirhid.sys [2009-05-19 11776]
R3 enecirhidma;ENE CIR HIDmini Filter;c:\windows\system32\DRIVERS\enecirhidma.sys [2008-04-24 5632]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
R3 WatAdminSvc;Windows Activation Technologies-service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-07 1343400]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-12 64288]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-03-09 51792]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-12 1352832]
S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [2009-07-09 160768]
S2 TunngleService;TunngleService;c:\program files\Tunngle\TnglCtrl.exe [2009-12-31 682232]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2009-05-20 59904]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-06-26 66080]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2009-07-14 52768]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2009-07-10 42400]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-12-01 34384]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [2009-09-16 27136]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]


--- Andere Services/Drivers In Geheugen ---

*Deregistered* - zcfhfh
.
Inhoud van de 'Gedeelde Taken' map

2010-08-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 08:55]

2010-08-07 c:\windows\Tasks\Norton Security Scan for Brecht.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-05-14 16:00]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2102399
mStart Page = ${URL_STARTPAGE}
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\xjnhzn4c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2102399&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - PHPNukeDU Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2102399&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2102399&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\xjnhzn4c.default\extensions\{46735dee-f862-49d1-876d-6382794dc625}\components\FFExternalAlert.dll
FF - component: c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\xjnhzn4c.default\extensions\{46735dee-f862-49d1-876d-6382794dc625}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Brecht\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\Brecht\AppData\Roaming\Mozilla\plugins\npoctoshape.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\zcfhfh]

.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9f,63,2e,06,96,24,0e,46,9a,6f,a7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9f,63,2e,06,96,24,0e,46,9a,6f,a7,\

[HKEY_USERS\S-1-5-21-148138387-3408007177-1954212148-1000\Software\SecuROM\License information*]
"datasecu"=hex:02,9d,f3,52,b7,f7,0d,12,24,8c,cd,a9,ec,d0,17,b2,09,d3,99,f9,3d,
d6,28,d0,41,a8,2b,18,aa,a5,4e,36,ad,4a,f5,99,ba,56,1b,2d,ea,42,a7,c6,52,b2,\
"rkeysecu"=hex:35,d6,46,a8,5c,e4,d7,0d,28,cf,67,a9,b2,5d,76,8e

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'Explorer.exe'(4932)
c:\program files\Xfire\xfire_toucan_43094.dll
.
Voltooingstijd: 2010-08-08 01:00:56
ComboFix-quarantined-files.txt 2010-08-07 23:00
ComboFix2.txt 2010-08-06 18:54

Pre-Run: 45.802.291.200 bytes beschikbaar
Post-Run: 45.754.327.040 bytes beschikbaar

- - End Of File - - CA02950B4CFA8466F4DCD00999EFA4F1
[/code]

Juisterr

Legacy Member
Open Notepad, copy and paste the following (the bold, blue text) into an empty window:


Driver::
1888905301
261085039

Renv::
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe



Save this to your Desktop as CFScript.txt.

Drag CFScript.txt onto ComboFix.exe as shown in the example below:
CFScript.gif

This will make ComboFix restart.

After your computer has restarted (if it asks to restart), copy and paste the contents of log.txt into your next reply.
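The two CFScript posts above (the Renv:: rename list in the first, the Driver:: and Renv:: lists in the second) were written by hand from the ComboFix log. The script below is an added example, not part of this thread and not ComboFix's own code. It scans ComboFix-style log lines for the two anomalies the helper picked out, executables whose name has a space inserted before `.exe` (such as `mbam .exe`) and services whose name is a bare run of digits (such as `1888905301`), and drafts the matching CFScript blocks using only the directives and the `--->` rename syntax shown in this thread. The sample log lines are constructed, modelled on the logs posted here; the function names are my own.

```python
"""Draft a CFScript from ComboFix-style log lines (added example, not ComboFix code).

Two anomalies from this thread are detected:
  1. Executables carrying a space before the extension ("mbam .exe"), which the
     helper repairs with a Renv:: entry of the form "old --->new".
  2. Services whose name and display name are the same run of digits
     ("R0 1888905301;1888905301;...\\1888905301.sys [x]"), listed under Driver::.
"""
import re
from typing import List, Tuple

# Constructed sample lines in ComboFix's output format, modelled on the logs in
# this thread (not taken from a real scan).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam .exe" [N/A]
2010-08-01 10:33 . 2010-06-04 23:54 36872 ----a-w- c:\users\Brecht\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient .exe
R0 1888905301;1888905301;c:\windows\system32\drivers\1888905301.sys [x]
R0 261085039;261085039;c:\windows\system32\drivers\261085039.sys [x]
R3 enecirhid;ENE CIR HID Receiver;c:\windows\system32\DRIVERS\enecirhid.sys [2009-05-19 11776]
"""

# A Windows path whose last component ends in " .exe" (space before the extension).
# Group 1 is everything up to, but not including, the space.
SPACE_EXT_RE = re.compile(r'(?i)(c:\\[^"\r\n]*?) \.exe\b')

# Service line (R0..S3 prefix) whose service name and display name are the same digits.
NUMERIC_SVC_RE = re.compile(r'^[RS]\d (\d+);\1;', re.MULTILINE)


def find_space_renamed_executables(log: str) -> List[Tuple[str, str]]:
    """Return (current_name, intended_name) pairs for executables that carry a
    space before .exe; the same file may be listed in several log sections, so
    duplicates are dropped while preserving first-seen order."""
    pairs: List[Tuple[str, str]] = []
    for m in SPACE_EXT_RE.finditer(log):
        stem = m.group(1)
        pair = (stem + " .exe", stem + ".exe")
        if pair not in pairs:
            pairs.append(pair)
    return pairs


def find_numeric_services(log: str) -> List[str]:
    """Return the names of services that consist only of digits."""
    return [m.group(1) for m in NUMERIC_SVC_RE.finditer(log)]


def draft_cfscript(log: str) -> str:
    """Build CFScript.txt text: a Driver:: block followed by a Renv:: block.
    Only the two directives and the '--->' rename form seen in the thread are used;
    an empty string is returned when nothing suspicious was found."""
    lines: List[str] = []
    drivers = find_numeric_services(log)
    if drivers:
        lines.append("Driver::")
        lines.extend(drivers)
        lines.append("")
    renames = find_space_renamed_executables(log)
    if renames:
        lines.append("Renv::")
        lines.extend(old + " --->" + new for old, new in renames)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(draft_cfscript(SAMPLE_LOG))
```

Run against the sample, the draft reproduces the two blocks the helper wrote by hand: `Driver::` with `1888905301` and `261085039`, then `Renv::` with the `mbam .exe` and `OctoshapeClient .exe` renames. Review the generated file against the full log before using it; the script only flags the two patterns that appeared in this thread and knows nothing about the Registry:: or Folder:: entries, which still need a human judgement call.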

belgianreaver

Legacy Member
sorry about that code btw, I hadn't seen the reason for the edit :)

ComboFix 10-08-06.01 - Brecht 09/08/2010 2:06.4.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.32.1043.18.3071.1823 [GMT 2:00]
Gestart vanuit: c:\users\Brecht\Desktop\ComboFix.exe
gebruikte Opdracht switches :: c:\users\Brecht\Desktop\CFScript.txt.txt
* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_1888905301
-------\Service_261085039


(((((((((((((((((((( Bestanden Gemaakt van 2010-07-09 to 2010-08-09 ))))))))))))))))))))))))))))))
.

2010-08-09 00:34 . 2010-08-09 00:34 -------- d-----w- C:\Device
2010-08-09 00:14 . 2010-08-09 00:14 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-09 00:14 . 2010-08-09 00:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-06 22:11 . 2010-08-06 22:11 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-06 18:54 . 2010-08-09 00:35 -------- d-----w- c:\users\Brecht\AppData\Local\temp
2010-08-05 10:38 . 2010-08-05 10:38 -------- d-----w- c:\program files\GiPo@Utilities
2010-08-05 10:38 . 2010-08-05 10:38 -------- d-----w- c:\program files\Common Files\Gibinsoft Shared
2010-08-03 23:35 . 2010-07-12 08:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-03 22:11 . 2010-07-12 08:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-03 22:10 . 2010-08-03 22:10 -------- d-----w- c:\users\Brecht\AppData\Local\Sunbelt Software
2010-08-03 22:08 . 2010-08-03 22:08 -------- dc-h--w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-03 22:07 . 2010-08-03 22:10 -------- d-----w- c:\programdata\Lavasoft
2010-08-03 22:07 . 2010-08-03 22:07 -------- d-----w- c:\program files\Lavasoft
2010-08-03 17:32 . 2010-08-03 17:32 -------- d-----w- c:\users\Brecht\AppData\Local\Google
2010-07-28 21:09 . 2010-08-06 15:46 -------- d-----w- c:\program files\StarCraft II
2010-07-22 14:15 . 2010-08-09 00:35 -------- d-----w- c:\users\Brecht\AppData\Local\Deployment
2010-07-22 13:32 . 2010-07-22 13:32 -------- d-----w- c:\users\Brecht\AppData\Roaming\Malwarebytes
2010-07-22 13:32 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-22 13:32 . 2010-08-06 18:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-22 13:32 . 2010-07-22 13:32 -------- d-----w- c:\programdata\Malwarebytes
2010-07-22 13:32 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-22 12:47 . 2010-07-22 12:47 -------- d--h--w- c:\windows\PIF
2010-07-16 18:13 . 2010-07-16 19:39 -------- d-----w- c:\users\Brecht\AppData\Roaming\Mumble
2010-07-16 18:12 . 2010-07-16 18:12 -------- d-----w- c:\program files\Mumble
2010-07-14 23:05 . 2010-07-14 23:05 -------- d-----w- c:\users\Brecht\AppData\Local\Apple Computer
2010-07-13 05:59 . 2010-07-13 05:59 -------- d-----w- c:\users\Brecht\AppData\Roaming\AVS4YOU
2010-07-13 05:58 . 2010-07-13 05:58 -------- d-----w- c:\program files\Hyplay
2010-07-13 05:58 . 2010-07-13 05:58 -------- d-----w- c:\program files\Common Files\Hypnotizer
2010-07-13 05:56 . 2010-07-13 05:57 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-07-13 05:56 . 2010-07-13 05:59 -------- d-----w- c:\programdata\AVS4YOU
2010-07-13 05:56 . 2010-07-13 05:57 -------- d-----w- c:\program files\AVS4YOU
2010-07-13 05:56 . 2008-08-13 09:22 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-07-13 05:56 . 2008-08-13 09:22 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-07-13 05:56 . 2008-08-13 09:22 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-07-13 05:56 . 2008-08-13 09:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-07-12 21:36 . 2010-07-12 21:36 -------- d-----w- c:\program files\Guitar Pro 5

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-09 00:36 . 2010-06-02 18:10 -------- d-----w- c:\users\Brecht\AppData\Roaming\Skype
2010-08-09 00:36 . 2010-01-19 17:17 -------- d-----w- c:\users\Brecht\AppData\Roaming\skypePM
2010-08-08 21:32 . 2010-01-19 17:04 -------- d-----w- c:\program files\Steam
2010-08-08 01:46 . 2010-02-06 14:20 0 ----a-w- c:\windows\system32\Access.dat
2010-08-06 18:52 . 2010-05-18 14:23 -------- d-----w- c:\program files\QuickTime
2010-08-06 18:52 . 2009-11-26 17:47 -------- d-----w- c:\program files\System Control Manager
2010-08-06 15:46 . 2010-08-06 15:46 47364 ----a-w- c:\programdata\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-08-04 23:37 . 2010-01-19 17:51 -------- d-----w- c:\users\Brecht\AppData\Roaming\Xfire
2010-08-04 01:58 . 2010-01-19 17:51 -------- d-----w- c:\programdata\Xfire
2010-08-01 10:33 . 2010-06-04 23:54 36872 ----a-w- c:\users\Brecht\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient .exe
2010-07-31 08:57 . 2010-06-04 23:54 36872 ----a-w- c:\users\Brecht\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
2010-07-28 23:11 . 2009-11-26 17:08 691728 ----a-w- c:\windows\system32\perfh013.dat
2010-07-28 23:11 . 2009-11-26 17:08 130232 ----a-w- c:\windows\system32\perfc013.dat
2010-07-28 21:21 . 2010-01-19 16:43 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-07-28 21:21 . 2010-01-19 18:29 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-07-22 12:49 . 2010-02-18 12:17 -------- d-----w- c:\users\Brecht\AppData\Roaming\BitTorrent
2010-07-21 23:58 . 2010-01-19 17:04 -------- d-----w- c:\program files\Common Files\Steam
2010-07-13 05:58 . 2010-05-23 00:45 -------- d-----w- c:\program files\PHPNukeDU
2010-07-13 05:58 . 2009-11-26 17:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-13 05:16 . 2010-01-19 17:51 -------- d-----w- c:\program files\Xfire
2010-07-12 21:38 . 2010-01-19 16:19 79920 ----a-w- c:\users\Brecht\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-12 08:56 . 2010-08-03 22:08 2979280 -c--a-w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-07-09 19:04 . 2010-07-09 19:04 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-07-02 23:39 . 2010-06-17 16:42 -------- d-----w- c:\users\Brecht\AppData\Roaming\Screaming Bee
2010-07-02 23:39 . 2010-06-17 16:42 -------- d-----w- c:\program files\Screaming Bee
2010-06-19 21:37 . 2010-06-19 21:37 -------- d-----w- c:\programdata\UAB
2010-06-19 21:37 . 2010-06-19 21:37 -------- d-----w- c:\programdata\PC Drivers HeadQuarters
2010-06-19 21:36 . 2010-06-19 21:36 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2010-06-19 21:34 . 2010-06-19 21:34 -------- d-----w- c:\program files\ManyCam 2.4
2010-06-19 21:34 . 2010-06-19 21:34 -------- d-----w- c:\users\Brecht\AppData\Roaming\ManyCam
2010-06-17 17:18 . 2010-06-17 16:58 -------- d-----w- c:\programdata\Screaming Bee
2010-06-17 16:59 . 2010-06-17 16:59 -------- d-----w- c:\users\Default\AppData\Roaming\Screaming Bee
2010-06-17 16:58 . 2010-06-17 16:58 79520 ----a-w- c:\users\Default\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-17 16:45 . 2010-06-17 16:45 -------- d-----w- c:\program files\Screaming Bee LLC
2010-06-16 15:05 . 2010-02-18 12:17 -------- d-----w- c:\program files\Ask.com
2010-06-12 00:48 . 2009-11-26 17:38 -------- d-----w- c:\programdata\Microsoft Help
2010-06-08 09:34 . 2010-07-13 05:58 52224 ------w- c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\xjnhzn4c.default\extensions\{46735dee-f862-49d1-876d-6382794dc625}\components\FFExternalAlert.dll
2010-06-08 09:34 . 2010-07-13 05:58 101376 ------w- c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\xjnhzn4c.default\extensions\{46735dee-f862-49d1-876d-6382794dc625}\components\RadioWMPCore.dll
2010-06-04 23:54 . 2010-06-04 23:54 71960 ----a-w- c:\users\Brecht\AppData\Roaming\Mozilla\Plugins\npoctoshape.dll
2010-05-27 07:24 . 2010-06-10 14:15 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 03:49 . 2010-06-10 14:15 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 12:14 . 2010-01-20 12:02 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 05:18 . 2010-06-10 14:15 977920 ----a-w- c:\windows\system32\wininet.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2009-12-31 2349080]
"{46735dee-f862-49d1-876d-6382794dc625}"= "c:\program files\PHPNukeDU\tbPHPN.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CLASSES_ROOT\clsid\{46735dee-f862-49d1-876d-6382794dc625}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46735dee-f862-49d1-876d-6382794dc625}]
2010-06-13 17:10 2734688 ----a-w- c:\program files\PHPNukeDU\tbPHPN.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2009-12-31 10:53 2349080 ----a-w- c:\program files\XfireXO\tbXfir.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 13:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2009-12-31 2349080]
"{46735dee-f862-49d1-876d-6382794dc625}"= "c:\program files\PHPNukeDU\tbPHPN.dll" [2010-06-13 2734688]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CLASSES_ROOT\clsid\{46735dee-f862-49d1-876d-6382794dc625}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3}"= "c:\program files\XfireXO\tbXfir.dll" [2009-12-31 2349080]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
"{46735DEE-F862-49D1-876D-6382794DC625}"= "c:\program files\PHPNukeDU\tbPHPN.dll" [2010-06-13 2734688]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{46735dee-f862-49d1-876d-6382794dc625}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-06-24 7596576]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2009-08-28 2072576]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-26 149280]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-03-09 2769336]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

c:\users\Brecht\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-7-29 0]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2009-8-26 2684256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Users^Brecht^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CurseClientStartup.ccip]
path=c:\users\Brecht\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
backup=c:\windows\pss\CurseClientStartup.ccip.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Brecht^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\users\Brecht\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Octoshape Streaming Services]
c:\users\Brecht\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient .exe -inv:bootrun [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ManyCam]
2010-04-21 08:26 1824040 ----a-w- c:\program files\ManyCam 2.4\ManyCam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 14:12 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-07 05:29 1238352 ----a-w- c:\program files\Steam\Steam.exe

R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [2009-05-26 17408]
R3 enecirhid;ENE CIR HID Receiver;c:\windows\system32\DRIVERS\enecirhid.sys [2009-05-19 11776]
R3 enecirhidma;ENE CIR HIDmini Filter;c:\windows\system32\DRIVERS\enecirhidma.sys [2008-04-24 5632]
R3 NETw5s32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
R3 WatAdminSvc;Windows Activation Technologies-service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-07 1343400]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-12 64288]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-03-09 51792]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-12 1352832]
S2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [2009-07-09 160768]
S2 TunngleService;TunngleService;c:\program files\Tunngle\TnglCtrl.exe [2009-12-31 682232]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2009-05-20 59904]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [2008-01-14 21632]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-06-26 66080]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2009-07-14 52768]
S3 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2009-07-10 42400]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-05-22 167936]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-12-01 34384]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [2009-09-16 27136]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]


--- Andere Services/Drivers In Geheugen ---

*Deregistered* - zcfhfh
.
Inhoud van de 'Gedeelde Taken' map

2010-08-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 08:55]

2010-08-08 c:\windows\Tasks\Norton Security Scan for Brecht.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-05-14 16:00]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2102399
mStart Page = ${URL_STARTPAGE}
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\xjnhzn4c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2102399&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - PHPNukeDU Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2102399&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2102399&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\xjnhzn4c.default\extensions\{46735dee-f862-49d1-876d-6382794dc625}\components\FFExternalAlert.dll
FF - component: c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\xjnhzn4c.default\extensions\{46735dee-f862-49d1-876d-6382794dc625}\components\RadioWMPCore.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Brecht\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\Brecht\AppData\Roaming\Mozilla\plugins\npoctoshape.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS VERWIJDERD - - - -

HKCU-Run-RGSC - c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe
HKCU-Run-Google Update - c:\users\Brecht\AppData\Local\Google\Update\GoogleUpdate.exe
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam .exe
MSConfigStartUp-Google Update - c:\users\Brecht\AppData\Local\Google\Update\GoogleUpdate.exe



[HKEY_LOCAL_MACHINE\system\ControlSet001\services\zcfhfh]

.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9f,63,2e,06,96,24,0e,46,9a,6f,a7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9f,63,2e,06,96,24,0e,46,9a,6f,a7,\

[HKEY_USERS\S-1-5-21-148138387-3408007177-1954212148-1000\Software\SecuROM\License information*]
"datasecu"=hex:02,9d,f3,52,b7,f7,0d,12,24,8c,cd,a9,ec,d0,17,b2,09,d3,99,f9,3d,
d6,28,d0,41,a8,2b,18,aa,a5,4e,36,ad,4a,f5,99,ba,56,1b,2d,ea,42,a7,c6,52,b2,\
"rkeysecu"=hex:35,d6,46,a8,5c,e4,d7,0d,28,cf,67,a9,b2,5d,76,8e

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Blaze Media Pro\NMSAccess32.exe
c:\windows\system32\DRIVERS\o2flash.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\windows\system32\sppsvc.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Voltooingstijd: 2010-08-09 02:41:02 - machine werd herstart
ComboFix-quarantined-files.txt 2010-08-09 00:41
ComboFix2.txt 2010-08-07 23:00
ComboFix3.txt 2010-08-06 18:54

Pre-Run: 45.331.554.304 bytes beschikbaar
Post-Run: 45.039.992.832 bytes beschikbaar

- - End Of File - - 29F3C597D4A5A298240D0E107052D8C1

Juisterr

Legacy Member
Go to Start - Run
and enter the following there: Combofix /Uninstall
Then press OK.
If all goes well, you will then get a message that Combofix has been removed.

Example:

[image: CFUninstall.PNG]


Run can also be started with the key combination
[image: W+R.jpg]