Tencent virus/yeabest.cc/popup invasion

  • Tencent virus/yeabest.cc/popup invasion

    Hello,

    Today I wanted to download a file to study for a theory exam. However, my laptop was then flooded with pop-ups, a Chinese anti-virus program (which deactivated Microsoft Defender and Spybot) and a lot more misery (yeabest homepage hack).
    In a panic I tried to restore the computer via System Restore, also in safe mode, but without result, as System Restore could not be carried out. I could no longer get onto the internet normally, so I downloaded and ran MBAM via my partner's laptop. Luckily this was the first good hit. Then, with help from YouTube, I got that Chinese anti-virus software off, as well as yeabest from the homepage of the internet browsers.

    However, the scanners MBAM/Spybot keep finding trouble. I'm afraid my laptop is still far from 'clean'.

    Below are the logs in reply to my message (I have by now already run MBAM 3 times).

  • #2
    AdwCleaner

    # AdwCleaner v5.116 - Logbestand aangemaakt 10/05/2016 op 21:46:26
    # Laatste update 09/05/2016 door Xplode
    # Database : 2016-05-09.1 [Server]
    # Besturingssysteem : Windows 8.1 (X64)
    # Gebruikersnaam : Hester - PC-HESTER
    # Gestart vanuit : C:\Users\Hester\Downloads\adwcleaner_5.116.exe
    # Optie : Verwijderen
    # Ondersteuning : http://toolslib.net/forum

    ***** [ Services ] *****

    [-] Service verwijderd : QMUdisk
    [-] Service verwijderd : softaal
    [-] Service verwijderd : SRepairDrv
    [-] Service verwijderd : tsnethlpx64

    ***** [ Mappen ] *****

    [-] Map verwijderd : C:\ProgramData\tencent
    [-] Map verwijderd : C:\ProgramData\TXQMPC
    [-] Map verwijderd : C:\ProgramData\WindowsMsg
    [#] Map verwijderd : C:\ProgramData\Application Data\tencent
    [#] Map verwijderd : C:\ProgramData\Application Data\TXQMPC
    [#] Map verwijderd : C:\ProgramData\Application Data\WindowsMsg
    [-] Map verwijderd : C:\Program Files (x86)\Common Files\tencent
    [-] Map verwijderd : C:\Users\Hester\AppData\Local\Temp\MPC
    [-] Map verwijderd : C:\Users\Hester\AppData\Local\Temp\tencent
    [-] Map verwijderd : C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tencent
    [-] Map verwijderd : C:\Windows\SysWOW64\config\systemprofile\AppData\Local\zdengine
    [-] Map verwijderd : C:\Users\Hester\AppData\Local\Popcorn Time
    [-] Map verwijderd : C:\Users\Hester\AppData\Roaming\tencent
    [-] Map verwijderd : C:\Users\Hester\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\腾讯软件
    [-] Map verwijderd : C:\Users\Hester\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Popcorn Time
    [-] Map verwijderd : C:\Program Files\Common Files\tencent
    [-] Map verwijderd : C:\Users\Hester\AppData\Local\VirtualStore\Program Files (x86)\tencent

    ***** [ Bestanden ] *****

    [-] Bestand verwijderd : C:\ProgramData\AdbWinApi.dll
    [-] Bestand verwijderd : C:\ProgramData\AdbWinUsbApi.dll
    [#] Bestand verwijderd : C:\ProgramData\Application Data\AdbWinApi.dll
    [#] Bestand verwijderd : C:\ProgramData\Application Data\AdbWinUsbApi.dll
    [-] Bestand verwijderd : C:\Windows\SysWOW64\drivers\TS888x64.sys
    [-] Bestand verwijderd : C:\Windows\SysNative\drivers\TFsFltX64.sys

    ***** [ DLLs ] *****


    ***** [ WMI ] *****


    ***** [ Snelkoppelingen ] *****


    ***** [ Geplande taken ] *****

    [-] Taak verwijderd : runTask
    [-] Taak verwijderd : updateTask
    [-] Taak verwijderd : ttwifi
    [-] Taak verwijderd : Folasy Module

    ***** [ Register ] *****

    [-] Sleutel verwijderd : HKLM\SOFTWARE\Classes\AppID\DownloadProxy.EXE
    [-] Sleutel verwijderd : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\QQPCRTP
    [-] Sleutel verwijderd : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\QQPCRTP
    [-] Sleutel verwijderd : HKLM\SOFTWARE\Classes\metnsd
    [-] Sleutel verwijderd : HKLM\SOFTWARE\Classes\qmgcfiles
    [-] Sleutel verwijderd : HKLM\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}
    [-] Sleutel verwijderd : HKLM\SOFTWARE\Classes\CLSID\{70DE12EA-79F4-46BC-9812-86DB50A2FD64}
    [-] Sleutel verwijderd : HKLM\SOFTWARE\Classes\CLSID\{176F706B-5175-479C-A3DF-32420F6FB01A}
    [-] Sleutel verwijderd : HKLM\SOFTWARE\Classes\CLSID\{38BE2BE8-EB8E-41D1-9D94-3B1697094D47}
    [-] Sleutel verwijderd : HKLM\SOFTWARE\Classes\CLSID\{53C267B2-B01D-410F-A4DD-A32962EE55F4}
    [-] Sleutel verwijderd : HKLM\SOFTWARE\Classes\CLSID\{8804A543-42D3-4D71-9685-B0243D5526F3}
    [-] Sleutel verwijderd : HKLM\SOFTWARE\Classes\CLSID\{A0F322D5-6A13-4CAB-84CF-FABB5690618E}
    [-] Sleutel verwijderd : HKLM\SOFTWARE\Classes\CLSID\{AC3E336C-B524-47F0-9AA2-5F67AA056086}
    [-] Sleutel verwijderd : HKLM\SOFTWARE\Classes\CLSID\{C68E9BB6-3DBD-4C4B-910B-C5D84A7EBB03}
    [-] Sleutel verwijderd : HKLM\SOFTWARE\Classes\CLSID\{F577A1BA-D82D-4BB2-8430-B767285D081D}
    [-] Sleutel verwijderd : HKLM\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}
    [-] Sleutel verwijderd : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{29B6CFD5-0064-411A-8C42-9890C83F9921}
    [-] Sleutel verwijderd : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{29B6CFD5-0064-411A-8C42-9890C83F9921}
    [-] Sleutel verwijderd : HKCU\Software\Installer
    [-] Sleutel verwijderd : HKCU\Software\Microsoft\Tinstalls
    [-] Sleutel verwijderd : HKCU\Software\Tutorials
    [-] Sleutel verwijderd : HKCU\Software\osTip
    [-] Sleutel verwijderd : HKCU\Software\MICROSOFT\OTUT
    [-] Sleutel verwijderd : HKLM\SOFTWARE\SrpnFiles
    [-] Sleutel verwijderd : HKLM\SOFTWARE\{A16B1AF7-982D-40C3-B5C1-633E1A6A6678}
    [-] Sleutel verwijderd : HKLM\SOFTWARE\{E6276374-DE18-4AA5-A365-9016A2F98A2D}
    [-] Sleutel verwijderd : HKLM\SOFTWARE\Microsoft\{94ebd7b5-82ae-449t-b679-3d04078ed154}
    [-] Sleutel verwijderd : [x64] HKLM\SOFTWARE\Microsoft\{94ebd7b5-82ae-449t-b679-3d04078ed154}
    [-] Sleutel verwijderd : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cpuminer
    [-] Waarde verwijderd : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{9AFE1B56-6DD7-40AF-A11A-AA2DDB7B5ACA}]
    [-] Waarde verwijderd : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{A0C72C8B-5242-4BD1-BA19-82BAEAF3AF0F}]
    [-] Waarde verwijderd : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [apphide]
    [-] Waarde verwijderd : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Installer]
    [#] Waarde verwijderd : HKU\S-1-5-21-3659246377-308824069-1748581490-1001\Software\Microsoft\Windows\CurrentVersion\Run [Installer]
    [-] Waarde verwijderd : HKU\S-1-5-21-3659246377-308824069-1748581490-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [Installer]
    [-] Waarde verwijderd : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [osmsg]
    [#] Waarde verwijderd : HKU\S-1-5-21-3659246377-308824069-1748581490-1001\Software\Microsoft\Windows\CurrentVersion\Run [osmsg]
    [-] Waarde verwijderd : HKU\S-1-5-21-3659246377-308824069-1748581490-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [osmsg]

    ***** [ Internetbrowsers ] *****


    *************************

    :: "Tracing" sleutels verwijderd
    :: Winsock instellingen gereset

    *************************

    C:\AdwCleaner\AdwCleaner[C1].txt - [6150 bytes] - [10/05/2016 21:46:26]
    C:\AdwCleaner\AdwCleaner[S1].txt - [6249 bytes] - [10/05/2016 21:45:23]

    ########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [6296 bytes] ##########

    • #3
      (E-Peek)

      E-Peek v 1.9.9.0 ENHANCED 4 © Emphyrio/Onsia Patrick 2013-2016
      E Dev
      Run at di 10 mei 2016 22:01
      .
      Windows 8.1 (64 bits)
      C:\Windows [NTFS - Fixed]
      Default Browser: Firefox 46.0.1 (x86 nl)
      Boot mode: Normal boot
      User logged in: Hester
      .
      Java x86: n/a
      Java x64: n/a
      .
      AV : Windows Defender [Updated - Running]
      AS : Windows Defender [Updated - Running]
      AS : Spybot - Search and Destroy [Updated - Running]
      FW : Windows firewall
      .
      ==================== Files and Folders history =================================

      Folders Created Last 7 days :

      10-05-2016 ##### r-h-s-d+a- C:\Users\Hester\AppData\Roaming\Profiles
      10-05-2016 ##### r-h-s-d+a- C:\Users\Hester\AppData\Roaming\MCorp
      10-05-2016 ##### r-h-s-d+a- C:\Users\Hester\AppData\Roaming\gplyra
      10-05-2016 ##### r-h-s-d+a- C:\Users\Hester\AppData\Roaming\E Dev
      10-05-2016 ##### r-h-s-d+a- C:\Users\Hester\AppData\Local\Profiles
      10-05-2016 ##### r-h-s-d+a- C:\Users\Hester\AppData\Local\app
      10-05-2016 ##### r-h-s-d+a- C:\ProgramData\Windows Update
      10-05-2016 ##### r-h-s-d+a- C:\ProgramData\Thunder Network
      10-05-2016 ##### r-h-s-d+a- C:\ProgramData\Spybot - Search & Destroy
      10-05-2016 ##### r-h-s-d+a- C:\ProgramData\Malwarebytes
      10-05-2016 ##### r-h-s-d+a- C:\Program Files (x86)\Spybot - Search & Destroy 2
      10-05-2016 ##### r-h-s-d+a- C:\Program Files (x86)\Mozilla Maintenance Service
      10-05-2016 ##### r-h-s-d+a- C:\Program Files (x86)\Mozilla Firefox
      10-05-2016 ##### r-h-s-d+a- C:\Program Files (x86)\Malwarebytes Anti-Malware
      10-05-2016 ##### r-h-s-d+a- C:\Program Files (x86)\E Dev
      10-05-2016 ##### r-h-s-d+a- C:\AdwCleaner

      Files Modified Last 7 days :

      10-05-2016 01823174 r-h-s-d-a+ C:\Windows\system32\PerfStringBackup.INI
      10-05-2016 00806704 r-h-s-d-a+ C:\Windows\system32\perfh013.dat
      10-05-2016 00722476 r-h-s-d-a+ C:\Windows\system32\perfh009.dat
      10-05-2016 00483280 r-h-s-d-a+ C:\Windows\system32\FNTCACHE.DAT
      10-05-2016 00162170 r-h-s-d-a+ C:\Windows\system32\perfc013.dat
      10-05-2016 00135592 r-h-s-d-a+ C:\Windows\system32\perfc009.dat
      10-05-2016 00000094 r-h-s-d-a+ C:\Windows\SysWOW64\cookies

      Files Created Last 7 days :

      10-05-2016 06494208 r-h-s-d-a+ C:\Users\Hester\AppData\Roaming\agent.dat
      10-05-2016 01626777 r-h-s-d-a+ C:\Users\Hester\AppData\Roaming\Duotech.tst
      10-05-2016 01612800 r-h-s-d-a+ C:\ProgramData\360dlr.exe
      10-05-2016 01607168 r-h-s-d-a+ C:\ProgramData\conhost51500.exe
      10-05-2016 01443152 r-h-s-d-a+ C:\Users\Hester\AppData\Roaming\AutoTime_51477.exe
      10-05-2016 01253376 r-h-s-d-a+ C:\ProgramData\apptj.exe
      10-05-2016 00413439 r-h-s-d-a+ C:\ProgramData\xdo.zip
      10-05-2016 00127488 r-h-s-d-a+ C:\Users\Hester\AppData\Roaming\Installer.dat
      10-05-2016 00114176 r-h-s-d-a+ C:\ProgramData\hp.exe
      10-05-2016 00072717 r-h-s-d-a+ C:\Users\Hester\AppData\Roaming\KaySunlux.tst
      10-05-2016 00021040 r-h-s-d-a+ C:\Windows\system32\sdnclean64.exe
      10-05-2016 00018432 r-h-s-d-a+ C:\Users\Hester\AppData\Roaming\Main.dat
      10-05-2016 00005120 r-h-s-d-a+ C:\Users\Hester\AppData\Roaming\GiftBag.db
      10-05-2016 00002303 r-h-s-d-a+ C:\ProgramData\webad.xml
      10-05-2016 00000094 r-h-s-d-a+ C:\Windows\SysWOW64\cookies
      05-05-2016 00829944 r-h-s-d-a+ C:\Windows\SysWOW64\FlashPlayerApp.exe
      05-05-2016 00176632 r-h-s-d-a+ C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

      ==================== RUNNING PROCESSES =========================================

      [armsvc] -SYSTEM- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe - (Adobe Systems Incorporated)
      [audiodg] -LOCAL SERVICE- C:\Windows\System32\audiodg.exe - (audiodg.exe)
      [CAudioFilterAgent64] -Hester- C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe - (Conexant Systems, Inc.)
      [csrss] -SYSTEM- C:\Windows\System32\csrss.exe - (csrss.exe)
      [csrss] -SYSTEM- C:\Windows\System32\csrss.exe - (csrss.exe)
      [CxAudMsg64] -SYSTEM- C:\Windows\system32\CxAudMsg64.exe - (Conexant Systems Inc.)
      [dasHost] -LOCAL SERVICE- C:\Windows\system32\dashost.exe - (Microsoft Corporation)
      [dts_apo_service] -SYSTEM- C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_service.exe - ()
      [dwm] -DWM-1- C:\Windows\system32\dwm.exe - (Microsoft Corporation)
      [E_S50RPB] -SYSTEM- C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE - (SEIKO EPSON CORPORATION)
      [E-Peek 1.9.9.0] -Hester- C:\Program Files (x86)\E Dev\E-Peek\E-Peek 1.9.9.0.exe - (E Dev)
      [EvtEng] -SYSTEM- C:\Program Files\Intel\WiFi\bin\EvtEng.exe - (Intel(R) Corporation)
      [explorer] -Hester- C:\Windows\Explorer.EXE - (Microsoft Corporation)
      [firefox] -Hester- C:\Program Files (x86)\Mozilla Firefox\firefox.exe - (Mozilla Corporation)
      [GamesAppIntegrationService] -SYSTEM- C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe - (WildTangent)
      [GWX] -Hester- C:\Windows\system32\GWX\GWX.exe - (Microsoft Corporation)
      [HeciServer] -SYSTEM- C:\Program Files\Intel\iCLS Client\HeciServer.exe - (Intel(R) Corporation)
      [igfxCUIService] -SYSTEM- C:\Windows\system32\igfxCUIService.exe - (Intel Corporation)
      [igfxEM] -Hester- C:\Windows\system32\igfxEM.exe - (Intel Corporation)
      [igfxHK] -Hester- C:\Windows\system32\igfxHK.exe - (Intel Corporation)
      [igfxTray] -Hester- C:\Windows\system32\igfxTray.exe - (Intel Corporation)
      [IntelMeFWService] -SYSTEM- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe - (Intel Corporation)
      [jhi_service] -SYSTEM- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe - (Intel Corporation)
      [LMS] -SYSTEM- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe - (Intel Corporation)
      [lsass] -SYSTEM- C:\Windows\system32\lsass.exe - (Microsoft Corporation)
      [MpCmdRun] -NETWORK SERVICE- C:\Program Files\Windows Defender\MpCmdRun.exe - (Microsoft Corporation)
      [msiexec] -SYSTEM- C:\Windows\system32\msiexec.exe - (Microsoft Corporation)
      [MsMpEng] -SYSTEM- C:\Program Files\Windows Defender\MsMpEng.exe - (MsMpEng.exe)
      [NisSrv] -LOCAL SERVICE- C:\Program Files\Windows Defender\NisSrv.exe - (NisSrv.exe)
      [PresentationFontCache] -LOCAL SERVICE- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe - (Microsoft Corporation)
      [reader_sl] -Hester- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe - (Adobe Systems Incorporated)
      [RegSrvc] -SYSTEM- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe - (Intel(R) Corporation)
      [rundll32] -Hester- C:\Windows\system32\RunDll32.exe - (Microsoft Corporation)
      [SDFSSvc] -SYSTEM- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe - (Safer-Networking Ltd.)
      [SDTray] -Hester- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe - (Safer-Networking Ltd.)
      [SDUpdSvc] -SYSTEM- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe - (Safer-Networking Ltd.)
      [SDWSCSvc] -SYSTEM- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe - (Safer-Networking Ltd.)
      [SearchFilterHost] -SYSTEM- C:\Windows\system32\SearchFilterHost.exe - (Microsoft Corporation)
      [SearchIndexer] -SYSTEM- C:\Windows\system32\SearchIndexer.exe - (Microsoft Corporation)
      [SearchProtocolHost] -SYSTEM- C:\Windows\system32\SearchProtocolHost.exe - (Microsoft Corporation)
      [services] -SYSTEM- C:\Windows\System32\services.exe - (services.exe)
      [SettingSyncHost] -Hester- C:\Windows\System32\SettingSyncHost.exe - (Microsoft Corporation)
      [SkyDrive] -Hester- C:\Windows\System32\skydrive.exe - (Microsoft Corporation)
      [smss] -SYSTEM- C:\Windows\System32\smss.exe - (smss.exe)
      [spoolsv] -SYSTEM- C:\Windows\System32\spoolsv.exe - (Microsoft Corporation)
      [SpotifyWebHelper] -Hester- C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe - (Spotify Ltd)
      [SynTPEnh] -Hester- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe - (Synaptics Incorporated)
      [SynTPHelper] -Hester- C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE - (Synaptics Incorporated)
      [System] -N/A- - (System)
      [taskhostex] -Hester- C:\Windows\system32\taskhostex.exe - (Microsoft Corporation)
      [TCrdMain_Win8] -Hester- C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe - (TOSHIBA Corporation)
      [TecoResident] -Hester- C:\Program Files\TOSHIBA\Teco\TecoResident.exe - (TOSHIBA Corporation)
      [TecoService] -SYSTEM- C:\Program Files\TOSHIBA\Teco\TecoService.exe - (Toshiba Corporation)
      [TMachInfo] -SYSTEM- C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe - (TOSHIBA Corporation)
      [Toshiba.Tempro.UI.CommonNotifier] -Hester- C:\Program Files (x86)\Toshiba TEMPRO\Toshiba.Tempro.UI.CommonNotifier.exe - (Toshiba Europe GmbH)
      [ToshibaServiceStation] -Hester- C:\Program Files\TOSHIBA\Toshiba Service Station\ToshibaServiceStation.exe - (TOSHIBA Corporation)
      [TPCHSrv] -SYSTEM- C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe - (TOSHIBA Corporation)
      [TPCHWMsg] -Hester- C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe - (TOSHIBA Corporation)
      [TssSrv] -Hester- C:\Program Files (x86)\TOSHIBA\System Setting\TssSrv.exe - (TOSHIBA Corporation)
      [unsecapp] -SYSTEM- C:\Windows\system32\wbem\unsecapp.exe - (Microsoft Corporation)
      [WerFault] -SYSTEM- C:\Windows\system32\WerFault.exe - (Microsoft Corporation)
      [wininit] -SYSTEM- C:\Windows\system32\wininit.exe - (Microsoft Corporation)
      [winlogon] -SYSTEM- C:\Windows\system32\winlogon.exe - (Microsoft Corporation)
      [WmiPrvSE] -NETWORK SERVICE- C:\Windows\system32\wbem\wmiprvse.exe - (Microsoft Corporation)
      [WmiPrvSE] -SYSTEM- C:\Windows\system32\wbem\wmiprvse.exe - (Microsoft Corporation)
      [wmpnetwk] -NETWORK SERVICE- C:\Program Files\Windows Media Player\wmpnetwk.exe - (Microsoft Corporation)
      [ZeroConfigService] -SYSTEM- C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe - (Intel® Corporation)
      [zg8g6w4z] -Hester- C:\Users\Hester\Downloads\zg8g6w4z.exe - ()

      ==================== IE PAGES ==================================================

      HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main
      Local Page = C:\Windows\SysWOW64\blank.htm
      Default_Page_URL = hxxp://go.microsoft.com/fwlink/p/?LinkId=255141
      Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
      Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896

      HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes
      DefaultScope = {8A9A969B-9A2A-4140-9C58-F4FD18F48A08}

      HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{8A9A969B-9A2A-4140-9C58-F4FD18F48A08}
      DisplayName = Bing
      URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=TEJB

      ==================== IE PAGES x64 ==============================================

      HKLM\Software\Microsoft\Internet Explorer\Main
      Start Page = hxxp://go.microsoft.com/fwlink/p/?LinkId=255141
      Local Page = C:\Windows\System32\blank.htm
      Default_Page_URL = hxxp://go.microsoft.com/fwlink/p/?LinkId=255141
      Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
      Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896

      HKLM\Software\Microsoft\Internet Explorer\SearchScopes
      DefaultScope = {8A9A969B-9A2A-4140-9C58-F4FD18F48A08}

      HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{8A9A969B-9A2A-4140-9C58-F4FD18F48A08}
      DisplayName = Bing
      URL = hxxp://www.bing.com/search?q={searchTerms}&form=IE11TR&src=IE11TR&pc=TEJB

      ==================== Auto Load =================================================

      HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
      Userinit = userinit.exe,
      Shell = explorer.exe

      ==================== Auto Load x64 =============================================

      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
      Userinit = userinit.exe,
      Shell = explorer.exe

      ==================== Browsers present ==========================================

      FIREFOX.EXE
      Google Chrome
      IEXPLORE.EXE

      ==================== Firefox ===================================================

      FF - ProfilePath - C:\Users\Hester\AppData\Roaming\Mozilla\firefox\Profiles\hgqos12l.default-1462879239763

      FF - Ext: [Multi-process staged rollout 1.0 ] - extension - [email protected] [ visible: True # active: True]
      FF - Ext: [Pocket 1.0 ] - extension - [email protected] [ visible: True # active: True]
      FF - Ext: [Firefox Hello 1.2.6 ] - extension - [email protected] [ visible: True # active: True]
      FF - Ext: [Default 46.0.1 ] - theme - {972ce4c6-7e08-4474-a285-3208198ce6fd} [ visible: True # active: True]

      FF - PlugIn: [Adobe® Flash® Player 21.0.0.213 Plugin] - C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_213.dll
      FF - PlugIn: [Ag Player] - c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll
      FF - PlugIn: [Office Authorization] - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL

      FF - prefs.js: user_pref("browser.startup.homepage", "hxxp://www.google.nl/");

      ==================== Google Chrome =============================================

      ==================== Windows Host File =========================================

      Number of lines exceeds 10

      127.0.0.1 down.baidu2016.com
      127.0.0.1 123.sogou.com
      127.0.0.1 www.czzsyzgm.com
      127.0.0.1 www.czzsyzxl.com

      ==================== BHO =======================================================

      HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects
      {72853161-30C5-4D22-B7F9-0BBC1D38A37E}
      HKCR\CLSID\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} Default = Groove GFS Browser Helper
      => HKCR\CLSID\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\InProcServer32 Default = C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

      {92EF2EAD-A7CE-4424-B0DB-499CF856608E}
      HKCR\CLSID\{92EF2EAD-A7CE-4424-B0DB-499CF856608E} Default = Evernote extension
      => HKCR\CLSID\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\InProcServer32 Default = C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll

      {B4F3A835-0E21-4959-BA22-42B3008E02FF}
      HKCR\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF} Default = Office Document Cache Handler
      => HKCR\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\InProcServer32 Default = C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

      ==================== BHO x64 ===================================================

      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects
      {72853161-30C5-4D22-B7F9-0BBC1D38A37E}
      HKCR\CLSID\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} Default = Groove GFS Browser Helper
      => HKCR\CLSID\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\InProcServer32 Default = C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL

      {B4F3A835-0E21-4959-BA22-42B3008E02FF}
      HKCR\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF} Default = Office Document Cache Handler
      => HKCR\CLSID\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\InProcServer32 Default = C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL

      ==================== Auto Start Programs =======================================

      HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
      BCSSync = "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
      SDTray = "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
      tasklist = c:\users\hester\appdata\roaming\tasklist
      TSVU = "c:\Program Files\TOSHIBA\TOSHIBA Smart View Utility\TosSmartViewLauncher.exe"

      HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
      msiql = c:\programdata\msiql.exe /RUNNING
      Spotify Web Helper = "C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe"

      ==================== Auto Start Programs x64 ===================================

      HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
      cAudioFilterAgent = C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe
      SmartAudio = "C:\Program Files\CONEXANT\SAII\SACpl.exe" /t
      TCrdMain = C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe
      TecoResident = C:\Program Files\TOSHIBA\Teco\TecoResident.exe
      TosWaitSrv = C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe
      TSSSrv = C:\Program Files (x86)\TOSHIBA\System Setting\TSSSrv.exe

      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved [2 = enabled 3= disabled]
      = 4
      cAudioFilterAgent = 2
      cpuminer = 2
      SmartAudio = 2
      TCrdMain = 2
      TecoResident = 2
      TosWaitSrv = 2
      TSSSrv = 2
      WINCOMO36 = 2
      QQPCTray = 3
      apphide = 2
      BCSSync = 2
      sun21 = 2
      tasklist = 2
      TSVU = 2
      B1.BAT = 4

      HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      msiql = c:\programdata\msiql.exe /RUNNING
      Spotify Web Helper = "C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe"

      ==================== Extra Items IE ============================================

      HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions
      Tools - {A95fe080-8f5d-11d2-a20b-00aa003c157a} Script = C:\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html
      HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCELERATED_GRAPHICS @ Text = Accelerated graphics
      HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY @ Text = Accessibility
      HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE @ Text = Browsing
      HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO @ Text = Security
      HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\HTTP @ Text = HTTP settings
      HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL @ Text = International
      HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA @ Text = Multimedia

      ==================== Extra Items IE x64 ========================================

      HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
      Tools - {A95fe080-8f5d-11d2-a20b-00aa003c157a} Script = C:\Program Files (x86)\Evernote\Evernote\EvernoteIERes\AddNote.html
      HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\ACCELERATED_GRAPHICS @ Text = Accelerated graphics
      HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY @ Text = Accessibility
      HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE @ Text = Browsing
      HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO @ Text = Security
      HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\HTTP @ Text = HTTP settings
      HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL @ Text = International
      HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA @ Text = Multimedia

      ==================== Internet Default Prefix ===================================

      HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
      Default = http://

      HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\URL\Prefixes
      WWW = http://

      ==================== Internet Default Prefix x64 ===============================

      HKLM\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
      Default = http://

      HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes
      WWW = http://

      ==================== ShellServiceObjectDelayLoad ===============================

      HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
      WebCheck = {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
      => HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} [CLSID not present]


      ==================== ShellServiceObjectDelayLoad x64 =========================

      HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
      WebCheck = {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
      => HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED} [CLSID not present]


      ==================== Extra (Torpig/ConduitSearch) ==============================

      HKCR\Directory\shellex\CopyHookHandlers\FileSystem @ Default = {217FC9C0-3AEA-1069-A2DB-08002B30309D}
      => HKCR\CLSID\{217FC9C0-3AEA-1069-A2DB-08002B30309D}\InProcServer32 @ Default = C:\Windows\system32\shell32.dll

      HKCR\Directory\shellex\CopyHookHandlers\Sharing @ Default = {40dd6e20-7c17-11ce-a804-00aa003ca9f6}
      => HKCR\CLSID\{40dd6e20-7c17-11ce-a804-00aa003ca9f6}\InProcServer32 @ Default = C:\Windows\system32\ntshrui.dll


      ==================== DRIVERS and SERVICES ======================================

      *** Win32OwnProcess ***

      SERV - R2 - [AdobeARMservice] - Adobe Acrobat Update Service - c:\program files (x86)\common files\adobe\arm\1.0\armsvc.exe
      SERV - R2 - [CxAudMsg] - Conexant Audio Message Service - c:\windows\system32\cxaudmsg64.exe
      SERV - R2 - [EPSON_PM_RPCV4_04] - EPSON V3 Service4(04) - c:\program files\common files\epson\epw!3 ssrp\e_s50rpb.exe
      SERV - R2 - [EvtEng] - Intel(R) PROSet/Wireless Event Log - c:\program files\intel\wifi\bin\evteng.exe
      SERV - R2 - [GamesAppIntegrationService] - GamesAppIntegrationService - c:\program files (x86)\wildtangent games\app\gamesappintegrationservice.exe
      SERV - R2 - [igfxCUIService1.0.0.0] - Intel(R) HD Graphics Control Panel Service - c:\windows\system32\igfxcuiservice.exe
      SERV - R2 - [Intel(R) Capability Licensing Service Interface] - Intel(R) Capability Licensing Service Interface - c:\program files\intel\icls client\heciserver.exe
      SERV - R2 - [Intel(R) ME Service] - Intel(R) ME Service - c:\program files (x86)\intel\intel(r) management engine components\fwservice\intelmefwservice.exe
      SERV - R2 - [jhi_service] - Intel(R) Dynamic Application Loader Host Interface Service - c:\program files (x86)\intel\intel(r) management engine components\dal\jhi_service.exe
      SERV - R2 - [LMS] - Intel(R) Management and Security Application Local Management Service - c:\program files (x86)\intel\intel(r) management engine components\lms\lms.exe
      SERV - R2 - [RegSrvc] - Intel(R) PROSet/Wireless Registry Service - c:\program files\common files\intel\wirelesscommon\regsrvc.exe
      SERV - R2 - [SDScannerService] - Spybot-S&D 2 Scanner Service - c:\program files (x86)\spybot - search & destroy 2\sdfssvc.exe
      SERV - R2 - [SDUpdateService] - Spybot-S&D 2 Updating Service - c:\program files (x86)\spybot - search & destroy 2\sdupdsvc.exe
      SERV - R2 - [SDWSCService] - Spybot-S&D 2 Security Center Service - c:\program files (x86)\spybot - search & destroy 2\sdwscsvc.exe
      SERV - R2 - [TOSHIBA eco Utility Service] - TOSHIBA eco Utility Service - c:\program files\toshiba\teco\tecoservice.exe
      SERV - R2 - [WinDefend] - Windows Defender Service - c:\program files\windows defender\msmpeng.exe
      SERV - R2 - [WMPNetworkSvc] - Windows Media Player Network Sharing Service - c:\program files\windows media player\wmpnetwk.exe
      SERV - R2 - [WSearch] - Windows Search - c:\windows\system32\searchindexer.exe
      SERV - R2 - [ZeroConfigService] - Intel(R) PROSet/Wireless Zero Configuration Service - c:\program files\intel\wifi\bin\zeroconfigservice.exe
      SERV - R3 - [dts_apo_service] - DTS APO Service - c:\program files (x86)\dts, inc\dts studio sound\dts_apo_service.exe
      SERV - R3 - [FontCache3.0.0.0] - Windows Presentation Foundation Font Cache 3.0.0.0 - c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe
      SERV - R3 - [msiserver] - Windows Installer - c:\windows\system32\msiexec.exe
      SERV - R3 - [TMachInfo] - TMachInfo - c:\program files\toshiba\toshiba service station\tmachinfo.exe
      SERV - R3 - [TPCHSrv] - TPCH Service - c:\program files\toshiba\tphm\tpchsrv.exe
      SERV - R3 - [WdNisSvc] - Windows Defender Network Inspection Service - c:\program files\windows defender\nissrv.exe
      SERV - S2 - [gupdate] - Google Update Service (gupdate) - c:\program files (x86)\google\update\googleupdate.exe
      SERV - S2 - [SkypeUpdate] - Skype Updater - c:\program files (x86)\skype\updater\updater.exe
      SERV - S2 - [sppsvc] - Software Protection - c:\windows\system32\sppsvc.exe
      SERV - S3 - [ALG] - Application Layer Gateway Service - c:\windows\system32\alg.exe
      SERV - S3 - [COMSysApp] - COM+ System Application - c:\windows\system32\dllhost.exe
      SERV - S3 - [cphs] - Intel(R) Content Protection HECI Service - c:\windows\syswow64\intelcphecisvc.exe
      SERV - S3 - [Fax] - Fax - c:\windows\system32\fxssvc.exe
      SERV - S3 - [GamesAppService] - GamesAppService - c:\program files (x86)\wildtangent games\app\gamesappservice.exe
      SERV - S3 - [gupdatem] - Google Update Service (gupdatem) - c:\program files (x86)\google\update\googleupdate.exe
      SERV - S3 - [IEEtwCollectorService] - Internet Explorer ETW Collector Service - c:\windows\system32\ieetwcollector.exe
      SERV - S3 - [Intel(R) Capability Licensing Service TCP IP Interface] - Intel(R) Capability Licensing Service TCP IP Interface - c:\program files\intel\icls client\socketheciserver.exe
      SERV - S3 - [Microsoft SharePoint Workspace Audit Service] - Microsoft SharePoint Workspace Audit Service - c:\program files (x86)\microsoft office\office14\groove.exe
      SERV - S3 - [MozillaMaintenance] - Mozilla Maintenance Service - c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
      SERV - S3 - [MSDTC] - Distributed Transaction Coordinator - c:\windows\system32\msdtc.exe
      SERV - S3 - [MyWiFiDHCPDNS] - Wireless PAN DHCP Server - c:\program files\intel\wifi\bin\pandhcpdns.exe
      SERV - S3 - [ose] - Office Source Engine - c:\program files (x86)\common files\microsoft shared\source engine\ose.exe
      SERV - S3 - [osppsvc] - Office Software Protection Platform - c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe
      SERV - S3 - [PerfHost] - Performance Counter DLL Host - c:\windows\syswow64\perfhost.exe
      SERV - S3 - [RpcLocator] - Remote Procedure Call (RPC) Locator - c:\windows\system32\locator.exe
      SERV - S3 - [SNMPTRAP] - SNMP Trap - c:\windows\system32\snmptrap.exe
      SERV - S3 - [TemproMonitoringService] - TEMPRO Service - c:\program files (x86)\toshiba tempro\temprosvc.exe
      SERV - S3 - [TrustedInstaller] - Windows Modules Installer - c:\windows\servicing\trustedinstaller.exe
      SERV - S3 - [vds] - Virtual Disk - c:\windows\system32\vds.exe
      SERV - S3 - [VSS] - Volume Shadow Copy - c:\windows\system32\vssvc.exe
      SERV - S3 - [wbengine] - Block Level Backup Engine Service - c:\windows\system32\wbengine.exe
      SERV - S3 - [wmiApSrv] - WMI Performance Adapter - c:\windows\system32\wbem\wmiapsrv.exe

      *** Win32ShareProcess ***

      SERV - R2 - [SamSs] - Security Accounts Manager - c:\windows\system32\lsass.exe
      SERV - S3 - [EFS] - Encrypting File System (EFS) - c:\windows\system32\lsass.exe
      SERV - S3 - [KeyIso] - CNG Key Isolation - c:\windows\system32\lsass.exe
      SERV - S3 - [Netlogon] - Netlogon - c:\windows\system32\lsass.exe
      SERV - S3 - [VaultSvc] - Credential Manager - c:\windows\system32\lsass.exe
      SERV - S4 - [NetTcpPortSharing] - Net.Tcp Port Sharing Service - c:\windows\microsoft.net\framework64\v4.0.30319\smsvchost.exe

      *** Others ***

      SERV - R2 - [Spooler] - Print Spooler - c:\windows\system32\spoolsv.exe
      SERV - S2 - [flsmdlSrv] - Folasy Module - c:\program files (x86)\folasy\flsmdlsrv.exe [x]
      SERV - S3 - [UI0Detect] - Interactive Services Detection - c:\windows\system32\ui0detect.exe

      *** File System Driver ***

      DRV - R0 - [FileInfo] - File Information FS MiniFilter - C:\Windows\system32\Drivers\FileInfo.sys
      DRV - R0 - [FltMgr] - FltMgr - C:\Windows\system32\Drivers\FltMgr.sys
      DRV - R0 - [Mup] - Mup - C:\Windows\system32\Drivers\Mup.sys
      DRV - R0 - [WdFilter] - Windows Defender Mini-Filter Driver - C:\Windows\system32\Drivers\WdFilter.sys
      DRV - R0 - [Wof] - Windows Overlay File System Filter Driver - C:\Windows\system32\Drivers\Wof.sys
      DRV - R1 - [NetBIOS] - NetBIOS Interface - C:\Windows\system32\Drivers\NetBIOS.sys
      DRV - R2 - [srv] - Server SMB 1.xxx Driver - C:\Windows\system32\Drivers\srv.sys
      DRV - R3 - [srv2] - Server SMB 2.xxx Driver - C:\Windows\system32\Drivers\srv2.sys

      *** Kernel Driver ***

      DRV - R0 - [ACPI] - Microsoft ACPI-stuurprogramma - C:\Windows\system32\Drivers\ACPI.sys
      DRV - R0 - [acpiex] - Microsoft ACPIEx Driver - C:\Windows\system32\Drivers\acpiex.sys
      DRV - R0 - [CLFS] - Common Log (CLFS) - C:\Windows\system32\Drivers\CLFS.sys
      DRV - R0 - [CNG] - CNG - C:\Windows\system32\Drivers\CNG.sys
      DRV - R0 - [disk] - Stuurprogramma voor schijfstations - C:\Windows\system32\Drivers\disk.sys
      DRV - R0 - [EhStorClass] - Enhanced Storage Filter Driver - C:\Windows\system32\Drivers\EhStorClass.sys
      DRV - R0 - [fvevol] - BitLocker Drive Encryption Filter Driver - C:\Windows\system32\Drivers\fvevol.sys
      DRV - R0 - [iaStorA] - iaStorA - C:\Windows\system32\Drivers\iaStorA.sys
      DRV - R0 - [intelpep] - Stuurprogramma voor Intel(R) Power Engine-invoegtoepassing - C:\Windows\system32\Drivers\intelpep.sys
      DRV - R0 - [KSecDD] - KSecDD - C:\Windows\system32\Drivers\KSecDD.sys
      DRV - R0 - [KSecPkg] - KSecPkg - C:\Windows\system32\Drivers\KSecPkg.sys
      DRV - R0 - [mountmgr] - Mount Point Manager - C:\Windows\system32\Drivers\mountmgr.sys
      DRV - R0 - [msisadrv] - msisadrv - C:\Windows\system32\Drivers\msisadrv.sys
      DRV - R0 - [NDIS] - NDIS System Driver - C:\Windows\system32\Drivers\NDIS.sys
      DRV - R0 - [partmgr] - Partition Manager - C:\Windows\system32\Drivers\partmgr.sys
      DRV - R0 - [pci] - PCI Bus-stuurprogramma - C:\Windows\system32\Drivers\pci.sys
      DRV - R0 - [pcw] - Performance Counters for Windows Driver - C:\Windows\system32\Drivers\pcw.sys
      DRV - R0 - [pdc] - pdc - C:\Windows\system32\Drivers\pdc.sys
      DRV - R0 - [rdyboost] - ReadyBoost - C:\Windows\system32\Drivers\rdyboost.sys
      DRV - R0 - [spaceport] - Stuurprogramma voor opslagruimten - C:\Windows\system32\Drivers\spaceport.sys
      DRV - R0 - [Tcpip] - Stuurprogramma voor TCP/IP-protocol - C:\Windows\system32\Drivers\Tcpip.sys
      DRV - R0 - [TVALZ] - TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Driver - C:\Windows\system32\Drivers\TVALZ.sys [x]
      DRV - R0 - [TVALZFL] - TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver - C:\Windows\system32\Drivers\TVALZFL.sys
      DRV - R0 - [vdrvroot] - Microsoft Virtual Drive Enumerator - C:\Windows\system32\Drivers\vdrvroot.sys
      DRV - R0 - [volmgr] - Stuurprogramma voor Volumebeheer - C:\Windows\system32\Drivers\volmgr.sys
      DRV - R0 - [volmgrx] - Dynamic Volume Manager - C:\Windows\system32\Drivers\volmgrx.sys
      DRV - R0 - [volsnap] - Opslagvolumes - C:\Windows\system32\Drivers\volsnap.sys
      DRV - R0 - [Wdf01000] - Kernel Mode Driver Frameworks service - C:\Windows\system32\Drivers\Wdf01000.sys
      DRV - R0 - [WFPLWFS] - Microsoft Windows Filtering Platform - C:\Windows\system32\Drivers\WFPLWFS.sys
      DRV - R1 - [AFD] - Ancillary Function Driver for Winsock - C:\Windows\system32\Drivers\AFD.sys
      DRV - R1 - [Beep] - Beep - C:\Windows\system32\Drivers\Beep.sys
      DRV - R1 - [tdx] - Stuurprogramma voor ondersteuning van NetIO Legacy TDI - C:\Windows\system32\Drivers\tdx.sys
      DRV - R2 - [tcpipreg] - TCP/IP Registry Compatibility - C:\Windows\system32\Drivers\tcpipreg.sys
      DRV - S0 - [hwpolicy] - Hardware Policy Driver - C:\Windows\system32\Drivers\hwpolicy.sys
      DRV - S0 - [WdBoot] - Windows Defender Boot Driver - C:\Windows\system32\Drivers\WdBoot.sys
      DRV - S3 - [atapi] - IDE-kanaal - C:\Windows\system32\Drivers\atapi.sys

      ==================== SvcHost - White Listed ====================================

      WOW x64 - All Ok

      ==================== SvcHost x64 - White Listed ================================

      All Ok

      ==================== SigCheck x86 Fast =========================================

      ==================== Job tasks at C:\Windows\Tasks =============================

      C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 1080 bytes [ 6-9-2014 00:26:23 ]

      C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 1084 bytes [ 6-9-2014 00:26:24 ]

      C:\Windows\Tasks\SA.DAT 6 bytes [ 22-8-2013 16:45:54 ]


      ==================== Job tasks at C:\Windows\system32\Tasks ====================

      C:\Windows\system32\Tasks\Adobe Acrobat Update Task 3886 bytes [ 12-8-2015 09:50:17 ]
      => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

      C:\Windows\system32\Tasks\dts_apo_service_task 3068 bytes [ 6-10-2014 02:32:03 ]
      => C:\Program Files (x86)\DTS, Inc\DTS Studio Sound\dts_apo_task.exe

      C:\Windows\system32\Tasks\GoogleUpdateTaskMachineCore 3820 bytes [ 6-9-2014 00:26:23 ]
      => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

      C:\Windows\system32\Tasks\GoogleUpdateTaskMachineUA 4056 bytes [ 6-9-2014 00:26:24 ]
      => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

      C:\Windows\system32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1183942981-852300617-1390488555-500 3594 bytes [ 5-9-2014 23:17:05 ]

      C:\Windows\system32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3659246377-308824069-1748581490-1001 3596 bytes [ 31-5-2015 12:31:58 ]

      C:\Windows\system32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3659246377-308824069-1748581490-500 3596 bytes [ 6-10-2014 02:17:08 ]

      C:\Windows\system32\Tasks\Resolution+ Setting Task 3128 bytes [ 6-10-2014 02:53:09 ]
      => C:\Program Files\Toshiba\TOSHIBA Smart View Utility\Plugins\ResolutionPlus\TosRegPermissionChg.exe

      C:\Windows\system32\Tasks\Synaptics TouchPad Enhancements 2990 bytes [ 6-10-2014 02:32:29 ]
      => "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

      C:\Windows\system32\Tasks\User_Feed_Synchronization-{1917C6C7-2F37-4888-BCE2-06078D2493CA} 3966 bytes [ 31-5-2015 12:33:14 ]
      => C:\Windows\system32\msfeedssync.exe


      ==================== Job tasks at C:\Windows\SysWOW64\Tasks ====================

      There are no .job files found.

      ==================== End scanning at di 10 mei 2016 22:01 (0 Min 9 Sec ) =======



      • #4
        Gmer

        GMER 2.2.19882 - http://www.gmer.net
        Rootkit scan 2016-05-10 21:55:37
        Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002f HGST_HTS541075A9E680 rev.JA2OA700 698,64GB
        Running: zg8g6w4z.exe; Driver: C:\Users\Hester\AppData\Local\Temp\kwtcipob.sys


        ---- Disk sectors - GMER 2.2 ----

        Disk \Device\Harddisk0\DR0 unknown MBR code

        ---- Threads - GMER 2.2 ----

        Thread C:\Windows\system32\csrss.exe [560:584] fffff9600092e2d0

        ---- EOF - GMER 2.2 ----



        • #5
          MBAM 1, 2 and 3 as attachments

          Sorry, I didn't know you could add an attachment.... That's why the order isn't quite right.


          MBAM log 10062016.1.txt
          MBAM log 10052016.2.txt
          MBAM log 10052016.3.txt
          Last edited by Hestertje; 10-05-16, 21:49.



          • #6
            First disable the antivirus software before you download or run zoek.exe.
            Temporarily disable your antivirus and antispyware programs, as they can interfere with the operation of Zoek.exe.
            (Here and here) you can read how to do that.

            And download Zoek.exe to the desktop.
            (Click here for more information on how to use zoek.exe.)
            • If Internet Explorer or another browser or virus scanner reports that this file is unsafe, you can ignore that; it is a false warning.
            • Then double-click Zoek.exe to start the tool.
            • Windows Vista, 7 and 8 users must run the tool as "administrator" by right-clicking it and choosing Run as Administrator.
            • Now copy the code below and paste it into the large input window:
            • Note: This script is specifically intended for this computer, so do not use it on other computers with a similar problem.
              Code:
              emptyfolderscheck;delete
              firefoxlook; 
              Chromelook; 
              Tencent;fs
              autoclean; 
              iedefaults;
            • Now click the "Run script" button.
            • Wait patiently until a log opens (this may be after a restart if one is required).
            • If no log appears, start zoek.exe again and click the zoek-results.log button; the log will then appear.
            • Post the opened log in your next message as an attachment.

            Start Windows 10 in Safe Mode



            • #7
              I hope this is the right log (I turned off the internet during the run).
              zoek exe log.txt



              • #8
                Not quite, you didn't use the code.



                • #9
                  zoek exe log.txt

                  I hope it works now. On the C drive I also find a log with the following text:


                  Zoek.exe v5.0.0.1 Updated 31-December-2015
                  Tool run by Hester on vr 13-05-2016 at 17:13:08,78.
                  Microsoft Windows 8.1 6.3.9600 x64
                  Running in: Normal Mode Internet Access Detected
                  Launched: C:\Users\Hester\Downloads\zoek.exe [Scan all users] [Script inserted]

                  ==== Older Logs ======================

                  C:\zoek-results2016-05-12-183600.log 5507 bytes

                  ==== Deleting CLSID Registry Keys ======================


                  ==== Deleting CLSID Registry Values ======================


                  ==== Deleting Services ======================


                  ==== Deleting Files \ Folders ======================

                  C:\Users\Hester\AppData\Roaming\GiftBag.db deleted
                  C:\Users\Public\Documents\dmp deleted

                  ==== Firefox Start and Search pages ======================

                  ProfilePath: C:\Users\Hester\AppData\Roaming\Profiles\41A66E7E5EE1
                  user_pref("browser.startup.homepage", "http://google.nl/");
                  user_pref("browser.search.defaultenginename", "hohosearch");
                  user_pref("browser.search.defaultenginename.US", "data:text/plain,browser.search.defaultenginename.US=hohosearch");
                  user_pref("browser.search.selectedEngine", "hohosearch");

                  ProfilePath: C:\Users\Hester\AppData\Roaming\Mozilla\Firefox\Profiles\hgqos12l.default-1462879239763
                  user_pref("browser.startup.homepage", "http://www.google.nl/");



                  • #10
                    Unfortunately, this is only part of the log.



                    • #11
                      Then I don't quite understand what I'm doing wrong. I have now taken a screenshot of the run (after pasting the code into the window and pressing Run script).

                      It then ran from 21:04 to 23:01. No log appears on screen, not even when I start up, and I don't see the zoek log button in the menu.

                      Again, this is what I do find on the C drive as a text file 'zoek-results':


                      Zoek.exe v5.0.0.1 Updated 31-December-2015
                      Tool run by Hester on za 14-05-2016 at 21:04:49,05.
                      Microsoft Windows 8.1 6.3.9600 x64
                      Running in: Normal Mode Internet Access Detected
                      Launched: C:\Users\Hester\Downloads\zoek.exe [Scan all users] [Script inserted]

                      ==== Older Logs ======================

                      C:\zoek-results2016-05-12-183600.log 5507 bytes
                      C:\zoek-results2016-05-13-152313.log 1287 bytes

                      ==== Deleting CLSID Registry Keys ======================


                      ==== Deleting CLSID Registry Values ======================


                      ==== Deleting Services ======================


                      ==== Deleting Files \ Folders ======================


                      ==== Firefox Start and Search pages ======================

                      ProfilePath: C:\Users\Hester\AppData\Roaming\Profiles\41A66E7E5EE1
                      user_pref("browser.startup.homepage", "http://google.nl/");
                      user_pref("browser.search.defaultenginename", "hohosearch");
                      user_pref("browser.search.defaultenginename.US", "data:text/plain,browser.search.defaultenginename.US=hohosearch");
                      user_pref("browser.search.selectedEngine", "hohosearch");

                      ProfilePath: C:\Users\Hester\AppData\Roaming\Mozilla\Firefox\Profiles\hgqos12l.default-1462879239763
                      user_pref("browser.startup.homepage", "http://www.google.nl/");


                      • #12
                        Correction: I did find the 'zoek log' button, and it shows the same as what I find in the text file on the C drive:


                        Zoek.exe v5.0.0.1 Updated 31-December-2015
                        Tool run by Hester on za 14-05-2016 at 21:04:49,05.
                        Microsoft Windows 8.1 6.3.9600 x64
                        Running in: Normal Mode Internet Access Detected
                        Launched: C:\Users\Hester\Downloads\zoek.exe [Scan all users] [Script inserted]

                        ==== Older Logs ======================

                        C:\zoek-results2016-05-12-183600.log 5507 bytes
                        C:\zoek-results2016-05-13-152313.log 1287 bytes

                        ==== Deleting CLSID Registry Keys ======================


                        ==== Deleting CLSID Registry Values ======================


                        ==== Deleting Services ======================


                        ==== Deleting Files \ Folders ======================


                        ==== Firefox Start and Search pages ======================

                        ProfilePath: C:\Users\Hester\AppData\Roaming\Profiles\41A66E7E5EE1
                        user_pref("browser.startup.homepage", "http://google.nl/");
                        user_pref("browser.search.defaultenginename", "hohosearch");
                        user_pref("browser.search.defaultenginename.US", "data:text/plain,browser.search.defaultenginename.US=hohosearch");
                        user_pref("browser.search.selectedEngine", "hohosearch");

                        ProfilePath: C:\Users\Hester\AppData\Roaming\Mozilla\Firefox\Profiles\hgqos12l.default-1462879239763
                        user_pref("browser.startup.homepage", "http://www.google.nl/");

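The "Firefox Start and Search pages" section of the zoek logs in posts #9, #11 and #12 shows the homepage back on google.nl while the default search engine is still set to hohosearch, which is why the scanners keep finding leftovers. As an added example (not part of this thread or of zoek.exe), the Python below parses that section, flags search-engine prefs that are not on an allow-list, and lists profile paths outside the usual Mozilla\Firefox\Profiles folder; the allow-list ("Google") and the embedded sample text are constructed here.

```python
# Added example, not from the thread or from zoek.exe: parse the
# "Firefox Start and Search pages" section of a zoek.exe log and flag
# search-engine prefs that point at anything other than the engines the
# machine's owner expects. Allow-list and sample text are constructed.
import re
from dataclasses import dataclass, field

# One user_pref("name", "value"); line; values may contain escaped quotes.
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')

# Where Firefox normally keeps its profiles on Windows (matched lower-case).
STANDARD_PROFILE_DIR = "\\mozilla\\firefox\\profiles\\"

# Constructed sample: the section as it appears in the posted logs.
SAMPLE_LOG = r'''
==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\Hester\AppData\Roaming\Profiles\41A66E7E5EE1
user_pref("browser.startup.homepage", "http://google.nl/");
user_pref("browser.search.defaultenginename", "hohosearch");
user_pref("browser.search.defaultenginename.US", "data:text/plain,browser.search.defaultenginename.US=hohosearch");
user_pref("browser.search.selectedEngine", "hohosearch");

ProfilePath: C:\Users\Hester\AppData\Roaming\Mozilla\Firefox\Profiles\hgqos12l.default-1462879239763
user_pref("browser.startup.homepage", "http://www.google.nl/");
'''


@dataclass
class FirefoxProfile:
    path: str
    prefs: dict = field(default_factory=dict)


def parse_firefox_section(log_text):
    """Return one FirefoxProfile per 'ProfilePath:' block, prefs as a dict."""
    profiles = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("ProfilePath:"):
            current = FirefoxProfile(path=line.split(":", 1)[1].strip())
            profiles.append(current)
            continue
        match = PREF_RE.match(line)
        if match and current is not None:
            current.prefs[match.group(1)] = match.group(2)
    return profiles


def engine_name(value):
    """Reduce a search-engine pref value to the engine name it selects.
    The '.US' pref above carries the name inside a data: URL, so take
    whatever follows the last '=' in that case."""
    return value.rsplit("=", 1)[-1] if value.startswith("data:") else value


def find_hijack_indicators(profiles, expected_engines=("Google",)):
    """(profile path, pref name, engine) for search prefs not on the allow-list."""
    findings = []
    for profile in profiles:
        for name, value in profile.prefs.items():
            is_search_pref = (name.startswith("browser.search.defaultenginename")
                              or name == "browser.search.selectedEngine")
            if is_search_pref and engine_name(value) not in expected_engines:
                findings.append((profile.path, name, engine_name(value)))
    return findings


def non_standard_profiles(profiles):
    """Profile paths outside the usual Mozilla\\Firefox\\Profiles folder."""
    return [p.path for p in profiles if STANDARD_PROFILE_DIR not in p.path.lower()]


if __name__ == "__main__":
    found = parse_firefox_section(SAMPLE_LOG)
    for path, name, engine in find_hijack_indicators(found):
        print(f"{path}: {name} -> {engine}")
    for path in non_standard_profiles(found):
        print(f"profile outside the standard folder: {path}")
```

Run against the sample it reports the three hohosearch prefs of the first profile and that profile's unusual location, and nothing for the second profile.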


                        • #13
                          Download ZHPDiag via the link below:
                          - ZHPDiag (click the blue 'Télécharger' button)
                          Save it to your desktop.

                          Disable antivirus software
                          Temporarily disable your antivirus and antispyware programs, as they can conflict with ZHPDiag.

                          Run ZHPDiag
                          • Right-click ZHPDiag3.exe and click Run as Administrator.
                          • Click "I agree" on the opening "TERMS OF USE" screen.
                          • Click "Scanner" and wait patiently until it has finished.
                          • Afterwards a text file named ZHPDiag.txt will be on your desktop; post it as an attachment in your next message.
                          (You can also find the log file in the folder %AppData%\ZHP.)



                          • #14
                            ZHPDiag.txt



                            • #15
                              Download ZHPFix to the desktop.
                              Installing ZHPFix:
                              • Right-click ZHPFix.exe and click "Run as Administrator".
                              • Click "Suivant" several times and then "Installer" to install the program.
                              • Then click "Terminer".


                              Copy the code below in full:

                              Code:
                              Script ZHPFix
                              HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}  =>Heuristic.Suspect
                              HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}  =>Heuristic.Suspect
                              HKLM\SOFTWARE\Wow6432Node\Tencent  =>.Superfluous.Tencent
                              HKCU\SOFTWARE\Tencent  =>.Superfluous.Tencent
                              C:\Users\Hester\AppData\Local\app  =>PUP.Optional.CrossRider
                              
                              
                              shortcutfix
                              emptytemp
                              emptyflash
                              Temporarily disable your antivirus software.
                              Running ZHPFix:
                              • Double-click the ZHPFix shortcut on the desktop.
                              • The selected script code is pasted into the ZHPFix window. If this does not happen automatically, right-click in the ZHPFix window and click Paste.
                              • Press the "Importeren" button.
                              • Then press the "Go" button at the bottom.
                              • Wait patiently until a log opens.

                              Post the log file named "ZHPFix[r1].txt" as an attachment in your next message.
