Nucia Security Forums

Thread status: Solved
22 July 2010, 10:49   #1
Aspheros
Preferred answer level: 2.
Operating system: Windows 7 Ultimate
Antivirus: NOD32 Security Suite
Firewall: NOD32 Security Suite
Posts: 41

Win32/Mebroot trojan

In my previous post I was asked to post a HJT log and a D.D.S. log in this section (http://www.nucia.eu/forum/showthread.php?t=58784)

Thanks in advance!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:40:20, on 22/07/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Hercules\Deluxe Optical Glass\XtrCtrl.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Nick\Desktop\dds.com
C:\Windows\system32\conhost.exe
C:\Windows\system32\cmd.exe
C:\Users\Nick\AppData\Local\Temp\A6B.tmp\evP.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 10\SnagitBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: FlashGetBHO - {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Users\Nick\AppData\Roaming\FlashGetBHO\FlashGetBHO3.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: PandoraTV Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
O4 - HKLM\..\Run: [Nokia FastStart] "C:\Program Files\Nokia\Nokia Music\NokiaMusic.exe" /command:faststart
O4 - HKLM\..\Run: [CamserviceOG] C:\Program Files\Hercules\Deluxe Optical Glass\XtrCtrl.exe /startup
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all by FlashGet3 - C:\Users\Nick\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
O8 - Extra context menu item: Download by FlashGet3 - C:\Users\Nick\AppData\Roaming\FlashGetBHO\GetUrl.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://software.kuaiche.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - AppInit_DLLs: acaptuser32.dll
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\XAMMP\xampp\apache\bin\httpd.exe
O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: ExtraFilm upload service (EFUploadSrv) - Textalk AB - C:\Program Files\ExtraFilm Designer BE NL\EFUploadSrv.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: MySQL - MySQL AB - C:\Program Files\XAMMP\xampp\mysql\bin\mysqld.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

--
End of file - 8136 bytes



DDS (Ver_10-03-17.01) - NTFSx86
Run by Nick at 10:45:15,97 on do 22/07/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_16
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.32.1043.18.3070.1755 [GMT 2:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
svchost.exe 4
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
svchost.exe 4
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\XAMMP\xampp\apache\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ExtraFilm Designer BE NL\EFUploadSrv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\XAMMP\xampp\mysql\bin\mysqld.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\XAMMP\xampp\apache\bin\httpd.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Hercules\Deluxe Optical Glass\XtrCtrl.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Nick\Desktop\dds.com
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 10\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Aanmelden - Help: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: FlashGetBHO: {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - c:\users\nick\appdata\roaming\flashgetbho\FlashGetBHO3.dll
BHO: PandoraTV Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: PandoraTV Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 10\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [<NO NAME>]
mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles
mRun: [Nokia FastStart] "c:\program files\nokia\nokia music\NokiaMusic.exe" /command:faststart
mRun: [CamserviceOG] c:\program files\hercules\deluxe optical glass\XtrCtrl.exe /startup
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all by FlashGet3 - c:\users\nick\appdata\roaming\flashgetbho\GetAllUrl.htm
IE: Download by FlashGet3 - c:\users\nick\appdata\roaming\flashgetbho\GetUrl.htm
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: kuaiche.com\software
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: acaptuser32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\nick\appdata\roaming\mozilla\firefox\profiles\8k7480nz.default\
FF - prefs.js: browser.startup.homepage - www.google.be
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\users\nick\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-14 20992]
R2 Apache2.2;Apache2.2;c:\program files\xammp\xampp\apache\bin\httpd.exe [2010-7-16 29416]
R2 EFUploadSrv;ExtraFilm upload service;c:\program files\extrafilm designer be nl\EFUploadSrv.exe [2009-7-9 1716224]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-11-16 735960]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2009-11-16 38240]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-27 304464]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-6-7 240232]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2010-2-25 1047880]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-12-30 20952]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2010-2-7 25832]
S3 hxctlflt;hxctlflt;c:\windows\system32\drivers\hxctlflt.sys [2010-4-12 99968]

=============== Created Last 30 ================

2010-07-22 08:37:49 0 d-----w- c:\program files\Trend Micro
2010-07-21 22:24:38 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-07-21 22:24:38 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-07-21 22:24:38 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-07-21 22:24:38 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-07-21 22:24:37 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-07-21 22:19:19 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-07-21 22:18:14 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-07-21 22:14:19 977920 ----a-w- c:\windows\system32\wininet.dll
2010-07-21 22:14:16 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-07-21 22:14:15 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-07-21 22:14:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-07-21 22:14:13 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-07-21 22:14:12 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-07-21 22:12:50 2048 ----a-w- c:\windows\system32\tzres.dll
2010-07-21 09:46:55 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-07-19 00:57:10 0 d-----w- c:\users\nick\appdata\roaming\E6A2B73AF46449D8F29CC97C08385E6E
2010-07-18 11:42:01 0 d-----w- c:\programdata\TechSmith
2010-07-18 11:40:24 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-07-15 22:36:00 0 d-----w- c:\program files\XAMMP
2010-07-13 20:14:30 0 d-----w- c:\users\nick\appdata\roaming\The Creative Assembly
2010-07-13 17:09:00 0 d-----w- c:\program files\Napoleon Total War
2010-07-07 12:17:50 0 d-----w- c:\program files\Wizards of the Coast LLC
2010-07-06 09:55:09 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-06 09:55:09 0 d-----w- c:\program files\iPod
2010-07-06 09:50:57 0 d-----w- c:\program files\Bonjour
2010-07-05 12:07:29 0 d-----w- c:\programdata\Blizzard Entertainment

==================== Find3M ====================

2010-07-18 17:33:21 702610 ----a-w- c:\windows\system32\perfh013.dat
2010-07-18 17:33:21 134366 ----a-w- c:\windows\system32\perfc013.dat
2010-06-07 15:48:04 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-06-07 15:48:04 13917800 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-07 15:48:04 1331816 ----a-w- c:\windows\system32\nvsvc.dll
2010-06-07 15:48:04 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-06-07 15:48:04 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-05-21 12:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 14:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 14:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 14:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-09 09:14:55 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-05-09 09:14:50 417792 ----a-w- c:\windows\system32\msdri.dll
2010-04-28 12:00:09 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2009-07-14 08:27:10 43068 ----a-w- c:\windows\inf\perflib\0413\perfd.dat
2009-07-14 08:27:10 43068 ----a-w- c:\windows\inf\perflib\0413\perfc.dat
2009-07-14 08:27:10 341322 ----a-w- c:\windows\inf\perflib\0413\perfi.dat
2009-07-14 08:27:10 341322 ----a-w- c:\windows\inf\perflib\0413\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 10:46:59,31 ===============
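The HJT and DDS output above is what the forum helpers read by hand. As an added example, not part of the thread and not code from HijackThis, DDS or Nucia, here is a small Python triage pass that applies the hygiene checks a log reader typically applies first: a process running out of a Temp directory, a host added to the IE Trusted Zone, a populated AppInit_DLLs value, UAC policies set to 0, autostart or toolbar entries with no name or no file, a freshly created hidden+system directory, an unexpanded `%APPDATA%` literal used as a directory name, and a 32-character hex directory name in a user profile. The sample lines are copied verbatim from the logs in this post; the rule names and the rule set are my own assumption about what to look at first, not a signature for any malware family, and every hit is a lead that still has to be verified by hand (the `acaptuser32.dll` AppInit entry, for instance, is shipped by Adobe Acrobat, which the O2/O3 lines show is installed). None of these checks can see an MBR bootkit, which is why a rootkit scan is the next step in the thread.

```python
"""Heuristic triage of HijackThis / DDS log lines.

Added example for this thread; not part of HijackThis, DDS or the forum's
own tooling. The sample lines are copied from the logs posted above; the
rule names and the rule set are an assumption about what a log reader
looks at first, not a detection signature for any malware family.
"""
import re

# Constructed sample: lines taken verbatim from the HJT and DDS logs in post #1.
SAMPLE_LOG = r"""
C:\Users\Nick\AppData\Local\Temp\A6B.tmp\evP.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
O15 - Trusted Zone: http://software.kuaiche.com
O20 - AppInit_DLLs: acaptuser32.dll
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mRun: [<NO NAME>]
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
2010-07-21 09:46:55 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-07-19 00:57:10 0 d-----w- c:\users\nick\appdata\roaming\E6A2B73AF46449D8F29CC97C08385E6E
"""

# Each rule: (name, compiled regex, why a reader cares). Names are my own.
RULES = [
    ("process-from-temp",
     re.compile(r"^[A-Za-z]:\\.*\\(?:Temp|Temporary Internet Files)\\.*\.exe$", re.I),
     "executable running out of a temporary directory"),
    ("trusted-zone",
     re.compile(r"^(?:O15 - )?Trusted Zone: ", re.I),
     "host added to the IE Trusted Zone (lowered browser security for that host)"),
    ("appinit-dll",
     re.compile(r"^(?:O20 - )?AppInit_DLLs: \S", re.I),
     "AppInit_DLLs populated: the DLL is loaded into every process that links user32.dll"),
    ("uac-disabled",
     re.compile(r"^mPolicies-system: (?:EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop) = 0\b", re.I),
     "UAC weakened or disabled by policy"),
    ("dangling-entry",
     re.compile(r" - No File$|\[<NO NAME>\]", re.I),
     "autostart/toolbar entry without a name or whose file is missing"),
    ("hidden-sysdir",
     re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} +\d+ d-sh--w- ", re.I),
     "recently created directory with hidden+system attributes"),
    ("unexpanded-envvar",
     re.compile(r"\\%[A-Za-z_]+%", re.I),
     "literal %VAR% used as a path component (variable was never expanded)"),
    ("hex-named-dir",
     re.compile(r"\\[0-9A-F]{32}\s*$", re.I),
     "directory named as a 32-character hex string"),
]


def triage(log_text):
    """Return a list of (rule_name, line, reason) for every matching line.

    A line can hit more than one rule; all hits are reported so the reader
    sees each reason separately.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, rx, why in RULES:
            if rx.search(line):
                findings.append((name, line, why))
    return findings


def summarize(findings):
    """Count findings per rule name, so the reader sees the shape of the log."""
    counts = {}
    for name, _, _ in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for name, line, why in hits:
        print(f"[{name}] {line}\n    -> {why}")
    print(summarize(hits))
```

Run it on a full log by reading the file and passing its text to `triage()`; the three UAC hits here (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop all 0) are the kind of thing a helper asks the poster to restore after cleanup regardless of what the rootkit scan finds.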
23 July 2010, 19:47   #2
Marckie
Preferred answer level: 5. Expert
Operating system: Windows 7 Home Premium
Antivirus: ESET / KIS
Firewall: ESET / KIS
Posts: 34,288
Hello,

Download the Gmer rootkit scanner: http://www2.gmer.net/download.php
Save it to your desktop.
The file you download has a randomly chosen combination of digits and letters as its name (e.g. jqb1jln3.exe or ubmp5cd5.exe, always a combination of 8 digits and letters).
Double-click this file to start Gmer.
If you get a message that rootkits are active and are asked to run a scan, do not allow it.
On the right-hand side there are a number of options you can check or uncheck. By default everything is checked; leave it that way.
Under Files only the system partition should be checked. (The system partition is the partition on which your Windows is installed.)
Remove the check mark at "show all" (this must not be checked!)
Now click the "Scan" button to start the rootkit scan with Gmer.
When the scan is finished, click the "Save" button and save the log to your desktop.
(If you click the "Copy" button, the complete report is copied to the clipboard and you can paste it into your next post with CTRL+V.)
To close Gmer, click the "Cancel" button.

23 July 2010, 22:25   #3
Aspheros
Thanks for the reply.

During the scan I get the following error message:

A 2nd and 3rd attempt also fail.
23 July 2010, 23:21   #4
Marckie
Do you use CD-emulator software (Alcohol 120%)?
If so, do this first:
Download Defogger and save it to your desktop: http://www.jpshortstuff.247fixes.com/Defogger.exe
Double-click Defogger.exe to start the tool.
In the window that appears, click the "Disable" button.
In the next window, click Yes to continue.
Wait until you get the message 'Finished' and click "Ok" in that window.
If DeFogger asks you to restart the computer, do so.
If you get an error message when using Defogger, look on the desktop (or in the folder you started Defogger from) for the file defogger_disable and post the contents of that file.
You can re-enable the CD-emulator software with Defogger by starting the tool and clicking the "Re-enable" button.
Do this only once we are completely finished with the analysis of the computer.

Try Gmer again.

23 July 2010, 23:32   #5
Aspheros
Downloaded Defogger & clicked Disable. After a 'Finished' message I was asked to restart the computer. After the reboot I scanned with GMER and again got an error message at '\Device\HarddiskVolumeShadowCopy1

24 July 2010, 18:32   #6
Marckie
Download combofix.exe from this site: http://www.bleepingcomputer.com/comb...uikt-te-worden .
If the Recovery Console is not installed, ComboFix will offer to download and install it. Allow this.
Once the Recovery Console is installed, let ComboFix scan the computer.
When ComboFix starts, you may get an Error message that the "contents of the ComboFix package has been compromised".
Do not continue with the instructions, but download ComboFix again. This message can appear when a file infector (Virut) is active on the computer.
If you get this message, report it.
When ComboFix has finished scanning, which may be after a reboot, a log file (combofix.txt) opens.
Post the contents of this file together with a new HijackThis log.
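Both checks this post relies on are baseline comparisons: ComboFix refuses to run when its own package no longer matches what its author shipped (the "contents ... compromised" message, typically caused by a file infector patching the executable), and the MBR scan it runs afterwards compares the boot sector against what a clean one should look like; an MBR bootkit overwrites the boot code but keeps the partition table and the 0x55AA signature intact so that Windows still boots. The Python below is an added example, not ComboFix's or GMER's code, showing both checks over constructed data: the boot code, partition layout and "known-good" digest are all made up for the demonstration, and a real check would use the digest published by the tool's author and a boot sector taken from a known-clean install of the same Windows version.

```python
"""Baseline-comparison integrity checks (added example, not ComboFix/GMER code).

Two checks are shown: a downloaded tool compared against its published digest,
and a 512-byte MBR compared against a known-good boot sector. All byte strings
and the 'known-good' digest are constructed here for the demonstration.
"""
import hashlib
import hmac
import struct

SECTOR = 512
BOOTCODE_LEN = 440       # classic MBR: boot code occupies bytes 0..439
PTABLE_OFF = 446         # four 16-byte partition entries at 446..509
SIG_OFF = 510            # boot signature 0x55 0xAA at 510..511
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_package(data: bytes, expected_sha256: str) -> bool:
    """True if the downloaded tool matches the digest its author published.
    A patch or appended payload (what a file infector does) changes the digest,
    which is the kind of tampering a tool's self-check refuses to run with."""
    return hmac.compare_digest(sha256(data), expected_sha256)


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty partition table entries as dicts."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            ENTRY_FMT, mbr, PTABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return parts


def check_mbr(mbr: bytes, known_good_bootcode_sha256: str) -> dict:
    """Flag an MBR whose boot code differs from the baseline while the partition
    table and boot signature are intact: the shape of a bootkit infection, which
    has to keep the disk bootable to stay hidden."""
    if len(mbr) != SECTOR:
        return {"partitions": [], "findings": ["unexpected sector length"],
                "bootkit_like": False}
    findings = []
    sig_ok = mbr[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa"
    if not sig_ok:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    code_ok = hmac.compare_digest(sha256(mbr[:BOOTCODE_LEN]), known_good_bootcode_sha256)
    if not code_ok:
        findings.append("boot code differs from known-good baseline")
    return {"partitions": parts, "findings": findings,
            "bootkit_like": (not code_ok) and sig_ok and len(active) == 1}


def build_mbr(bootcode: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba, count) tuples."""
    mbr = bytearray(SECTOR)
    mbr[:len(bootcode)] = bootcode
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PTABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return bytes(mbr)


# Constructed stand-in for a clean boot sector; this is not real Windows boot code.
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOTCODE_LEN - 7)
PARTITIONS = [(0x80, 0x07, 2048, 204800),        # active 100 MB system partition
              (0x00, 0x07, 206848, 312366000)]   # Windows partition
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, PARTITIONS)
KNOWN_GOOD_BOOTCODE_SHA256 = sha256(CLEAN_BOOTCODE)  # in practice: from a clean install

# Constructed infected sector: boot code replaced, table and signature preserved.
INFECTED_MBR = build_mbr(b"\xeb\x1e" + b"\xcc" * (BOOTCODE_LEN - 2), PARTITIONS)

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        result = check_mbr(sector, KNOWN_GOOD_BOOTCODE_SHA256)
        print(label, result["findings"], "bootkit_like:", result["bootkit_like"])
```

On a live system the 512 bytes would be read from \\.\PhysicalDrive0 with administrator rights, and an active bootkit can lie to that read, which is why scanners like GMER and ComboFix read the sector from a low level and why the mbr.cfxxe component shows up in the process list during a scan. A clean result from a disk read alone is therefore weaker evidence than a mismatch.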
24 July 2010, 22:33   #7
Aspheros
ComboFix log:

ComboFix 10-07-23.04 - Nick 24/07/2010 22:14:49.2.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.32.1043.18.3070.2052 [GMT 2:00]
Started from: c:\users\Nick\Desktop\ComboFix.exe
* Installed AV is active

.

(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\program files\FlashGet Network\FlashGet 3\adns.dll
c:\program files\FlashGet Network\FlashGet 3\btcoreu.dll
c:\program files\FlashGet Network\FlashGet 3\BugReport.dll
c:\program files\FlashGet Network\FlashGet 3\BugReport.exe
c:\program files\FlashGet Network\FlashGet 3\cd1.ico
c:\program files\FlashGet Network\FlashGet 3\ckcore.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\14_43260.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\28_83260.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\atrc.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\Codecs.zip
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\cook.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\ddnt3260.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\dnet3260.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\drv1.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\drv2.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\drvc.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\hxltcolor.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\raac.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\ralf.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\rv10.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\rv20.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\rv30.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\rv40.dll
c:\program files\FlashGet Network\FlashGet 3\codec\real\Codecs\sipr.dll
c:\program files\FlashGet Network\FlashGet 3\commonlib.dll
c:\program files\FlashGet Network\FlashGet 3\componentskrnl.dll
c:\program files\FlashGet Network\FlashGet 3\config\clients.met
c:\program files\FlashGet Network\FlashGet 3\config\clients.met.bak
c:\program files\FlashGet Network\FlashGet 3\config\cryptkey.dat
c:\program files\FlashGet Network\FlashGet 3\config\emfriends.met
c:\program files\FlashGet Network\FlashGet 3\config\known.met
c:\program files\FlashGet Network\FlashGet 3\config\known2_64.met
c:\program files\FlashGet Network\FlashGet 3\config\preferences.dat
c:\program files\FlashGet Network\FlashGet 3\config\preferences.ini
c:\program files\FlashGet Network\FlashGet 3\config\server.met
c:\program files\FlashGet Network\FlashGet 3\config\server_met.old
c:\program files\FlashGet Network\FlashGet 3\config\upload.met
c:\program files\FlashGet Network\FlashGet 3\corestat.dll
c:\program files\FlashGet Network\FlashGet 3\dbghelp.dll
c:\program files\FlashGet Network\FlashGet 3\fg.ico
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\default.htm
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\FGResDetector.conf
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\banner.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\bullet.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\close.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\closelabel.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\download-icon.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\explorer.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\ftp.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\image.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\introTextBg.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\loading.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\nextlabel.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\prevlabel.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\software.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\data\images\vod.gif
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\FGResDetector.exe
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\about.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\ftplist_tree_icon.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\option_icon.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\quickop_hide.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\quickop_show.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\statusbar_bk.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\tasktab_close.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\toolbar_back.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\toolbar_bk.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\toolbar_close.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\toolbar_forward.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\image\toolbar_refresh.png
c:\program files\FlashGet Network\FlashGet 3\FGResDetector_I\lang\l.eng.xml
c:\program files\FlashGet Network\FlashGet 3\FGSoftware.exe
c:\program files\FlashGet Network\FlashGet 3\Flashget3.exe
c:\program files\FlashGet Network\FlashGet 3\FlashGet3_En.xpi
c:\program files\FlashGet Network\FlashGet 3\FlashGetBHO3.dll
c:\program files\FlashGet Network\FlashGet 3\FlashGetHook.dll
c:\program files\FlashGet Network\FlashGet 3\fnsArchive.dll
c:\program files\FlashGet Network\FlashGet 3\fnsDirectuix.dll
c:\program files\FlashGet Network\FlashGet 3\fnsLanguage.dll
c:\program files\FlashGet Network\FlashGet 3\fnslanguage_en.dll
c:\program files\FlashGet Network\FlashGet 3\fnsScheduler.dll
c:\program files\FlashGet Network\FlashGet 3\fnsSecurity.dll
c:\program files\FlashGet Network\FlashGet 3\fnsSkinX.dll
c:\program files\FlashGet Network\FlashGet 3\fnsStatistics.dll
c:\program files\FlashGet Network\FlashGet 3\game.ico
c:\program files\FlashGet Network\FlashGet 3\gb2312-unicode.dic
c:\program files\FlashGet Network\FlashGet 3\gdiplus.dll
c:\program files\FlashGet Network\FlashGet 3\GetAllUrl.htm
c:\program files\FlashGet Network\FlashGet 3\GetUrl.htm
c:\program files\FlashGet Network\FlashGet 3\GoogleToolbarInstaller_download_signed.exe
c:\program files\FlashGet Network\FlashGet 3\libem.dll
c:\program files\FlashGet Network\FlashGet 3\LICENSE.TXT
c:\program files\FlashGet Network\FlashGet 3\lst_tz.bin
c:\program files\FlashGet Network\FlashGet 3\P2PCfg.ini
c:\program files\FlashGet Network\FlashGet 3\p2pcore.dll
c:\program files\FlashGet Network\FlashGet 3\p2score.dll
c:\program files\FlashGet Network\FlashGet 3\perf.ini
c:\program files\FlashGet Network\FlashGet 3\pncrt.dll
c:\program files\FlashGet Network\FlashGet 3\pstat.dat
c:\program files\FlashGet Network\FlashGet 3\pup.dat
c:\program files\FlashGet Network\FlashGet 3\RdOldDb.dll
c:\program files\FlashGet Network\FlashGet 3\RealMediaSplitter.ax
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\BarSet.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\btn_check.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\btn_normal.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\btn_radio.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\desktoplink.ico
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\login_line.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\menu_icon.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\option_line.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\option_page_line.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\skin.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\statusbar_ad_bk_long.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\statusbar_ad_bk2.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\SuspendLogo.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\SuspendNoLogo.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_backgrand.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_cancle.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_catgroy.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_group.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_new.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_open.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_option.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_pause.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_recly.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbar_start.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbarbutton_left.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbarbutton_middle.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\toolbarbutton_right.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\top_logotitle.gif
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\torrent.ico
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\userinfo_head.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\image\VistaStyleListItems.bmp
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\preview.png
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\skin.xml
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\sound\loginfailed.wav
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\sound\loginsucc.wav
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\sound\msgnotify.wav
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\sound\notify.wav
c:\program files\FlashGet Network\FlashGet 3\skin\international\default\topmain.png
c:\program files\FlashGet Network\FlashGet 3\SnapShot.dll
c:\program files\FlashGet Network\FlashGet 3\storage.dll
c:\program files\FlashGet Network\FlashGet 3\SysOptimize.exe
c:\program files\FlashGet Network\FlashGet 3\uninst.exe
c:\program files\FlashGet Network\FlashGet 3\VodCore.dll
c:\program files\FlashGet Network\FlashGet 3\zlib.dll
c:\users\Nick\AppData\Roaming\BITS\BITS.ini
c:\users\Nick\AppData\Roaming\BITS\DHTTable.dat
c:\users\Nick\AppData\Roaming\BITS\ProxyList.ini
c:\users\Nick\AppData\Roaming\FlashGetBHO\FlashGetBHO3.dll
c:\users\Nick\AppData\Roaming\FlashGetBHO\FlashGetHook.dll
c:\users\Nick\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
c:\users\Nick\AppData\Roaming\FlashGetBHO\GetUrl.htm
c:\windows\system32\secushr.dat
c:\windows\system32\secustat.dat

.
MBR is infected with the Whistler Bootkit !!

(((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 ))))))))))))))))))))))))))))))
.

2010-07-24 20:26 . 2010-07-24 20:26 -------- d-----w- c:\users\Gast\AppData\Local\temp
2010-07-24 20:26 . 2010-07-24 20:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-24 16:53 . 2010-07-24 20:26 -------- d-----w- c:\users\Nick\AppData\Local\temp
2010-07-22 08:37 . 2010-07-22 08:37 388096 ----a-r- c:\users\Nick\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-22 08:37 . 2010-07-22 08:37 -------- d-----w- c:\program files\Trend Micro
2010-07-21 22:24 . 2009-11-25 10:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-07-21 22:24 . 2009-11-25 10:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-07-21 22:24 . 2009-11-25 10:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-07-21 22:24 . 2009-11-25 10:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-07-21 22:24 . 2009-11-25 10:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-07-21 22:19 . 2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-07-21 22:18 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-07-21 22:14 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-07-21 22:14 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-07-21 22:14 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-07-21 22:14 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-07-21 22:14 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-07-21 22:14 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-07-21 22:12 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-07-19 00:57 . 2010-07-19 00:57 -------- d-----w- c:\users\Nick\AppData\Roaming\E6A2B73AF46449D8F29CC97C08385E6E
2010-07-18 11:42 . 2010-07-18 11:42 -------- d-----w- c:\users\Nick\AppData\Local\assembly
2010-07-18 11:42 . 2010-07-18 11:42 -------- d-----w- c:\programdata\TechSmith
2010-07-18 11:42 . 2010-07-18 11:42 -------- d-----w- c:\users\Nick\AppData\Local\TechSmith
2010-07-18 11:42 . 2010-07-18 11:42 -------- d-----w- c:\program files\TechSmith
2010-07-18 11:40 . 2010-07-18 11:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-15 22:36 . 2010-07-15 22:36 -------- d-----w- c:\program files\XAMMP
2010-07-13 20:14 . 2010-07-13 20:14 -------- d-----w- c:\users\Nick\AppData\Roaming\The Creative Assembly
2010-07-13 17:09 . 2010-07-13 20:13 -------- d-----w- c:\program files\Napoleon Total War
2010-07-08 13:28 . 2010-07-08 13:28 2568656 ----a-w- c:\users\Nick\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-07-07 12:17 . 2010-07-07 12:17 -------- d-----w- c:\program files\Wizards of the Coast LLC
2010-07-06 09:55 . 2010-07-06 09:55 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-06 09:55 . 2010-07-06 09:55 -------- d-----w- c:\program files\iPod
2010-07-06 09:50 . 2010-07-06 09:50 -------- d-----w- c:\program files\Bonjour
2010-07-06 09:49 . 2010-07-06 09:49 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-07-05 12:07 . 2010-07-05 12:07 -------- d-----w- c:\programdata\Blizzard Entertainment

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-24 20:26 . 2009-12-30 00:01 -------- d-----w- c:\program files\Common Files\Akamai
2010-07-24 20:12 . 2009-12-29 23:30 188152 ----a-w- c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\8k7480nz.default\FlashGot.exe
2010-07-24 16:55 . 2010-06-16 15:27 -------- d-----w- c:\programdata\NVIDIA
2010-07-24 15:35 . 2010-06-20 21:27 -------- d-----w- c:\users\Nick\AppData\Roaming\MusicSphere
2010-07-21 22:30 . 2010-03-17 14:00 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-21 22:29 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-07-21 22:24 . 2009-12-27 14:51 -------- d-----w- c:\programdata\Microsoft Help
2010-07-21 11:31 . 2009-12-26 15:51 -------- d-----w- c:\program files\World of Warcraft
2010-07-18 17:33 . 2009-07-14 08:27 702610 ----a-w- c:\windows\system32\perfh013.dat
2010-07-18 17:33 . 2009-07-14 08:27 134366 ----a-w- c:\windows\system32\perfc013.dat
2010-07-06 09:55 . 2010-02-02 16:12 -------- d-----w- c:\program files\iTunes
2010-07-06 09:55 . 2009-12-24 17:14 -------- d-----w- c:\program files\Common Files\Apple
2010-07-06 09:52 . 2009-12-24 17:15 -------- d-----w- c:\program files\QuickTime
2010-06-28 21:18 . 2010-03-07 16:18 -------- d-----w- c:\programdata\PC Suite
2010-06-20 21:18 . 2010-06-20 21:18 -------- d-----w- c:\program files\Pioneer
2010-06-16 15:27 . 2010-06-16 15:26 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-16 15:26 . 2010-06-16 15:26 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-06-07 15:48 . 2010-06-07 15:48 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-06-07 15:48 . 2010-06-07 15:48 13917800 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-07 15:48 . 2010-06-07 15:48 1331816 ----a-w- c:\windows\system32\nvsvc.dll
2010-06-07 15:48 . 2010-06-07 15:48 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-06-07 15:48 . 2010-06-07 15:48 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-05-30 13:23 . 2010-05-30 13:19 -------- d-----w- c:\program files\YoutubeMusicDownloader
2010-05-28 15:41 . 2009-12-29 23:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 16:03 . 2010-01-23 11:20 -------- d-----w- c:\users\Nick\AppData\Roaming\LimeWire
2010-05-21 12:14 . 2009-12-24 15:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 14:35 . 2010-05-18 14:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 14:35 . 2010-05-18 14:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 14:35 . 2010-05-18 14:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-09 09:14 . 2010-07-21 22:15 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-05-09 09:14 . 2010-07-21 22:15 417792 ----a-w- c:\windows\system32\msdri.dll
2010-04-29 13:39 . 2009-12-29 23:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2009-12-29 23:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 12:00 . 2010-04-28 12:00 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-10 16:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
"Nokia FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2009-02-26 2376992]
"CamserviceOG"="c:\program files\Hercules\Deluxe Optical Glass\XtrCtrl.exe" [2009-10-19 2913576]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe" /c
"FlashGet 3"="c:\program files\FlashGet Network\FlashGet 3\Flashget3.exe" -minimize
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"

R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
R3 hxctlflt;hxctlflt;c:\windows\system32\DRIVERS\hxctlflt.sys [2009-02-09 99968]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-12-27 691696]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 Apache2.2;Apache2.2;c:\program files\XAMMP\xampp\apache\bin\httpd.exe [2009-12-19 29416]
S2 EFUploadSrv;ExtraFilm upload service;c:\program files\ExtraFilm Designer BE NL\EFUploadSrv.exe [2009-07-09 1716224]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-11-16 735960]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2009-11-16 38240]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-04-29 304464]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-06-07 240232]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2010-02-25 1047880]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-04-29 20952]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2306573394-648279368-3433534606-1001Core.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-24 16:03]

2010-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2306573394-648279368-3433534606-1001UA.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-24 16:03]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all by FlashGet3 - c:\users\Nick\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
IE: Download by FlashGet3 - c:\users\Nick\AppData\Roaming\FlashGetBHO\GetUrl.htm
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: kuaiche.com\software
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\8k7480nz.default\
FF - prefs.js: browser.startup.homepage - www.google.be
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\users\Nick\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
AddRemove-FlashGet 3.3 - c:\program files\FlashGet Network\FlashGet 3\uninst.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,e9,4c,4f,64,9a,58,40,b2,49,7b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,e9,4c,4f,64,9a,58,40,b2,49,7b,\

[HKEY_USERS\S-1-5-21-2306573394-648279368-3433534606-1001\Software\アプリケーション *ウィザードで生成されたローカル *アプリケーション]
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-07-24 22:30:54
ComboFix-quarantined-files.txt 2010-07-24 20:30

Pre-Run: 169.219.530.752 bytes free
Post-Run: 169.178.546.176 bytes free

- - End Of File - - DA1AB61CA4AC5EB007EDE368D0610F67

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:33:29, on 24/07/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Hercules\Deluxe Optical Glass\XtrCtrl.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\wuauclt.exe
C:\ComboFix\CF3212.cfxxe
C:\Windows\system32\conhost.exe
C:\ComboFix\mbr.cfxxe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 10\SnagitBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: FlashGetBHO - {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Users\Nick\AppData\Roaming\FlashGetBHO\FlashGetBHO3.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: PandoraTV Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
O4 - HKLM\..\Run: [Nokia FastStart] "C:\Program Files\Nokia\Nokia Music\NokiaMusic.exe" /command:faststart
O4 - HKLM\..\Run: [CamserviceOG] C:\Program Files\Hercules\Deluxe Optical Glass\XtrCtrl.exe /startup
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download all by FlashGet3 - C:\Users\Nick\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
O8 - Extra context menu item: Download by FlashGet3 - C:\Users\Nick\AppData\Roaming\FlashGetBHO\GetUrl.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://software.kuaiche.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - AppInit_DLLs: C:\Windows\System32\acaptuser32.dll
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\XAMMP\xampp\apache\bin\httpd.exe
O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: ExtraFilm upload service (EFUploadSrv) - Textalk AB - C:\Program Files\ExtraFilm Designer BE NL\EFUploadSrv.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: MySQL - MySQL AB - C:\Program Files\XAMMP\xampp\mysql\bin\mysqld.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

--
End of file - 7251 bytes
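The HijackThis log above contains several entry types an analyst looks at first: an O15 Trusted Zone entry for http://software.kuaiche.com, an O20 AppInit_DLLs entry, and an O2 BHO whose file is reported missing. The Python script below is an added example, not part of this thread and not HijackThis's own logic: it runs a small set of triage rules over HJT-style lines. The sample lines are copied from the log above; the rules themselves (Trusted Zone sites, AppInit_DLLs, missing files, persistent components living under user-writable paths) are heuristics chosen for this example.

```python
import re

# HijackThis "O" entry types used below and what each one hooks
HOOK_NAMES = {
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "autostart (Run key)",
    "O15": "IE Trusted Zone site",
    "O20": "AppInit_DLLs",
    "O23": "Windows service",
}

LINE_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")

# Paths an unprivileged user can write to; persistent components (BHOs,
# autostarts, services) rarely belong there. Heuristic chosen for this example.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|Users\\[^\\]+\\(Desktop|Downloads))\\", re.IGNORECASE
)
PATH_BEARING = ("O2", "O3", "O4", "O20", "O23")


def triage(log_text: str) -> list:
    """Return (code, reason, line) tuples for entries that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        code, body = m.groups()
        if code == "O15":
            # Sites in the Trusted Zone get IE's relaxed security settings
            findings.append((code, "site added to IE Trusted Zone", line))
        if code == "O20":
            # AppInit_DLLs are loaded into every process that loads user32.dll
            findings.append((code, "AppInit_DLLs injects this DLL into every user32 process", line))
        if "(file missing)" in body:
            findings.append((code, "orphaned entry, target file missing", line))
        if code in PATH_BEARING and USER_WRITABLE.search(body):
            findings.append((code, f"{HOOK_NAMES.get(code, code)} runs from a user-writable path", line))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per HijackThis entry type."""
    counts = {}
    for code, _reason, _line in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


# Sample lines copied from the HijackThis log posted above
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: FlashGetBHO - {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Users\Nick\AppData\Roaming\FlashGetBHO\FlashGetBHO3.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O15 - Trusted Zone: http://software.kuaiche.com
O20 - AppInit_DLLs: C:\Windows\System32\acaptuser32.dll
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\XAMMP\xampp\apache\bin\httpd.exe
"""

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

The rules flag hook types and locations, not verdicts: the O20 hit still has to be checked by hand (vendor, signature, hash of the DLL), and a BHO marked `(file missing)` is a clean-up item rather than an infection indicator.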
25 July 2010, 13:55   #8
Marckie
Download MBRCheck: http://ad13.geekstogo.com/MBRCheck.exe
Start the tool by double-clicking MBRCheck.exe.
When the tool finishes you get a menu. Type N to exit and then press Enter once more.
On your desktop there is a log whose name begins with MBRCheck followed by the date and time.
Post that log.
25 July 2010, 14:16   #9
Aspheros
MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size      Device Name           MBR Status
--------------------------------------------
465 GB    \\.\PhysicalDrive0    Unknown MBR code

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done! Press ENTER to exit...
25 July 2010, 14:53   #10
Marckie
Is there a recovery partition present?
25 July 2010, 15:02   #11
Aspheros
25 July 2010, 16:49   #12
Marckie
Double-click MBRCheck.exe.

Type Y for more options.
Then choose option 1 to create a dump file of the MBR.
At "Enter the physical disk number to dump" type: 0
At "Enter Filename to dump to:" type: c:\dumpfile

Zip this file: c:\dumpfile
and attach it to your next post.
25 July 2010, 18:49   #13
Aspheros
The requested dump file is attached.

Last edited by Marckie; 25 July 2010 at 19:35
25 July 2010, 19:35   #14
Marckie
The master boot record is indeed infected with a bootkit (Whistler).

You can repair this with MBRCheck.exe.
Double-click MBRCheck.exe.
Type Y for more options.
Choose option 2 to restore the MBR (with standard boot code): type 2.
At "Restore the MBR of a physical disk with a standard boot code" type: 0
Press Enter.
At "Select the MBR code to write to this drive" type: 5
(5 is the standard Windows 7 boot code)
Follow the on-screen instructions to close the tool.
Restart the computer.
Make a new log with MBRCheck.exe and post it.
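Posts #12 and #14 above have the user dump the MBR of physical disk 0 with MBRCheck, rewrite it with the standard Windows 7 boot code, and (post #17) dump it again. MBRCheck's status column reports whether the boot code matches a reference it knows ("Windows 7 MBR code detected") or not ("Unknown MBR code"). The Python script below is an added example, not part of this thread, of MBRCheck or of ComboFix: it parses a raw 512-byte MBR dump such as c:\dumpfile, hashes the boot-code region, decodes the partition table, and compares two dumps region by region, so you can see whether only the boot code changed. That is the pattern an MBR bootkit like the one diagnosed in post #14 leaves: boot code replaced, partition table intact, so the machine still boots normally. The two dumps embedded in the script are constructed test data: the boot-code bytes are placeholder patterns, not Windows 7's real boot code and not Whistler's; the partition layout is only loosely modelled on a 465 GB disk with C: and D:; and the "known good" hash set is an assumption that in practice would hold hashes of trusted reference MBRs.

```python
"""Parse and compare raw 512-byte MBR dumps (added example; not MBRCheck's own code)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440     # offsets 0..439: executable boot code
DISK_SIG_OFF = 440      # offsets 440..443: NT disk signature, 444..445 normally zero
PART_TABLE_OFF = 446    # offsets 446..509: four 16-byte partition entries
BOOT_SIG_OFF = 510      # offsets 510..511: 0x55 0xAA
PART_TYPES = {0x07: "NTFS/exFAT", 0x27: "Windows RE (hidden NTFS)", 0x0C: "FAT32 (LBA)"}


def parse_mbr(data: bytes) -> dict:
    """Split an MBR into its regions and decode the non-empty partition entries."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, sectors = struct.unpack_from(
            "<B3sB3sII", data, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "lba_start": lba,
            "sectors": sectors,
            "size_gib": round(sectors * 512 / 2**30, 2),
        })
    return {
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", data, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "active_count": sum(p["bootable"] for p in partitions),
        "signature_ok": data[BOOT_SIG_OFF:] == b"\x55\xaa",
    }


def diff_mbr(a: bytes, b: bytes) -> dict:
    """Which regions differ between two dumps (e.g. dumpfile vs dumpfile2)."""
    regions = {
        "boot_code": (0, BOOT_CODE_LEN),
        "disk_signature": (DISK_SIG_OFF, PART_TABLE_OFF),
        "partition_table": (PART_TABLE_OFF, BOOT_SIG_OFF),
        "boot_signature": (BOOT_SIG_OFF, MBR_SIZE),
    }
    return {name: a[lo:hi] != b[lo:hi] for name, (lo, hi) in regions.items()}


def classify(diff: dict) -> str:
    """One-line reading of diff_mbr() output."""
    if not any(diff.values()):
        return "identical"
    if diff["boot_code"] and not (diff["partition_table"] or diff["disk_signature"]):
        # Boot code swapped, layout untouched: the machine still boots normally,
        # which is how an MBR bootkit stays out of sight.
        return "boot code replaced, partition table intact"
    return "changed: " + ", ".join(k for k, v in diff.items() if v)


def _build_mbr(boot_code: bytes, disk_sig: int, parts: list) -> bytes:
    """Assemble a CONSTRUCTED MBR for the demo; boot_code is a placeholder pattern."""
    buf = bytearray(MBR_SIZE)
    buf[:len(boot_code)] = boot_code
    struct.pack_into("<I", buf, DISK_SIG_OFF, disk_sig)
    for i, (active, ptype, lba, sectors) in enumerate(parts):
        struct.pack_into("<B3sB3sII", buf, PART_TABLE_OFF + 16 * i,
                         0x80 if active else 0, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, sectors)
    buf[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(buf)


# Constructed layout loosely modelled on a 465 GB Windows 7 disk with C: and D:
_PARTS = [(True, 0x07, 2048, 204800),           # 100 MiB System Reserved, active
          (False, 0x07, 206848, 500000000),     # C:
          (False, 0x07, 500206848, 476000000)]  # D:
CLEAN_MBR = _build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 55, 0xDEADBEEF, _PARTS)
# Same layout and disk signature, different boot code: the "Unknown MBR code" case
INFECTED_MBR = _build_mbr(b"\xeb\x58\x90" * 146 + b"\x00\x00", 0xDEADBEEF, _PARTS)

if __name__ == "__main__":
    known_good = {parse_mbr(CLEAN_MBR)["boot_code_sha256"]}  # assumption: trusted reference hashes
    for name, dump in (("reference", CLEAN_MBR), ("suspect", INFECTED_MBR)):
        info = parse_mbr(dump)
        status = "known boot code" if info["boot_code_sha256"] in known_good else "Unknown MBR code"
        print(f"{name}: {status}; {len(info['partitions'])} partitions, {info['active_count']} active")
        for p in info["partitions"]:
            print(f"  #{p['index']} {p['type_name']:<14} LBA {p['lba_start']:>10} {p['size_gib']:>8} GiB")
    print("reference vs suspect:", classify(diff_mbr(CLEAN_MBR, INFECTED_MBR)))
```

On real dumps, read the file in binary mode and pass it to `parse_mbr` (e.g. `parse_mbr(open(r"c:\dumpfile", "rb").read())`). When comparing the dump taken before the restore with the one taken after it, a result of "identical" means the rewrite did not take effect; a changed boot code with the same partition table and disk signature is what a successful restore, or a successful infection, looks like, so the hash still has to be matched against a trusted reference.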
25 July 2010, 19:36   #15
Marckie
I have deleted the file you uploaded; we no longer need it.
25 July 2010, 21:25   #16
Aspheros
MBRCheck.exe log after following your instructions:

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size      Device Name           MBR Status
--------------------------------------------
465 GB    \\.\PhysicalDrive0    Unknown MBR code

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
25 July 2010, 21:43   #17
Marckie
Repeat these instructions, but name the file dumpfile2 this time.
http://www.nucia.eu/forum/showpost.p...8&postcount=12

Attach it to your post.
Then make a new log with ComboFix and post it.
26 July 2010, 01:00   #18
Aspheros
ComboFix 10-07-24.04 - Nick 26/07/2010 0:38.3.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.32.1043.18.3070.2138 [GMT 2:00]
Started from: c:\users\Nick\Desktop\ComboFix.exe
* New restore point was created
* Resident AV is active

.

(((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 ))))))))))))))))))))))))))))))
.

2010-07-25 22:50 . 2010-07-25 22:50 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-25 22:50 . 2010-07-25 22:50 -------- d-----w- c:\users\Gast\AppData\Local\temp
2010-07-25 22:50 . 2010-07-25 22:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-24 16:53 . 2010-07-25 22:50 -------- d-----w- c:\users\Nick\AppData\Local\temp
2010-07-22 08:37 . 2010-07-22 08:37 -------- d-----w- c:\program files\Trend Micro
2010-07-21 22:24 . 2009-11-25 10:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-07-21 22:24 . 2009-11-25 10:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-07-21 22:24 . 2009-11-25 10:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-07-21 22:24 . 2009-11-25 10:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-07-21 22:24 . 2009-11-25 10:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-07-21 22:19 . 2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-07-21 22:18 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-07-21 22:14 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-07-21 22:14 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-07-21 22:14 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-07-21 22:14 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-07-21 22:14 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-07-21 22:14 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-07-21 22:12 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-07-19 00:57 . 2010-07-19 00:57 -------- d-----w- c:\users\Nick\AppData\Roaming\E6A2B73AF46449D8F29CC97C08385E6E
2010-07-18 11:42 . 2010-07-18 11:42 -------- d-----w- c:\users\Nick\AppData\Local\assembly
2010-07-18 11:42 . 2010-07-18 11:42 -------- d-----w- c:\programdata\TechSmith
2010-07-18 11:42 . 2010-07-18 11:42 -------- d-----w- c:\users\Nick\AppData\Local\TechSmith
2010-07-18 11:42 . 2010-07-18 11:42 -------- d-----w- c:\program files\TechSmith
2010-07-18 11:40 . 2010-07-18 11:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-15 22:36 . 2010-07-15 22:36 -------- d-----w- c:\program files\XAMMP
2010-07-13 20:14 . 2010-07-13 20:14 -------- d-----w- c:\users\Nick\AppData\Roaming\The Creative Assembly
2010-07-13 17:09 . 2010-07-13 20:13 -------- d-----w- c:\program files\Napoleon Total War
2010-07-07 12:17 . 2010-07-07 12:17 -------- d-----w- c:\program files\Wizards of the Coast LLC
2010-07-06 09:55 . 2010-07-06 09:55 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-06 09:55 . 2010-07-06 09:55 -------- d-----w- c:\program files\iPod
2010-07-06 09:50 . 2010-07-06 09:50 -------- d-----w- c:\program files\Bonjour
2010-07-05 12:07 . 2010-07-05 12:07 -------- d-----w- c:\programdata\Blizzard Entertainment

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 22:50 . 2009-12-30 00:01 -------- d-----w- c:\program files\Common Files\Akamai
2010-07-25 19:22 . 2010-06-16 15:27 -------- d-----w- c:\programdata\NVIDIA
2010-07-24 20:57 . 2010-06-20 21:27 -------- d-----w- c:\users\Nick\AppData\Roaming\MusicSphere
2010-07-24 20:12 . 2009-12-29 23:30 188152 ----a-w- c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\8k7480nz.default\FlashGot.exe
2010-07-22 08:37 . 2010-07-22 08:37 388096 ----a-r- c:\users\Nick\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-21 22:30 . 2010-03-17 14:00 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-21 22:29 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-07-21 22:24 . 2009-12-27 14:51 -------- d-----w- c:\programdata\Microsoft Help
2010-07-21 11:31 . 2009-12-26 15:51 -------- d-----w- c:\program files\World of Warcraft
2010-07-18 17:33 . 2009-07-14 08:27 702610 ----a-w- c:\windows\system32\perfh013.dat
2010-07-18 17:33 . 2009-07-14 08:27 134366 ----a-w- c:\windows\system32\perfc013.dat
2010-07-08 13:28 . 2010-07-08 13:28 2568656 ----a-w- c:\users\Nick\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-07-06 09:55 . 2010-02-02 16:12 -------- d-----w- c:\program files\iTunes
2010-07-06 09:55 . 2009-12-24 17:14 -------- d-----w- c:\program files\Common Files\Apple
2010-07-06 09:52 . 2009-12-24 17:15 -------- d-----w- c:\program files\QuickTime
2010-07-06 09:49 . 2010-07-06 09:49 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-28 21:18 . 2010-03-07 16:18 -------- d-----w- c:\programdata\PC Suite
2010-06-20 21:18 . 2010-06-20 21:18 -------- d-----w- c:\program files\Pioneer
2010-06-16 15:27 . 2010-06-16 15:26 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-16 15:26 . 2010-06-16 15:26 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-06-07 15:48 . 2010-06-07 15:48 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-06-07 15:48 . 2010-06-07 15:48 13917800 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-07 15:48 . 2010-06-07 15:48 1331816 ----a-w- c:\windows\system32\nvsvc.dll
2010-06-07 15:48 . 2010-06-07 15:48 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-06-07 15:48 . 2010-06-07 15:48 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-05-30 13:23 . 2010-05-30 13:19 -------- d-----w- c:\program files\YoutubeMusicDownloader
2010-05-28 15:41 . 2009-12-29 23:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-21 12:14 . 2009-12-24 15:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 14:35 . 2010-05-18 14:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 14:35 . 2010-05-18 14:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 14:35 . 2010-05-18 14:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-09 09:14 . 2010-07-21 22:15 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-05-09 09:14 . 2010-07-21 22:15 417792 ----a-w- c:\windows\system32\msdri.dll
2010-04-29 13:39 . 2009-12-29 23:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2009-12-29 23:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 12:00 . 2010-04-28 12:00 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Registry Startup Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-10 16:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
"Nokia FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2009-02-26 2376992]
"CamserviceOG"="c:\program files\Hercules\Deluxe Optical Glass\XtrCtrl.exe" [2009-10-19 2913576]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe" /c
"FlashGet 3"="c:\program files\FlashGet Network\FlashGet 3\Flashget3.exe" -minimize
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"

R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
R3 hxctlflt;hxctlflt;c:\windows\system32\DRIVERS\hxctlflt.sys [2009-02-09 99968]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-12-27 691696]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 Apache2.2;Apache2.2;c:\program files\XAMMP\xampp\apache\bin\httpd.exe [2009-12-19 29416]
S2 EFUploadSrv;ExtraFilm upload service;c:\program files\ExtraFilm Designer BE NL\EFUploadSrv.exe [2009-07-09 1716224]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-11-16 735960]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2009-11-16 38240]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-04-29 304464]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-06-07 240232]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2010-02-25 1047880]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-04-29 20952]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2306573394-648279368-3433534606-1001Core.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-24 16:03]

2010-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2306573394-648279368-3433534606-1001UA.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-24 16:03]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all by FlashGet3 - c:\users\Nick\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
IE: Download by FlashGet3 - c:\users\Nick\AppData\Roaming\FlashGetBHO\GetUrl.htm
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: kuaiche.com\software
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\8k7480nz.default\
FF - prefs.js: browser.startup.homepage - www.google.be
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\users\Nick\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,e9,4c,4f,64,9a,58,40,b2,49,7b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,e9,4c,4f,64,9a,58,40,b2,49,7b,\

[HKEY_USERS\S-1-5-21-2306573394-648279368-3433534606-1001\Software\¢0×0ê0±0ü0·0ç0ó0 *¦0£0¶0ü0É0g0ubU0Œ0_0í0ü0«0ë0 *¢0×0ê0±0ü0·0ç0ó0]
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-07-26 00:59:00
ComboFix-quarantined-files.txt 2010-07-25 22:59
ComboFix2.txt 2010-07-24 20:30

Pre-Run: 177.034.539.008 bytes available
Post-Run: 176.514.981.888 bytes available

- - End Of File - - 42473755EDF690EC87F63394E70ED316

Last edited by Marckie; 26 July 2010 at 19:03
26 July 2010, 11:40   #19
Aspheros
Every 3 to 4 minutes I now get this alert:

After chucking some 24 files into quarantine, it seems to have stopped for now.

Last edited by Aspheros; 26 July 2010 at 12:16
26 July 2010, 19:06   #20
Marckie
The MBR is still infected.
Did you carry out the instructions in this post correctly?
http://www.nucia.eu/forum/showpost.p...4&postcount=14

In principle that should have solved your problem.
(Did you restart the computer immediately afterwards?)
26 July 2010, 19:21   #21
Aspheros
Did again what you asked in that post; looks normal to me now?

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size      Device Name           MBR Status
--------------------------------------------
465 GB    \\.\PhysicalDrive0    Windows 7 MBR code detected

Done! Press ENTER to exit...
26 July 2010, 20:04   #22
Marckie
That looks better.

Run this once more: http://www.nucia.eu/forum/showpost.p...4&postcount=14
with dumpfile3, and you may upload that one here too.

Then make a new ComboFix log and post it.
Are there any problems left?
26 July 2010, 22:51   #23
Aspheros
After the scan at startup, MBRCheck now only offers exit (Enter) as an option. Making a file dump no longer seems possible?

Everything looks normal to me now; neither ESET nor Malwarebytes gives any more alerts.

Below is the requested ComboFix log.


ComboFix 10-07-24.06 - Nick 26/07/2010 21:28:31.4.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.32.1043.18.3070.2156 [GMT 2:00]
Gestart vanuit: c:\users\Nick\Desktop\ComboFix.exe
* Aanwezig AV is actief

.

(((((((((((((((((((( Bestanden Gemaakt van 2010-06-26 to 2010-07-26 ))))))))))))))))))))))))))))))
.

2010-07-26 19:37 . 2010-07-26 19:37 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-26 19:37 . 2010-07-26 19:37 -------- d-----w- c:\users\Gast\AppData\Local\temp
2010-07-26 19:37 . 2010-07-26 19:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-24 16:53 . 2010-07-26 19:37 -------- d-----w- c:\users\Nick\AppData\Local\temp
2010-07-22 08:37 . 2010-07-22 08:37 -------- d-----w- c:\program files\Trend Micro
2010-07-21 22:24 . 2009-11-25 10:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-07-21 22:24 . 2009-11-25 10:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-07-21 22:24 . 2009-11-25 10:47 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-07-21 22:24 . 2009-11-25 10:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-07-21 22:24 . 2009-11-25 10:47 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-07-21 22:19 . 2010-02-11 07:10 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-07-21 22:18 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-07-21 22:14 . 2010-05-21 05:18 977920 ----a-w- c:\windows\system32\wininet.dll
2010-07-21 22:14 . 2010-03-05 07:42 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-07-21 22:14 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-07-21 22:14 . 2010-05-27 07:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-07-21 22:14 . 2010-05-27 03:49 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-07-21 22:14 . 2010-05-01 14:49 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-07-21 22:12 . 2010-04-23 07:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-07-19 00:57 . 2010-07-19 00:57 -------- d-----w- c:\users\Nick\AppData\Roaming\E6A2B73AF46449D8F29CC97C08385E6E
2010-07-18 11:42 . 2010-07-18 11:42 -------- d-----w- c:\users\Nick\AppData\Local\assembly
2010-07-18 11:42 . 2010-07-18 11:42 -------- d-----w- c:\programdata\TechSmith
2010-07-18 11:42 . 2010-07-18 11:42 -------- d-----w- c:\users\Nick\AppData\Local\TechSmith
2010-07-18 11:42 . 2010-07-18 11:42 -------- d-----w- c:\program files\TechSmith
2010-07-18 11:40 . 2010-07-18 11:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-15 22:36 . 2010-07-15 22:36 -------- d-----w- c:\program files\XAMMP
2010-07-13 20:14 . 2010-07-13 20:14 -------- d-----w- c:\users\Nick\AppData\Roaming\The Creative Assembly
2010-07-13 17:09 . 2010-07-13 20:13 -------- d-----w- c:\program files\Napoleon Total War
2010-07-07 12:17 . 2010-07-07 12:17 -------- d-----w- c:\program files\Wizards of the Coast LLC
2010-07-06 09:55 . 2010-07-06 09:55 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-06 09:55 . 2010-07-06 09:55 -------- d-----w- c:\program files\iPod
2010-07-06 09:50 . 2010-07-06 09:50 -------- d-----w- c:\program files\Bonjour
2010-07-05 12:07 . 2010-07-05 12:07 -------- d-----w- c:\programdata\Blizzard Entertainment

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 19:38 . 2009-12-30 00:01 -------- d-----w- c:\program files\Common Files\Akamai
2010-07-26 17:18 . 2010-06-16 15:27 -------- d-----w- c:\programdata\NVIDIA
2010-07-26 15:40 . 2010-06-20 21:27 -------- d-----w- c:\users\Nick\AppData\Roaming\MusicSphere
2010-07-24 20:12 . 2009-12-29 23:30 188152 ----a-w- c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\8k7480nz.default\FlashGot.exe
2010-07-22 08:37 . 2010-07-22 08:37 388096 ----a-r- c:\users\Nick\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-21 22:30 . 2010-03-17 14:00 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-21 22:29 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-07-21 22:24 . 2009-12-27 14:51 -------- d-----w- c:\programdata\Microsoft Help
2010-07-21 11:31 . 2009-12-26 15:51 -------- d-----w- c:\program files\World of Warcraft
2010-07-18 17:33 . 2009-07-14 08:27 702610 ----a-w- c:\windows\system32\perfh013.dat
2010-07-18 17:33 . 2009-07-14 08:27 134366 ----a-w- c:\windows\system32\perfc013.dat
2010-07-08 13:28 . 2010-07-08 13:28 2568656 ----a-w- c:\users\Nick\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-07-06 09:55 . 2010-02-02 16:12 -------- d-----w- c:\program files\iTunes
2010-07-06 09:55 . 2009-12-24 17:14 -------- d-----w- c:\program files\Common Files\Apple
2010-07-06 09:52 . 2009-12-24 17:15 -------- d-----w- c:\program files\QuickTime
2010-07-06 09:49 . 2010-07-06 09:49 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-28 21:18 . 2010-03-07 16:18 -------- d-----w- c:\programdata\PC Suite
2010-06-20 21:18 . 2010-06-20 21:18 -------- d-----w- c:\program files\Pioneer
2010-06-16 15:27 . 2010-06-16 15:26 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-16 15:26 . 2010-06-16 15:26 -------- d-----w- c:\programdata\NVIDIA Corporation
2010-06-07 15:48 . 2010-06-07 15:48 66664 ----a-w- c:\windows\system32\nvshext.dll
2010-06-07 15:48 . 2010-06-07 15:48 13917800 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-07 15:48 . 2010-06-07 15:48 1331816 ----a-w- c:\windows\system32\nvsvc.dll
2010-06-07 15:48 . 2010-06-07 15:48 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-06-07 15:48 . 2010-06-07 15:48 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-05-30 13:23 . 2010-05-30 13:19 -------- d-----w- c:\program files\YoutubeMusicDownloader
2010-05-28 15:41 . 2009-12-29 23:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-21 12:14 . 2009-12-24 15:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 14:35 . 2010-05-18 14:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 14:35 . 2010-05-18 14:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 14:35 . 2010-05-18 14:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-09 09:14 . 2010-07-21 22:15 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-05-09 09:14 . 2010-07-21 22:15 417792 ----a-w- c:\windows\system32\msdri.dll
2010-04-29 13:39 . 2009-12-29 23:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2009-12-29 23:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 12:00 . 2010-04-28 12:00 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-10 16:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
"Nokia FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2009-02-26 2376992]
"CamserviceOG"="c:\program files\Hercules\Deluxe Optical Glass\XtrCtrl.exe" [2009-10-19 2913576]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe" /c
"FlashGet 3"="c:\program files\FlashGet Network\FlashGet 3\Flashget3.exe" -minimize
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"

R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-07-26 25832]
R3 hxctlflt;hxctlflt;c:\windows\system32\DRIVERS\hxctlflt.sys [2009-02-09 99968]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-12-27 691696]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 Apache2.2;Apache2.2;c:\program files\XAMMP\xampp\apache\bin\httpd.exe [2009-12-19 29416]
S2 EFUploadSrv;ExtraFilm upload service;c:\program files\ExtraFilm Designer BE NL\EFUploadSrv.exe [2009-07-09 1716224]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-11-16 735960]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2009-11-16 38240]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-04-29 304464]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-06-07 240232]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2010-02-25 1047880]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-04-29 20952]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Inhoud van de 'Gedeelde Taken' map

2010-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2306573394-648279368-3433534606-1001Core.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-24 16:03]

2010-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2306573394-648279368-3433534606-1001UA.job
- c:\users\Nick\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-24 16:03]
.
.
------- Bijkomende Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all by FlashGet3 - c:\users\Nick\AppData\Roaming\FlashGetBHO\GetAllUrl.htm
IE: Download by FlashGet3 - c:\users\Nick\AppData\Roaming\FlashGetBHO\GetUrl.htm
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: kuaiche.com\software
FF - ProfilePath - c:\users\Nick\AppData\Roaming\Mozilla\Firefox\Profiles\8k7480nz.default\
FF - prefs.js: browser.startup.homepage - www.google.be
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\users\Nick\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,e9,4c,4f,64,9a,58,40,b2,49,7b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ad,e9,4c,4f,64,9a,58,40,b2,49,7b,\

[HKEY_USERS\S-1-5-21-2306573394-648279368-3433534606-1001\Software\¢0×0ê0±0ü0·0ç0ó0 *¦0£0¶0ü0É0g0ubU0Œ0_0í0ü0«0ë0 *¢0×0ê0±0ü0·0ç0ó0]
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Voltooingstijd: 2010-07-26 21:45:21
ComboFix-quarantined-files.txt 2010-07-26 19:45
ComboFix2.txt 2010-07-25 22:59
ComboFix3.txt 2010-07-24 20:30

Pre-Run: 177.035.051.008 bytes beschikbaar
Post-Run: 176.999.383.040 bytes beschikbaar

- - End Of File - - 24DEB7A523602D4A1563DDE49E50879A
Aspheros is offline  
Old 27 July 2010, 21:12   #24
Marckie
 
 
Desired difficulty of answers: 5. Expert
Operating system:
Windows 7 Home Premium
Antivirus: ESET / KIS
Firewall: ESET / KIS
Posts: 34,288
Marckie will be famous soon enough
That's better.
Are there still any problems?
Marckie is offline  
Old 27 July 2010, 21:36   #25
Aspheros
 
Desired difficulty of answers: 2.
Operating system:
Windows 7 Ultimate
Antivirus: NOD32 Security Suite
Firewall: NOD32 Security Suite
Posts: 41
Aspheros is on the right track
No further problems.

Thank you very much for your help!
Aspheros is offline  
Copyright ©2004 - 2010, Nucia Security / Stichting Nucia