TechSpot

Sirefef.B but now ZeroAccess.B??

By MorgothG
Aug 4, 2012
    Hi all,

    This Sirefef.B is driving me mad :)
    I tried ComboFix, but I am afraid I need some real help here.

    I made an FRST log and it shows ZeroAccess. See below. But I also wonder: has Sirefef.B mutated into ZeroAccess.B? And is Sirefef gone?

    Well, here is my FRST log:

    Scan result of Farbar Recovery Scan Tool Version: 04-08-2012 01
    Ran by SYSTEM at 04-08-2012 17:56:18
    Running from H:\
    Windows 7 Home Premium (X64) OS Language: Dutch Standard
    The current controlset is ControlSet001
    ========================== Registry (Whitelisted) =============
    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [9642528 2009-12-08] (Realtek Semiconductor)
    HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [2185032 2009-10-19] (CANON INC.)
    HKLM\...\Run: [CanonSolutionMenu] C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe /logon [767312 2009-03-18] (CANON INC.)
    HKLM\...\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming [1609296 2010-06-26] (Logitech, Inc.)
    HKLM\...\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe [x]
    HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [102400 2010-04-06] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [346320 2009-08-04] (DeviceVM, Inc.)
    HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [106496 2009-11-20] (NEC Electronics Corporation)
    HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-02] (Apple Inc.)
    HKLM-x32\...\Run: [Reader Library Launcher] C:\Program Files (x86)\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe [906648 2010-07-13] (Sony Corporation)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [SweetIM] C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe [114992 2012-01-19] (SweetIM Technologies Ltd.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [1391272 2012-01-03] (Ask)
    HKLM-x32\...\Run: [F-Secure Manager] "C:\Program Files (x86)\Internetbeveiliging\Common\FSM32.EXE" /splash [199264 2009-08-05] (F-Secure Corporation)
    HKLM-x32\...\Run: [F-Secure TNB] "C:\Program Files (x86)\Internetbeveiliging\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW [2349664 2009-08-05] (F-Secure Corporation)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
    HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
    HKU\Sytske\...\Run: [IncrediMail] C:\Program Files (x86)\IncrediMail\bin\IncMail.exe /c [366024 2011-10-27] (IncrediMail, Ltd.)
    HKU\Sytske\...\Run: [PrinterProDesktop] C:\Program Files (x86)\Printer Pro Desktop\PrinterProDesktop.exe /autorun [2132992 2012-02-02] ()
    HKU\Sytske\...\Run: [KiesHelper] C:\Program Files (x86)\Samsung\Kies\KiesHelper.exe /s [955792 2012-05-04] (Samsung)
    HKU\Sytske\...\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [3521424 2012-05-04] (Samsung Electronics Co., Ltd.)
    HKU\Sytske\...\Run: [KiesPDLR] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [21392 2012-05-04] ()
    HKU\Sytske\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-03-23] (Google Inc.)
    HKU\Sytske\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
    Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
    Tcpip\Parameters: [DhcpNameServer] 212.54.40.25 212.54.35.25
    ==================== Services (Whitelisted) ======
    2 BCUService; C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [219360 2009-08-04] (DeviceVM, Inc.)
    2 ES lite Service; "C:\Program Files (x86)\Gigabyte\EasySaver\ESSVR.EXE" [68136 2009-08-24] ()
    2 F-Secure Gatekeeper Handler Starter; "C:\Program Files (x86)\Internetbeveiliging\Anti-Virus\fsgk32st.exe" [215648 2009-08-05] (F-Secure Corporation)
    3 FSDFWD; "C:\Program Files (x86)\Internetbeveiliging\FWES\Program\fsdfwd.exe" [844384 2012-04-04] (F-Secure Corporation)
    2 FSMA; "C:\Program Files (x86)\Internetbeveiliging\Common\FSMA32.EXE" [186976 2009-08-05] (F-Secure Corporation)
    3 FSORSPClient; "C:\Program Files (x86)\Internetbeveiliging\ORSP Client\fsorsp.exe" [61088 2012-04-04] (F-Secure Corporation)
    2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
    2 RapiMgr; C:\Windows\WindowsMobile\rapimgr.dll [225672 2007-05-31] (Microsoft Corporation)
    2 Realtek11nSU; C:\Program Files (x86)\SITECOM\300N USB Wireless LAN Utility\RtlService.exe [36864 2010-04-16] (Realtek)
    2 WcesComm; C:\Windows\WindowsMobile\wcescomm.dll [443784 2007-05-31] (Microsoft Corporation)
    ========================== Drivers (Whitelisted) =============
    2 atksgt; C:\Windows\System32\Drivers\atksgt.sys [88480 2012-07-18] ()
    4 F-Secure Filter; \??\C:\Program Files (x86)\Internetbeveiliging\Anti-Virus\Win2K\FSfilter.sys [39776 2009-08-05] ()
    3 F-Secure Gatekeeper; \??\C:\Program Files (x86)\Internetbeveiliging\Anti-Virus\minifilter\fsgk.sys [199848 2012-06-07] ()
    1 F-Secure HIPS; \??\C:\Program Files (x86)\Internetbeveiliging\HIPS\drivers\fshs.sys [57920 2009-08-05] (F-Secure Corporation)
    4 F-Secure Recognizer; \??\C:\Program Files (x86)\Internetbeveiliging\Anti-Virus\Win2K\FSrec.sys [25184 2009-08-05] ()
    0 fsbts; C:\Windows\System32\Drivers\fsbts.sys [55960 2012-05-09] ()
    0 fsbts; C:\Windows\SysWow64\Drivers\fsbts.sys [42672 2012-04-04] ()
    1 FSES; C:\Windows\System32\Drivers\FSES.sys [45624 2012-04-04] (F-Secure Corporation)
    1 FSFW; C:\Windows\System32\drivers\fsdfw.sys [94280 2012-04-04] (F-Secure Corporation)
    1 fsvista; \??\C:\Program Files (x86)\Internetbeveiliging\Anti-Virus\minifilter\fsvista.sys [14904 2009-08-05] ()
    3 gdrv; \??\C:\Windows\gdrv.sys [25640 2012-08-04] (Windows (R) Server 2003 DDK provider)
    2 lirsgt; C:\Windows\System32\Drivers\lirsgt.sys [46400 2012-07-18] ()
    3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
    3 SG762_64; C:\Windows\System32\DRIVERS\WlanBZ64.sys [493440 2009-08-27] (ZyDAS Technology Corporation)
    3 catchme; \??\C:\ComboFix\catchme.sys [x]
    3 dgderdrv; C:\Windows\System32\drivers\dgderdrv.sys [x]
    3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
    ========================== NetSvcs (Whitelisted) ===========

    ============ One Month Created Files and Folders ==============
    2012-08-04 16:00 - 2012-08-04 16:00 - 00607260 ____R (Swearware) C:\Users\Sytske\Desktop\dds.com
    2012-08-04 15:56 - 2012-08-04 15:56 - 00000000 ____A C:\Users\Sytske\Documents\gmer.log
    2012-08-04 15:52 - 2012-08-04 15:52 - 00302592 ____A C:\Users\Sytske\Downloads\iql1svem.exe
    2012-08-04 15:52 - 2012-08-04 15:52 - 00294216 ____A C:\Users\Sytske\Desktop\gmer.zip
    2012-08-04 15:52 - 2011-07-16 21:21 - 00302592 ____A C:\Users\Sytske\Desktop\gmer.exe
    2012-08-04 15:45 - 2012-08-04 16:11 - 00000000 ____D C:\Users\Sytske\Documents\virus logs enzo
    2012-08-04 15:27 - 2012-08-04 15:27 - 00000000 ____D C:\Users\Sytske\AppData\Roaming\Malwarebytes
    2012-08-04 15:26 - 2012-08-04 15:26 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-04 15:26 - 2012-08-04 15:26 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-08-04 15:26 - 2012-08-04 15:26 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-08-04 15:26 - 2012-07-03 12:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-08-04 15:25 - 2012-08-04 15:25 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Sytske\Desktop\mbam-setup-1.62.0.1300.exe
    2012-08-04 15:23 - 2012-08-04 15:23 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Sytske\Downloads\mbam-setup-1.62.0.1300.exe
    2012-08-04 14:44 - 2012-08-04 14:44 - 00000000 ____D C:\Program Files\Enigma Software Group
    2012-08-04 14:43 - 2012-08-04 15:27 - 00000000 ____D C:\Windows\F896D02690164122B9BD957FF092FFE9.TMP
    2012-08-04 14:42 - 2012-08-04 14:42 - 00725440 ____A (Enigma Software Group USA, LLC.) C:\Users\Sytske\Desktop\SpyHunter-Installer.exe
    2012-08-04 14:37 - 2012-08-04 14:37 - 04009167 ____A C:\Users\Sytske\Desktop\ServicesRepair.exe
    2012-08-04 14:36 - 2012-08-04 14:36 - 00138120 ____A (ESET) C:\Users\Sytske\Desktop\ESETSirefefRemover.exe
    2012-08-04 14:35 - 2012-08-04 14:35 - 02030547 ____A C:\Users\Sytske\Desktop\EZ_Sirefix.exe
    2012-08-04 14:35 - 2012-08-04 14:35 - 00000000 ____D C:\Users\Sytske\AppData\Roaming\F-Secure
    2012-08-03 13:50 - 2012-08-03 13:50 - 09827016 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
    2012-08-02 07:34 - 2012-08-02 07:34 - 01438391 ____A (Farbar) C:\Users\Sytske\Downloads\FRST64.exe
    2012-07-29 19:03 - 2012-08-03 13:29 - 00000960 ____A C:\Users\Public\Desktop\calibre - E-book management.lnk
    2012-07-26 18:36 - 2012-07-26 18:36 - 00001144 ____A C:\Users\Sytske\Desktop\Jane Croft.lnk
    2012-07-25 17:40 - 2012-07-25 19:09 - 00000000 ____D C:\Program Files (x86)\Ad-Aware Antivirus
    2012-07-25 17:40 - 2012-07-25 17:40 - 00000000 ____D C:\Users\All Users\Lavasoft
    2012-07-25 17:39 - 2012-07-25 17:40 - 00000000 ____D C:\Users\Sytske\AppData\Local\adawarebp
    2012-07-25 17:38 - 2012-07-25 18:04 - 00000000 ____D C:\Users\Sytske\AppData\Roaming\Ad-Aware Antivirus
    2012-07-24 14:35 - 2012-07-25 19:08 - 00000000 ____D C:\Program Files (x86)\DealPly
    2012-07-24 14:35 - 2012-07-24 14:44 - 00000000 ____D C:\Program Files\Babylon
    2012-07-24 10:09 - 2012-07-24 10:09 - 00000000 ____D C:\Windows\SysWOW64\searchplugins
    2012-07-24 10:09 - 2012-07-24 10:09 - 00000000 ____D C:\Windows\SysWOW64\Extensions
    2012-07-24 10:03 - 2012-08-03 13:31 - 00000000 ____D C:\Users\Sytske\Documents\Calibrebibliotheek
    2012-07-24 10:03 - 2012-07-24 15:36 - 00000000 ____D C:\Users\Sytske\AppData\Roaming\calibre
    2012-07-24 10:03 - 2012-07-24 10:03 - 00000000 ____D C:\Users\All Users\Sidekick Manager
    2012-07-24 10:03 - 2012-07-24 10:03 - 00000000 ____D C:\Users\All Users\IBUpdaterService
    2012-07-24 10:02 - 2012-08-03 13:29 - 00000000 ____D C:\Program Files (x86)\Calibre2
    2012-07-23 12:07 - 2012-07-23 12:07 - 00023851 ____A C:\ComboFix.txt
    2012-07-23 11:39 - 2012-07-23 12:07 - 00000000 ____D C:\ComboFix
    2012-07-23 11:39 - 2011-06-26 07:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-07-23 11:39 - 2010-11-07 18:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-07-23 11:39 - 2009-04-20 05:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-07-23 11:39 - 2000-08-31 01:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-07-23 11:39 - 2000-08-31 01:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-07-23 11:39 - 2000-08-31 01:00 - 00098816 ____A C:\Windows\sed.exe
    2012-07-23 11:39 - 2000-08-31 01:00 - 00080412 ____A C:\Windows\grep.exe
    2012-07-23 11:39 - 2000-08-31 01:00 - 00068096 ____A C:\Windows\zip.exe
    2012-07-23 11:36 - 2012-07-23 12:07 - 00000000 ____D C:\Qoobox
    2012-07-23 11:35 - 2012-07-23 12:03 - 00000000 ____D C:\Windows\erdnt
    2012-07-23 11:35 - 2012-07-23 11:35 - 04582474 ____R (Swearware) C:\Users\Sytske\Downloads\ComboFix.exe
    2012-07-23 11:17 - 2012-07-23 11:17 - 00000000 __SHD C:\Windows\System32\%APPDATA%
    2012-07-18 18:25 - 2012-07-18 18:25 - 00235936 ____A (Tagès SA) C:\Users\Sytske\Downloads\TagesSetup_x64.exe
    2012-07-16 18:33 - 2012-07-16 18:33 - 00000000 ____D C:\Users\All Users\RVLGames
    2012-07-15 13:57 - 2012-07-15 13:57 - 00000000 ____D C:\Users\Sytske\AppData\Local\Macromedia
    2012-07-12 17:34 - 2012-07-23 09:45 - 00012962 ____A C:\Users\Sytske\Documents\Van Kristian.xlsx
    2012-07-11 14:36 - 2012-07-11 14:36 - 00000000 ____D C:\Users\Sytske\Documents\My Games
    2012-07-11 14:36 - 2012-07-11 14:36 - 00000000 ____D C:\Users\Sytske\AppData\Local\My Games
    2012-07-11 13:36 - 2012-07-11 13:36 - 00000220 ____A C:\Users\Sytske\Desktop\Sid Meier's Civilization V.url
    2012-07-11 13:28 - 2012-08-04 16:50 - 00000940 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-11 13:28 - 2012-08-03 13:50 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-07-11 13:28 - 2012-07-11 13:28 - 00000000 ____D C:\Windows\System32\Macromed
    2012-07-11 13:07 - 2012-06-12 04:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-07-11 13:04 - 2012-06-02 13:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-07-11 13:04 - 2012-06-02 13:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-07-11 13:04 - 2012-06-02 13:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-07-11 13:04 - 2012-06-02 13:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-07-11 13:04 - 2012-06-02 13:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-07-11 13:04 - 2012-06-02 13:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-07-11 13:04 - 2012-06-02 13:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-07-11 13:04 - 2012-06-02 13:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-07-11 13:04 - 2012-06-02 13:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-07-11 13:04 - 2012-06-02 13:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-07-11 13:04 - 2012-06-02 12:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-07-11 13:04 - 2012-06-02 12:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-07-11 13:04 - 2012-06-02 12:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-07-11 13:04 - 2012-06-02 12:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-07-11 13:04 - 2012-06-02 10:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-07-11 13:04 - 2012-06-02 09:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-07-11 13:04 - 2012-06-02 09:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-07-11 13:04 - 2012-06-02 09:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-07-11 13:04 - 2012-06-02 09:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-07-11 13:04 - 2012-06-02 09:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-07-11 13:04 - 2012-06-02 09:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-07-11 13:04 - 2012-06-02 09:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-07-11 13:04 - 2012-06-02 09:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-07-11 13:04 - 2012-06-02 09:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-07-11 13:04 - 2012-06-02 09:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-07-11 13:04 - 2012-06-02 09:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-07-11 13:04 - 2012-06-02 09:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-07-11 13:04 - 2012-06-02 09:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-07-11 08:22 - 2012-06-06 07:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-07-11 08:22 - 2012-06-06 07:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-07-11 08:22 - 2012-06-06 06:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-07-11 08:22 - 2012-06-06 06:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-07-11 08:22 - 2010-06-26 04:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
    2012-07-11 08:22 - 2010-06-26 04:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
    2012-07-11 08:21 - 2012-06-09 06:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-07-11 08:21 - 2012-06-09 05:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-07-11 08:21 - 2012-06-06 07:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-07-11 08:21 - 2012-06-06 06:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
    2012-07-11 08:21 - 2012-06-02 06:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-07-11 08:21 - 2012-06-02 06:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-07-11 08:21 - 2012-06-02 06:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-07-11 08:21 - 2012-06-02 06:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-07-11 08:21 - 2012-06-02 06:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-07-11 08:21 - 2012-06-02 05:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-07-11 08:21 - 2012-06-02 05:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-07-11 08:21 - 2012-06-02 05:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-07-11 08:21 - 2012-06-02 05:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll

    ============ 3 Months Modified Files ========================
    2012-08-04 16:50 - 2012-07-11 13:28 - 00000940 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-04 16:50 - 2010-08-08 21:09 - 00000236 ____A C:\service.log
    2012-08-04 16:50 - 2010-08-08 02:29 - 01411024 ____A C:\Windows\WindowsUpdate.log
    2012-08-04 16:50 - 2009-07-14 05:45 - 00015024 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-04 16:50 - 2009-07-14 05:45 - 00015024 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-04 16:46 - 2010-08-11 08:11 - 00001052 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-04 16:46 - 2010-08-08 22:50 - 00025640 ____A (Windows (R) Server 2003 DDK provider) C:\Windows\gdrv.sys
    2012-08-04 16:45 - 2009-07-14 06:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-04 16:45 - 2009-07-14 05:51 - 00100038 ____A C:\Windows\setupact.log
    2012-08-04 16:14 - 2009-07-14 10:16 - 00714012 ____A C:\Windows\System32\perfh013.dat
    2012-08-04 16:14 - 2009-07-14 10:16 - 00139356 ____A C:\Windows\System32\perfc013.dat
    2012-08-04 16:14 - 2009-07-14 06:13 - 01587152 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-04 16:03 - 2010-08-11 08:11 - 00001056 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-04 16:00 - 2012-08-04 16:00 - 00607260 ____R (Swearware) C:\Users\Sytske\Desktop\dds.com
    2012-08-04 15:56 - 2012-08-04 15:56 - 00000000 ____A C:\Users\Sytske\Documents\gmer.log
    2012-08-04 15:52 - 2012-08-04 15:52 - 00302592 ____A C:\Users\Sytske\Downloads\iql1svem.exe
    2012-08-04 15:52 - 2012-08-04 15:52 - 00294216 ____A C:\Users\Sytske\Desktop\gmer.zip
    2012-08-04 15:47 - 2010-08-11 07:39 - 00180688 ____A C:\Windows\PFRO.log
    2012-08-04 15:26 - 2012-08-04 15:26 - 00001109 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-08-04 15:25 - 2012-08-04 15:25 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Sytske\Desktop\mbam-setup-1.62.0.1300.exe
    2012-08-04 15:23 - 2012-08-04 15:23 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Sytske\Downloads\mbam-setup-1.62.0.1300.exe
    2012-08-04 14:42 - 2012-08-04 14:42 - 00725440 ____A (Enigma Software Group USA, LLC.) C:\Users\Sytske\Desktop\SpyHunter-Installer.exe
    2012-08-04 14:37 - 2012-08-04 14:37 - 04009167 ____A C:\Users\Sytske\Desktop\ServicesRepair.exe
    2012-08-04 14:36 - 2012-08-04 14:36 - 00138120 ____A (ESET) C:\Users\Sytske\Desktop\ESETSirefefRemover.exe
    2012-08-04 14:35 - 2012-08-04 14:35 - 02030547 ____A C:\Users\Sytske\Desktop\EZ_Sirefix.exe
    2012-08-04 09:25 - 2011-11-29 18:37 - 00015048 ____A C:\Users\Sytske\Documents\Geocachen.xlsx
    2012-08-03 13:50 - 2012-08-03 13:50 - 09827016 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
    2012-08-03 13:50 - 2012-07-11 13:28 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-08-03 13:50 - 2011-06-12 10:40 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-08-03 13:29 - 2012-07-29 19:03 - 00000960 ____A C:\Users\Public\Desktop\calibre - E-book management.lnk
    2012-08-02 07:34 - 2012-08-02 07:34 - 01438391 ____A (Farbar) C:\Users\Sytske\Downloads\FRST64.exe
    2012-08-01 18:27 - 2009-07-14 06:08 - 00032598 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-26 18:36 - 2012-07-26 18:36 - 00001144 ____A C:\Users\Sytske\Desktop\Jane Croft.lnk
    2012-07-23 12:07 - 2012-07-23 12:07 - 00023851 ____A C:\ComboFix.txt
    2012-07-23 11:58 - 2009-07-14 03:34 - 00000215 ____A C:\Windows\system.ini
    2012-07-23 11:55 - 2009-07-14 03:34 - 67895296 ____A C:\Windows\System32\config\SOFTWARE.bak
    2012-07-23 11:55 - 2009-07-14 03:34 - 23068672 ____A C:\Windows\System32\config\SYSTEM.bak
    2012-07-23 11:55 - 2009-07-14 03:34 - 00262144 ____A C:\Windows\System32\config\SECURITY.bak
    2012-07-23 11:55 - 2009-07-14 03:34 - 00262144 ____A C:\Windows\System32\config\SAM.bak
    2012-07-23 11:55 - 2009-07-14 03:34 - 00262144 ____A C:\Windows\System32\config\DEFAULT.bak
    2012-07-23 11:35 - 2012-07-23 11:35 - 04582474 ____R (Swearware) C:\Users\Sytske\Downloads\ComboFix.exe
    2012-07-23 09:45 - 2012-07-12 17:34 - 00012962 ____A C:\Users\Sytske\Documents\Van Kristian.xlsx
    2012-07-18 18:25 - 2012-07-18 18:25 - 00235936 ____A (Tagès SA) C:\Users\Sytske\Downloads\TagesSetup_x64.exe
    2012-07-18 18:25 - 2011-08-01 09:54 - 00088480 ____A C:\Windows\System32\Drivers\atksgt.sys
    2012-07-18 18:25 - 2011-08-01 09:54 - 00046400 ____A C:\Windows\System32\Drivers\lirsgt.sys
    2012-07-11 14:35 - 2011-02-25 18:27 - 00274489 ____A C:\Windows\DirectX.log
    2012-07-11 13:36 - 2012-07-11 13:36 - 00000220 ____A C:\Users\Sytske\Desktop\Sid Meier's Civilization V.url
    2012-07-11 13:26 - 2009-07-14 05:45 - 00359456 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-11 13:05 - 2010-08-11 07:47 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-07-03 19:00 - 2012-07-03 19:00 - 00001235 ____A C:\Users\Sytske\Desktop\World Riddles 2.lnk
    2012-07-03 12:46 - 2012-08-04 15:26 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-06-29 16:17 - 2012-06-29 16:17 - 00001226 ____A C:\Users\Sytske\Desktop\Spirit of Wandering.lnk
    2012-06-12 04:08 - 2012-07-11 13:07 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-09 06:43 - 2012-07-11 08:21 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-09 05:41 - 2012-07-11 08:21 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-06-06 07:06 - 2012-07-11 08:22 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-06 07:06 - 2012-07-11 08:22 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-06 07:02 - 2012-07-11 08:21 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
    2012-06-06 06:05 - 2012-07-11 08:22 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-06-06 06:05 - 2012-07-11 08:22 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-06-06 06:03 - 2012-07-11 08:21 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
    2012-06-02 23:19 - 2012-06-21 09:27 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 23:19 - 2012-06-21 09:27 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 23:19 - 2012-06-21 09:27 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 23:19 - 2012-06-21 09:26 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 23:19 - 2012-06-21 09:26 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 23:15 - 2012-06-21 09:27 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 23:15 - 2012-06-21 09:26 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 14:19 - 2012-06-21 09:26 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 14:15 - 2012-06-21 09:26 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 13:49 - 2012-07-11 13:04 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 13:17 - 2012-07-11 13:04 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 13:12 - 2012-07-11 13:04 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 13:05 - 2012-07-11 13:04 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 13:05 - 2012-07-11 13:04 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 13:04 - 2012-07-11 13:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 13:04 - 2012-07-11 13:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 13:03 - 2012-07-11 13:04 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 13:01 - 2012-07-11 13:04 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 13:00 - 2012-07-11 13:04 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 12:59 - 2012-07-11 13:04 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 12:57 - 2012-07-11 13:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 12:57 - 2012-07-11 13:04 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 12:54 - 2012-07-11 13:04 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-02 10:07 - 2012-07-11 13:04 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-06-02 09:43 - 2012-07-11 13:04 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-06-02 09:33 - 2012-07-11 13:04 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-06-02 09:26 - 2012-07-11 13:04 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-06-02 09:25 - 2012-07-11 13:04 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-06-02 09:25 - 2012-07-11 13:04 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-06-02 09:23 - 2012-07-11 13:04 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-06-02 09:21 - 2012-07-11 13:04 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-06-02 09:20 - 2012-07-11 13:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-06-02 09:19 - 2012-07-11 13:04 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-06-02 09:19 - 2012-07-11 13:04 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-06-02 09:17 - 2012-07-11 13:04 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-06-02 09:16 - 2012-07-11 13:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-06-02 09:14 - 2012-07-11 13:04 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-06-02 06:50 - 2012-07-11 08:21 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
    2012-06-02 06:48 - 2012-07-11 08:21 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
    2012-06-02 06:48 - 2012-07-11 08:21 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-02 06:45 - 2012-07-11 08:21 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-02 06:44 - 2012-07-11 08:21 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-06-02 05:40 - 2012-07-11 08:21 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-06-02 05:40 - 2012-07-11 08:21 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-06-02 05:39 - 2012-07-11 08:21 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-06-02 05:34 - 2012-07-11 08:21 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
    2012-05-31 11:25 - 2010-08-08 21:29 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-05-20 17:51 - 2011-05-25 18:27 - 00000075 ____A C:\Windows\ImportClient.INI
    2012-05-16 16:09 - 2011-03-22 12:29 - 00003584 ____A C:\Users\Sytske\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-05-09 09:41 - 2012-05-09 09:41 - 00055960 ____A C:\Windows\System32\Drivers\fsbts.sys

    ZeroAccess:
    C:\Windows\Installer\{bd96b1c2-558e-dbd4-c240-c2c67e7b8421}
    C:\Windows\Installer\{bd96b1c2-558e-dbd4-c240-c2c67e7b8421}\L
    C:\Windows\Installer\{bd96b1c2-558e-dbd4-c240-c2c67e7b8421}\U
    ZeroAccess:
    C:\Users\Sytske\AppData\Local\{bd96b1c2-558e-dbd4-c240-c2c67e7b8421}
    C:\Users\Sytske\AppData\Local\{bd96b1c2-558e-dbd4-c240-c2c67e7b8421}\@
    C:\Users\Sytske\AppData\Local\{bd96b1c2-558e-dbd4-c240-c2c67e7b8421}\L
    C:\Users\Sytske\AppData\Local\{bd96b1c2-558e-dbd4-c240-c2c67e7b8421}\U
    ========================= Known DLLs (Whitelisted) ============

    ========================= Bamital & volsnap Check ============
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ========================= Memory info ======================
    Percentage of memory in use: 15%
    Total physical RAM: 4094.49 MB
    Available physical RAM: 3448.52 MB
    Total Pagefile: 4092.64 MB
    Available Pagefile: 3433.82 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB
    ======================= Partitions =========================
    2 Drive c: () (Fixed) (Total:931.41 GB) (Free:753.2 GB) NTFS
    3 Drive d: (Achief) (Fixed) (Total:931.39 GB) (Free:811.35 GB) NTFS
    4 Drive f: (Herstelschijf Windows 7 64-bits) (CDROM) (Total:0.16 GB) (Free:0 GB) UDF
    6 Drive h: (KINGSTON) (Removable) (Total:3.74 GB) (Free:1.54 GB) FAT32
    7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    8 Drive y: (Door systeem gereserveerd) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Schfnr. Status Grootte Vrij Dyn GPT
    -------- ------------- ------- ------- --- ---
    Schf 0 Online 931 GB 0 B
    Schf 1 Online 931 GB 0 B *
    Schf 2 Geen medium 0 B 0 B
    Schf 3 Online 3836 MB 0 B

    ==========================================================
    Last Boot: 2012-07-30 12:45
    ======================= End Of Log ==========================
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until it is closed and your computer is declared clean.

    Additional FRST Scan

    Once again, please boot to the System Recovery Options and run FRST, as done previously.

    Type the following text in the blank box after Search:

    services.exe

    Click: Search file(s)

    When done searching, FRST makes a log, Search.txt, on the C:\ drive.

    Please provide the Search.txt in your reply.
  3. MorgothG

    MorgothG TS Rookie Topic Starter

    Thanks for the speed!

    Farbar Recovery Scan Tool Version: 04-08-2012 01
    Ran by SYSTEM at 2012-08-04 19:03:20
    Running from H:\
    ================== Search: "services.exe" ===================
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
    [2009-07-14 00:19] - [2009-07-14 02:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
    C:\Windows\System32\services.exe
    [2009-07-14 00:19] - [2009-07-14 02:39] - 0328704 ____N (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
    ====== End Of Search ======
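The two FRST findings in this thread, the System32 services.exe whose MD5 differs from its WinSxS copy (the Search.txt above) and the {GUID}\L, \U folders listed under "ZeroAccess:" in the first log, as an added example script that is not part of the thread, FRST or ComboFix. The sample search output and directory tree are constructed from the log text, and the hash comparison (every non-WinSxS copy against the component-store copy of the same file name) generalizes the single check FRST ran here.

```python
"""Added example: not code from the TechSpot thread, FRST or ComboFix.

(1) Parse an FRST "Search" result and flag a System32 binary whose MD5 differs
from the pristine WinSxS copy; (2) find the {GUID}\\L, \\U layout FRST listed
under "ZeroAccess:". Sample data is constructed from the thread's log text.
"""
import ntpath
import os
import re
import tempfile

# Constructed sample: the Search.txt content posted in the thread.
SAMPLE_SEARCH = """\
Farbar Recovery Scan Tool Version: 04-08-2012 01
Ran by SYSTEM at 2012-08-04 19:03:20
Running from H:\\
================== Search: "services.exe" ===================
C:\\Windows\\winsxs\\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\\services.exe
[2009-07-14 00:19] - [2009-07-14 02:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB
C:\\Windows\\System32\\services.exe
[2009-07-14 00:19] - [2009-07-14 02:39] - 0328704 ____N (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06
====== End Of Search ======
"""

# FRST detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+)(?: \((?P<company>[^)]*)\))? (?P<md5>[0-9A-Fa-f]{32})$"
)
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
GUID_DIR_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def parse_frst_search(text):
    """One dict per hit (path, size, attrs, company, md5). FRST prints a path
    line followed by a detail line, so the last path seen is attached to the
    next detail line."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = DETAIL_RE.match(line)
        if m and pending is not None:
            rec = m.groupdict()
            rec["path"], rec["size"] = pending, int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            entries.append(rec)
            pending = None
        elif WIN_PATH_RE.match(line):
            pending = line
    return entries


def find_tampered(entries):
    """Pair each non-WinSxS copy with the WinSxS copy of the same file name and
    return (path, md5, reference_md5) where the hashes differ. Same size and
    timestamps but a different hash is the pattern in the thread: services.exe
    in System32 had been overwritten in place."""
    reference = {}
    for e in entries:
        if "\\winsxs\\" in e["path"].lower():
            reference.setdefault(ntpath.basename(e["path"]).lower(), e["md5"])
    findings = []
    for e in entries:
        if "\\winsxs\\" in e["path"].lower():
            continue
        ref = reference.get(ntpath.basename(e["path"]).lower())
        if ref is not None and ref != e["md5"]:
            findings.append((e["path"], e["md5"], ref))
    return findings


def find_zeroaccess_dirs(roots):
    """Return {GUID} directories directly under any root that hold both an "L"
    and a "U" entry, the layout FRST flagged under "ZeroAccess:"."""
    hits = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for name in sorted(os.listdir(root)):
            full = os.path.join(root, name)
            if GUID_DIR_RE.match(name) and os.path.isdir(full):
                if {"L", "U"} <= set(os.listdir(full)):
                    hits.append(full)
    return hits


def build_sample_tree():
    """Constructed fixture: the GUID directory from the log next to a benign
    GUID directory that merely caches an MSI (Installer's normal use)."""
    installer = os.path.join(tempfile.mkdtemp(prefix="za_demo_"), "Installer")
    bad = os.path.join(installer, "{bd96b1c2-558e-dbd4-c240-c2c67e7b8421}")
    os.makedirs(os.path.join(bad, "L"))
    os.makedirs(os.path.join(bad, "U"))
    benign = os.path.join(installer, "{11111111-2222-3333-4444-555555555555}")
    os.makedirs(benign)
    with open(os.path.join(benign, "setup.msi"), "wb") as fh:
        fh.write(b"constructed placeholder, not a real MSI")
    return installer
```

On a live system the same two functions would be pointed at a real Search.txt and at C:\Windows\Installer plus each user's AppData\Local; the hash comparison only tells you the copies differ, so the WinSxS copy still needs a signature check before it is trusted as the reference.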
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST64 Fixlist

    Please run the following:

    Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once, then wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
  5. MorgothG

    MorgothG TS Rookie Topic Starter

    Okay, thanks again, I ran the fix.
    But after the reboot my F-Secure still noticed ZeroAccess.B again.
    Oh, and after reading the log... it can't find services :(

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 04-08-2012 01
    Ran by SYSTEM at 2012-08-06 07:30:18 Run:1
    Running from G:\
    ==============================================
    Could not find C:\Windows\System32\services.exe.
    Could not find C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe.
    ==== End of Fixlog ====
  6. MorgothG

    MorgothG TS Rookie Topic Starter

    Just a thought: in Notepad the script did not have an ENTER after the services.exe... maybe this is related, but I did not dare to change anything. See below. Anyway, thanks in advance for all the help!

    start
    Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
    C:\Windows\Installer\{bd96b1c2-558e-dbd4-c240-c2c67e7b8421}
    C:\Users\Sytske\AppData\Local\{bd96b1c2-558e-dbd4-c240-c2c67e7b8421}
    end
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Download this premade script and transfer it to the flash drive to replace the current fixlist.txt.

    Run the Fix in FRST, and post the fixlog.txt back here, please.

  8. MorgothG

    MorgothG TS Rookie Topic Starter

    Seems good! Now what :)

    And: You are good!!


    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 04-08-2012 01
    Ran by SYSTEM at 2012-08-07 08:10:53 Run:2
    Running from G:\
    ==============================================
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe
    C:\Windows\Installer\{bd96b1c2-558e-dbd4-c240-c2c67e7b8421} moved successfully.
    C:\Users\Sytske\AppData\Local\{bd96b1c2-558e-dbd4-c240-c2c67e7b8421} moved successfully.
    ==== End of Fixlog ====
  9. MorgothG

    MorgothG TS Rookie Topic Starter

    Do I need the ComboFix now?
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix

    Please download ComboFix by sUBs from BleepingComputer.com.

    Please save the file to your Desktop, but rename it first to svchost.exe.

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions into Notepad and save them to your Desktop, or print them, for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to any other name, only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to reconnect your machine to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, restart your computer to restore your connection.
    Running ComboFix:
    • Double-click on svchost.exe and follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after the BIOS screen and just before the Windows logo appears. A list of options will appear; select "Safe Mode".)

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again and rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe instead.

    Malware is known for blocking all "user" processes, except for its whitelist of important system processes such as iexplore.exe, explorer.exe and winlogon.exe.
  11. MorgothG

    MorgothG TS Rookie Topic Starter

    Done!!

    ComboFix 12-08-07.05 - Sytske 08-08-2012 8:14.2.6 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.31.1043.18.4094.2440 [GMT 2:00]
    Gestart vanuit: c:\users\Sytske\Desktop\ComboFix.exe
    gebruikte Opdracht switches :: c:\users\Sytske\Desktop\svchost.exe
    AV: Ziggo uitgebreide internetbeveiliging 9.01 *Disabled/Updated* {15414183-282E-D62C-CA37-EF24860A2F17}
    FW: Ziggo uitgebreide internetbeveiliging 9.01 *Enabled* {2D7AC0A6-6241-D774-E168-461178D9686C}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Ziggo uitgebreide internetbeveiliging 9.01 *Disabled/Updated* {AE20A067-0E14-D9A2-F087-D456FD8D65AA}
    * Nieuw herstelpunt werd aangemaakt
    .
    .
    (((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\DealPly
    c:\program files (x86)\DealPly\DealPly.crx
    c:\users\Sytske\AppData\Local\Temp\c25e8b3d-33a7-42bf-85e6-6880c6753136\CliSecureRT.dll
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\chrome.manifest
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\chrome\content\background.html
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\chrome\content\browser.xul
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\chrome\content\crossrider.js
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\chrome\content\crossriderapi.js
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\chrome\content\dialog.js
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\chrome\content\options.js
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\chrome\content\options.xul
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\chrome\content\search_dialog.xul
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\chrome\content\update.html
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\defaults\preferences\prefs.js
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\install.rdf
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\locale\en-US\translations.dtd
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\skin\button1.png
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\skin\button2.png
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\skin\button3.png
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\skin\button4.png
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\skin\button5.png
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\skin\crossrider_statusbar.png
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\skin\icon128.png
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\skin\icon16.png
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\skin\icon24.png
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\skin\icon48.png
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\skin\panelarrow-up.png
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\skin\popup.css
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\skin\popup.html
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\skin\popup_binding.xml
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\skin\skin.css
    c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\extensions\crossriderapp5060@crossrider.com\skin\update.css
    .
    .
    (((((((((((((((((((( Bestanden Gemaakt van 2012-07-08 to 2012-08-08 ))))))))))))))))))))))))))))))
    .
    .
    2012-08-08 06:22 . 2012-08-08 06:22 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-04 16:55 . 2012-08-04 16:56 -------- d-----w- C:\FRST
    2012-08-04 14:27 . 2012-08-04 14:27 -------- d-----w- c:\users\Sytske\AppData\Roaming\Malwarebytes
    2012-08-04 14:26 . 2012-08-04 14:26 -------- d-----w- c:\programdata\Malwarebytes
    2012-08-04 14:26 . 2012-08-04 14:26 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-08-04 14:26 . 2012-07-03 11:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-08-04 13:44 . 2012-08-04 13:44 -------- d-----w- c:\program files\Enigma Software Group
    2012-08-04 13:43 . 2012-08-04 14:27 -------- d-----w- c:\windows\F896D02690164122B9BD957FF092FFE9.TMP
    2012-08-04 13:43 . 2012-08-04 13:43 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
    2012-08-04 13:35 . 2012-08-04 13:35 -------- d-----w- c:\users\Sytske\AppData\Roaming\F-Secure
    2012-08-03 12:50 . 2012-08-03 12:50 9827016 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2012-07-25 16:40 . 2012-07-25 16:40 -------- d-----w- c:\programdata\Lavasoft
    2012-07-25 16:40 . 2012-07-25 18:09 -------- d-----w- c:\program files (x86)\Ad-Aware Antivirus
    2012-07-25 16:39 . 2012-07-25 16:40 -------- d-----w- c:\users\Sytske\AppData\Local\adawarebp
    2012-07-25 16:38 . 2012-07-25 17:04 -------- d-----w- c:\users\Sytske\AppData\Roaming\Ad-Aware Antivirus
    2012-07-24 13:35 . 2012-07-24 13:44 -------- d-----w- c:\program files\Babylon
    2012-07-24 09:09 . 2012-07-24 09:09 -------- d-----w- c:\windows\SysWow64\searchplugins
    2012-07-24 09:09 . 2012-07-24 09:09 -------- d-----w- c:\windows\SysWow64\Extensions
    2012-07-24 09:03 . 2012-07-25 16:30 -------- d-----w- c:\programdata\Tarma Installer
    2012-07-24 09:03 . 2012-07-24 09:03 -------- d-----w- c:\programdata\IBUpdaterService
    2012-07-24 09:03 . 2012-07-24 09:03 -------- d-----w- c:\programdata\Sidekick Manager
    2012-07-24 09:03 . 2012-07-24 14:36 -------- d-----w- c:\users\Sytske\AppData\Roaming\calibre
    2012-07-24 09:02 . 2012-08-03 12:29 -------- d-----w- c:\program files (x86)\Calibre2
    2012-07-23 10:17 . 2012-07-23 10:17 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-16 17:33 . 2012-07-16 17:33 -------- d-----w- c:\programdata\RVLGames
    2012-07-15 12:57 . 2012-07-15 12:57 -------- d-----w- c:\users\Sytske\AppData\Local\Macromedia
    2012-07-11 13:36 . 2012-07-11 13:36 -------- d-----w- c:\users\Sytske\AppData\Local\My Games
    2012-07-11 12:28 . 2012-08-03 12:50 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-11 12:28 . 2012-07-11 12:28 -------- d-----w- c:\windows\system32\Macromed
    2012-07-11 12:07 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
    2012-07-11 07:22 . 2012-06-06 06:06 2004480 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-11 07:22 . 2012-06-06 06:06 1881600 ----a-w- c:\windows\system32\msxml3.dll
    2012-07-11 07:22 . 2012-06-06 05:05 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
    2012-07-11 07:22 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
    2012-07-11 07:22 . 2010-06-26 03:55 2048 ----a-w- c:\windows\system32\msxml3r.dll
    2012-07-11 07:22 . 2010-06-26 03:24 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-08 06:23 . 2010-08-08 21:50 25640 ----a-w- c:\windows\gdrv.sys
    2012-08-03 12:50 . 2011-06-12 09:40 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-18 17:25 . 2011-08-01 08:54 88480 ----a-w- c:\windows\system32\drivers\atksgt.sys
    2012-07-18 17:25 . 2011-08-01 08:54 46400 ----a-w- c:\windows\system32\drivers\lirsgt.sys
    2012-07-11 12:05 . 2010-08-11 06:47 59701280 ----a-w- c:\windows\system32\MRT.exe
    2012-06-29 10:04 . 2012-07-20 09:24 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1CDA9EA7-A232-40A4-80B8-296BAE9A5F96}\mpengine.dll
    2012-06-02 22:19 . 2012-06-21 08:26 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 08:27 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-21 08:27 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 08:27 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 08:26 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:15 . 2012-06-21 08:27 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-21 08:26 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 13:19 . 2012-06-21 08:26 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 13:15 . 2012-06-21 08:26 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-05-31 10:25 . 2010-08-08 20:29 279656 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-07-23_10.58.44 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-14 04:54 . 2012-08-03 12:50 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:54 . 2012-07-12 15:50 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2012-08-03 12:50 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2012-07-12 15:50 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2012-07-12 15:50 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-08-03 12:50 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-08-08 20:13 . 2012-08-08 06:25 70908 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-08-08 06:25 33588 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2010-08-08 19:44 . 2012-08-08 06:25 22690 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1533824660-63877345-1307092320-1000_UserData.bin
    + 2010-08-08 01:31 . 2012-08-08 06:04 49152 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-08-08 01:31 . 2012-07-23 10:22 49152 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:46 . 2012-08-07 06:14 95072 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    + 2010-08-08 20:18 . 2012-07-31 08:46 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-08-08 20:18 . 2012-07-23 07:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2012-08-04 14:08 . 2012-08-04 14:26 66956 c:\windows\F896D02690164122B9BD957FF092FFE9.TMP\WiseCustomCall.dll
    + 2011-07-19 16:28 . 2012-07-25 17:55 1872 c:\windows\system32\wdi\ERCQueuedResolutions.dat
    - 2012-07-23 10:56 . 2012-07-23 10:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-08-08 06:23 . 2012-08-08 06:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-08-08 06:23 . 2012-08-08 06:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-07-23 10:56 . 2012-07-23 10:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2012-08-03 12:50 . 2012-08-03 12:50 686792 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_270_Plugin.exe
    + 2012-08-03 11:50 . 2012-08-03 11:50 686792 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_270_ActiveX.exe
    + 2012-08-03 11:50 . 2012-08-03 11:50 466632 c:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_270_ActiveX.dll
    + 2012-07-11 12:28 . 2012-08-03 12:50 250056 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    - 2012-07-11 12:28 . 2012-07-12 15:50 250056 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    + 2010-08-18 08:17 . 2012-08-03 14:00 367132 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
    - 2009-07-14 09:16 . 2012-07-18 09:33 714012 c:\windows\system32\perfh013.dat
    + 2009-07-14 09:16 . 2012-08-07 12:22 714012 c:\windows\system32\perfh013.dat
    + 2009-07-14 02:36 . 2012-08-07 12:22 628496 c:\windows\system32\perfh009.dat
    - 2009-07-14 02:36 . 2012-07-18 09:33 628496 c:\windows\system32\perfh009.dat
    - 2009-07-14 09:16 . 2012-07-18 09:33 139356 c:\windows\system32\perfc013.dat
    + 2009-07-14 09:16 . 2012-08-07 12:22 139356 c:\windows\system32\perfc013.dat
    + 2009-07-14 02:36 . 2012-08-07 12:22 112188 c:\windows\system32\perfc009.dat
    - 2009-07-14 02:36 . 2012-07-18 09:33 112188 c:\windows\system32\perfc009.dat
    + 2012-08-03 12:50 . 2012-08-03 12:50 417992 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_270_Plugin.exe
    + 2012-08-03 11:50 . 2012-08-03 11:50 417992 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_270_ActiveX.exe
    + 2012-08-03 11:50 . 2012-08-03 11:50 513224 c:\windows\system32\Macromed\Flash\FlashUtil64_11_3_300_270_ActiveX.dll
    + 2010-08-08 01:31 . 2012-08-08 06:04 409600 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-08-08 01:31 . 2012-07-23 10:22 409600 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-08-08 06:04 147456 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2012-07-23 10:22 147456 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 05:01 . 2012-08-08 06:22 301188 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2009-07-14 05:01 . 2012-07-23 10:55 301188 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2012-08-04 14:08 . 2012-08-04 14:26 190063 c:\windows\F896D02690164122B9BD957FF092FFE9.TMP\WiseCustomCalla36.exe
    + 2012-08-04 14:08 . 2012-08-04 14:26 175992 c:\windows\F896D02690164122B9BD957FF092FFE9.TMP\WiseCustomCalla34.dll
    + 2012-08-04 14:08 . 2012-08-04 14:26 176035 c:\windows\F896D02690164122B9BD957FF092FFE9.TMP\WiseCustomCalla33.dll
    + 2012-08-04 14:08 . 2012-08-04 14:26 176545 c:\windows\F896D02690164122B9BD957FF092FFE9.TMP\WiseCustomCalla32.dll
    + 2012-08-04 14:08 . 2012-08-04 14:08 184966 c:\windows\F896D02690164122B9BD957FF092FFE9.TMP\WiseCustomCalla31.exe
    + 2012-08-04 14:26 . 2012-08-04 14:26 184966 c:\windows\F896D02690164122B9BD957FF092FFE9.TMP\WiseCustomCalla31.dll
    + 2012-08-04 14:08 . 2012-08-04 14:26 189776 c:\windows\F896D02690164122B9BD957FF092FFE9.TMP\WiseCustomCalla21.dll
    + 2012-08-04 14:08 . 2012-08-04 14:26 176035 c:\windows\F896D02690164122B9BD957FF092FFE9.TMP\WiseCustomCalla2.dll
    + 2012-08-04 14:08 . 2012-08-04 14:26 179526 c:\windows\F896D02690164122B9BD957FF092FFE9.TMP\WiseCustomCalla.dll
    + 2012-08-03 12:50 . 2012-08-03 12:50 9465032 c:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_270.dll
    + 2012-08-03 12:50 . 2012-08-03 12:50 1536712 c:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_270.exe
    + 2012-08-03 12:50 . 2012-08-03 12:50 12315336 c:\windows\system32\Macromed\Flash\NPSWF64_11_3_300_270.dll
    + 2011-03-28 14:04 . 2012-08-08 06:23 53880672 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1533824660-63877345-1307092320-1000-12288.dat
    + 2012-08-03 12:28 . 2012-08-03 12:28 48523776 c:\windows\Installer\3e1ce4.msi
    .
    -- Snapshot teruggezet naar huidige datum --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
    .
    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{B7CF5C23-CA56-440B-8E87-8E2D05BE2113}]
    2010-09-13 23:35 3088896 ----a-w- c:\program files (x86)\SaveVid Toolbar\VideoDownloader.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2012-01-03 14:31 1514152 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
    2012-01-15 11:27 1330480 ----a-w- c:\program files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{283B4AA3-1B7A-46E6-B56D-90EF4743FB2C}"= "c:\program files (x86)\SaveVid Toolbar\VideoDownloader.dll" [2010-09-13 3088896]
    "{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2012-01-15 1330480]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
    .
    [HKEY_CLASSES_ROOT\clsid\{283b4aa3-1b7a-46e6-b56d-90ef4743fb2c}]
    [HKEY_CLASSES_ROOT\VideoDownloader.VideoDownloaderBand.1]
    [HKEY_CLASSES_ROOT\TypeLib\{1EA80D6E-79D4-483F-AF7C-52851C945761}]
    [HKEY_CLASSES_ROOT\VideoDownloader.VideoDownloaderBand]
    .
    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IncrediMail"="c:\program files (x86)\IncrediMail\bin\IncMail.exe" [2011-10-27 366024]
    "PrinterProDesktop"="c:\program files (x86)\Printer Pro Desktop\PrinterProDesktop.exe" [2012-02-02 2132992]
    "KiesHelper"="c:\program files (x86)\Samsung\Kies\KiesHelper.exe" [2012-05-04 955792]
    "KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2012-05-04 3521424]
    "KiesPDLR"="c:\program files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2012-05-04 21392]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-23 39408]
    "MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-06 102400]
    "BCU"="c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 346320]
    "NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2009-11-20 106496]
    "AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
    "Reader Library Launcher"="c:\program files (x86)\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2010-07-13 906648]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "SweetIM"="c:\program files (x86)\SweetIM\Messenger\SweetIM.exe" [2012-01-19 114992]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]
    "F-Secure Manager"="c:\program files (x86)\Internetbeveiliging\Common\FSM32.EXE" [2009-08-05 199264]
    "F-Secure TNB"="c:\program files (x86)\Internetbeveiliging\FSGUI\TNBUtil.exe" [2009-08-05 2349664]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-18 421888]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
    .
    c:\users\Sytske\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2011-12-2 1000288]
    Mediacontrole Picture Motion Browser.lnk - c:\program files (x86)\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2011-1-30 200704]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux2"=wdmaud.drv
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Updateservice (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-11 136176]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-03 250056]
    R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [x]
    R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
    R3 gupdatem;Google Update-service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-11 136176]
    R3 SG762_64;SAGEM 802.11g XG762 1211B Driver;c:\windows\system32\DRIVERS\WlanBZ64.sys [2009-08-27 493440]
    R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2011-06-02 157672]
    R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2011-06-02 16872]
    R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2011-06-02 177640]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
    R3 WatAdminSvc;Windows Activation Technologies-service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-10 1255736]
    R4 F-Secure Filter;F-Secure File System Filter;c:\program files (x86)\Internetbeveiliging\Anti-Virus\Win2K\FSfilter.sys [2009-08-05 39776]
    R4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files (x86)\Internetbeveiliging\Anti-Virus\Win2K\FSrec.sys [2009-08-05 25184]
    S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2012-05-09 55960]
    S1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files (x86)\Internetbeveiliging\HIPS\drivers\fshs.sys [2009-08-05 57920]
    S1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2012-04-04 45624]
    S1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2012-04-04 94280]
    S1 fsvista;F-Secure Vista Support Driver;c:\program files (x86)\Internetbeveiliging\Anti-Virus\minifilter\fsvista.sys [2009-08-05 14904]
    S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-04-07 202752]
    S2 BCUService;Browser Configuration Utility Service;c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-08-04 219360]
    S2 ES lite Service;ES lite Service for program management.;c:\program files (x86)\Gigabyte\EasySaver\ESSVR.EXE [2009-08-24 68136]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
    S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-05-04 503080]
    S2 Realtek11nSU;Realtek11nSU;c:\program files (x86)\SITECOM\300N USB Wireless LAN Utility\RtlService.exe [2010-04-16 36864]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-04-07 6659072]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-04-07 195584]
    S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files (x86)\Internetbeveiliging\Anti-Virus\minifilter\fsgk.sys [2012-06-07 199848]
    S3 FSORSPClient;F-Secure ORSP Client;c:\program files (x86)\Internetbeveiliging\ORSP Client\fsorsp.exe [2012-04-04 61088]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
    S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2009-11-20 75776]
    S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2009-11-20 177152]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
    S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\DRIVERS\RTL8192su.sys [2010-02-06 690208]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-07 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-11 12:50]
    .
    2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-11 07:11]
    .
    2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-11 07:11]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-08 9642528]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 2185032]
    "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
    "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1609296]
    "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.nu.nl/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: E&xporteren naar Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    LSP: c:\program files (x86)\Internetbeveiliging\FSPS\program\FSLSP.DLL
    TCP: DhcpNameServer = 212.54.40.25 212.54.35.25
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    DPF: {B4A41BDB-320A-4AF4-8DBC-846866A62657} - hxxp://www.mijnalbum.nl/v3/skinsrc/core/system/ma7.0.43/ImageUploader7.cab
    DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
    FF - ProfilePath - c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.geocaching.nl/index/
    FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=100&systemid=102&sr=0&q=
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-10 - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1533824660-63877345-1307092320-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*‘%Æ*€%]
    @Class="Shell"
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_USERS\S-1-5-21-1533824660-63877345-1307092320-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*‘%Æ*€%\OpenWithList]
    @Class="Shell"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Internetbeveiliging\Anti-Virus\fsgk32st.exe
    c:\program files (x86)\Internetbeveiliging\Common\FSMA32.EXE
    c:\program files (x86)\Internetbeveiliging\Anti-Virus\FSGK32.EXE
    c:\program files (x86)\Internetbeveiliging\Common\FSHDLL32.EXE
    c:\program files (x86)\Internetbeveiliging\Anti-Virus\fssm32.exe
    c:\program files (x86)\SITECOM\300N USB Wireless LAN Utility\RtWlan.exe
    c:\program files (x86)\Internetbeveiliging\Anti-Virus\fsav32.exe
    c:\program files (x86)\IncrediMail\Bin\ImApp.exe
    c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-08 08:34:26 - machine was restarted
    ComboFix-quarantined-files.txt 2012-08-08 06:34
    ComboFix2.txt 2012-07-23 11:07
    .
    Pre-Run: 809.856.643.072 bytes free
    Post-Run: 809.715.757.056 bytes free
    .
    - - End Of File - - 48629B88EE71C85DB1424EF403360A4D
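Reading a ComboFix log like the one above by hand is slow, so here is an added example (my own code, not part of this thread and not ComboFix's or FRST's own tooling) that parses a constructed excerpt in the same format and pulls out the items a responder checks first: the UAC policy values (the log above shows EnableLUA=0, which means UAC is switched off entirely), service entries whose binary is marked missing, hidden directories created under c:\windows, and a Firefox keyword.URL search override. Two assumptions are mine, not stated in the thread: that ComboFix's trailing "[x]" marks a file it could not find, and that the attribute column is laid out d r s h a c w so that an 'h' means hidden.

```python
"""Triage helper for the ComboFix log format posted above (added example, not ComboFix code).
Assumptions not stated in the thread: a trailing "[x]" on a service line means ComboFix
found no file at that path, and the attribute column is laid out d r s h a c w ('h' = hidden)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied in shape from the logs in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [x]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
.
2012-07-23 10:17 . 2012-07-23 10:17 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-04 16:55 . 2012-08-04 16:56 -------- d-----w- C:\FRST
.
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=100&systemid=102&sr=0&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.geocaching.nl/index/
"""

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)')
_SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[x\]$")
_CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
                         r"\S+ (?P<attrs>[d-][-a-z]{7}) (?P<path>.+)$")
_FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.+)$")
_HOST_RE = re.compile(r"^hxxps?://(?P<host>[^/]+)", re.IGNORECASE)


def registry_block(log: str, key_suffix: str) -> List[str]:
    """Value lines of the [registry block] whose header ends with key_suffix;
    ComboFix closes every block with a line holding only '.'."""
    out, inside = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.lower().endswith(key_suffix.lower() + "]"):
            inside = True
        elif inside:
            if line == ".":
                break
            out.append(line)
    return out


def parse_uac_policy(log: str) -> Dict[str, int]:
    values = {}
    for line in registry_block(log, r"\policies\system"):
        m = _VALUE_RE.match(line)
        if m:
            values[m.group("name")] = int(m.group("val"))
    return values


def uac_findings(values: Dict[str, int]) -> List[str]:
    """Deviations from the Windows 7 defaults (EnableLUA=1, admin prompt=5, secure desktop=1)."""
    findings = []
    if values.get("EnableLUA") == 0:
        findings.append("EnableLUA=0: UAC is off, admin processes run fully elevated")
    if values.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate silently")
    if values.get("PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop=0: prompts are not shown on the secure desktop")
    return findings


def services_with_missing_binary(log: str) -> List[Tuple[str, str, str]]:
    """(state, service name, path) for each R*/S* line whose file is marked [x]."""
    matches = (_SERVICE_RE.match(raw.strip()) for raw in log.splitlines())
    return [(m.group("state"), m.group("name"), m.group("path")) for m in matches if m]


def hidden_windows_dirs(log: str) -> List[str]:
    """Directories created under c:\\windows that carry the hidden attribute."""
    hits = []
    for raw in log.splitlines():
        m = _CREATED_RE.match(raw.strip())
        if m and m.group("attrs")[0] == "d" and "h" in m.group("attrs") \
                and m.group("path").lower().startswith("c:\\windows"):
            hits.append(m.group("path"))
    return hits


def firefox_search_redirects(log: str) -> Dict[str, str]:
    """Host behind keyword.URL, the pref that decided where address-bar searches
    went in Firefox of this era (ComboFix defangs http as hxxp)."""
    result = {}
    for raw in log.splitlines():
        m = _FF_PREF_RE.match(raw.strip())
        if m and m.group("pref") == "keyword.URL":
            host = _HOST_RE.match(m.group("value"))
            result["keyword.URL"] = host.group("host") if host else m.group("value")
    return result


def triage(log: str) -> Dict[str, object]:
    return {"uac": uac_findings(parse_uac_policy(log)),
            "missing_binaries": services_with_missing_binary(log),
            "hidden_dirs": hidden_windows_dirs(log),
            "firefox_search": firefox_search_redirects(log)}
```

Feed `triage()` the full log text rather than the sample. The output is a list of things for a human to look at, not verdicts: a service whose file is gone can be a driver left registered after its product was uninstalled just as easily as something malicious, and the UAC values only tell you that the machine was running without any elevation barrier, not who turned it off.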
     
  12. Jay Pfoutz (Malware Helper)

    ComboFix Script

    • Close any open browsers.
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.


    Scan for malware

    Please download Malwarebytes Anti-Malware from HERE.


    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Copy and paste the entire report in your next reply.
  13. MorgothG (TS Rookie, Topic Starter)

    Next is the malware scan




    ComboFix 12-08-09.01 - Sytske 09-08-2012 18:06:16.3.6 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.31.1043.18.4094.2416 [GMT 2:00]
    Started from: c:\users\Sytske\Desktop\ComboFix.exe
    Command switches used :: c:\users\Sytske\Desktop\CFScript.txt
    AV: Ziggo uitgebreide internetbeveiliging 9.01 *Disabled/Updated* {15414183-282E-D62C-CA37-EF24860A2F17}
    FW: Ziggo uitgebreide internetbeveiliging 9.01 *Enabled* {2D7AC0A6-6241-D774-E168-461178D9686C}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Ziggo uitgebreide internetbeveiliging 9.01 *Disabled/Updated* {AE20A067-0E14-D9A2-F087-D456FD8D65AA}
    .
    .
    (((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Sytske\AppData\Local\Temp\c25e8b3d-33a7-42bf-85e6-6880c6753136\CliSecureRT.dll
    .
    .
    (((((((((((((((((((( Files Created from 2012-07-09 to 2012-08-09 ))))))))))))))))))))))))))))))
    .
    .
    2012-08-09 16:13 . 2012-08-09 16:13 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-09 16:01 . 2012-08-09 16:01 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1CDA9EA7-A232-40A4-80B8-296BAE9A5F96}\offreg.dll
    2012-08-09 16:00 . 2012-08-09 16:00 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
    2012-08-09 15:59 . 2012-08-09 16:00 -------- d-----w- c:\program files\Adobe
    2012-08-09 15:55 . 2012-08-09 16:00 -------- d-----w- c:\program files\Common Files\Adobe
    2012-08-04 16:55 . 2012-08-04 16:56 -------- d-----w- C:\FRST
    2012-08-04 14:27 . 2012-08-04 14:27 -------- d-----w- c:\users\Sytske\AppData\Roaming\Malwarebytes
    2012-08-04 14:26 . 2012-08-04 14:26 -------- d-----w- c:\programdata\Malwarebytes
    2012-08-04 14:26 . 2012-08-04 14:26 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-08-04 14:26 . 2012-07-03 11:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-08-04 13:44 . 2012-08-04 13:44 -------- d-----w- c:\program files\Enigma Software Group
    2012-08-04 13:43 . 2012-08-04 14:27 -------- d-----w- c:\windows\F896D02690164122B9BD957FF092FFE9.TMP
    2012-08-04 13:43 . 2012-08-04 13:43 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
    2012-08-04 13:35 . 2012-08-04 13:35 -------- d-----w- c:\users\Sytske\AppData\Roaming\F-Secure
    2012-08-03 12:50 . 2012-08-03 12:50 9827016 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2012-07-25 16:40 . 2012-07-25 16:40 -------- d-----w- c:\programdata\Lavasoft
    2012-07-25 16:40 . 2012-07-25 18:09 -------- d-----w- c:\program files (x86)\Ad-Aware Antivirus
    2012-07-25 16:39 . 2012-07-25 16:40 -------- d-----w- c:\users\Sytske\AppData\Local\adawarebp
    2012-07-25 16:38 . 2012-07-25 17:04 -------- d-----w- c:\users\Sytske\AppData\Roaming\Ad-Aware Antivirus
    2012-07-24 13:35 . 2012-07-24 13:44 -------- d-----w- c:\program files\Babylon
    2012-07-24 09:09 . 2012-07-24 09:09 -------- d-----w- c:\windows\SysWow64\searchplugins
    2012-07-24 09:09 . 2012-07-24 09:09 -------- d-----w- c:\windows\SysWow64\Extensions
    2012-07-24 09:03 . 2012-07-25 16:30 -------- d-----w- c:\programdata\Tarma Installer
    2012-07-24 09:03 . 2012-07-24 09:03 -------- d-----w- c:\programdata\IBUpdaterService
    2012-07-24 09:03 . 2012-07-24 09:03 -------- d-----w- c:\programdata\Sidekick Manager
    2012-07-24 09:03 . 2012-07-24 14:36 -------- d-----w- c:\users\Sytske\AppData\Roaming\calibre
    2012-07-24 09:02 . 2012-08-03 12:29 -------- d-----w- c:\program files (x86)\Calibre2
    2012-07-23 10:17 . 2012-07-23 10:17 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-20 09:24 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1CDA9EA7-A232-40A4-80B8-296BAE9A5F96}\mpengine.dll
    2012-07-16 17:33 . 2012-07-16 17:33 -------- d-----w- c:\programdata\RVLGames
    2012-07-15 12:57 . 2012-07-15 12:57 -------- d-----w- c:\users\Sytske\AppData\Local\Macromedia
    2012-07-11 13:36 . 2012-07-11 13:36 -------- d-----w- c:\users\Sytske\AppData\Local\My Games
    2012-07-11 12:28 . 2012-08-03 12:50 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-11 12:28 . 2012-07-11 12:28 -------- d-----w- c:\windows\system32\Macromed
    2012-07-11 12:07 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
    2012-07-11 07:22 . 2012-06-06 06:06 2004480 ----a-w- c:\windows\system32\msxml6.dll
    2012-07-11 07:22 . 2012-06-06 06:06 1881600 ----a-w- c:\windows\system32\msxml3.dll
    2012-07-11 07:22 . 2012-06-06 05:05 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
    2012-07-11 07:22 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
    2012-07-11 07:22 . 2010-06-26 03:55 2048 ----a-w- c:\windows\system32\msxml3r.dll
    2012-07-11 07:22 . 2010-06-26 03:24 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-09 16:15 . 2010-08-08 21:50 25640 ----a-w- c:\windows\gdrv.sys
    2012-08-03 12:50 . 2011-06-12 09:40 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-18 17:25 . 2011-08-01 08:54 88480 ----a-w- c:\windows\system32\drivers\atksgt.sys
    2012-07-18 17:25 . 2011-08-01 08:54 46400 ----a-w- c:\windows\system32\drivers\lirsgt.sys
    2012-07-11 12:05 . 2010-08-11 06:47 59701280 ----a-w- c:\windows\system32\MRT.exe
    2012-06-02 22:19 . 2012-06-21 08:26 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 08:27 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-21 08:27 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 08:27 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 08:26 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:15 . 2012-06-21 08:27 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-21 08:26 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 13:19 . 2012-06-21 08:26 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 13:15 . 2012-06-21 08:26 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-05-31 10:25 . 2010-08-08 20:29 279656 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2012-08-08_06.24.11 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-02-19 21:03 . 2011-02-19 21:03 51024 c:\windows\SysWOW64\vcomp100.dll
    + 2011-02-19 21:03 . 2011-02-19 21:03 81744 c:\windows\SysWOW64\mfcm100u.dll
    + 2011-02-19 21:03 . 2011-02-19 21:03 81744 c:\windows\SysWOW64\mfcm100.dll
    + 2011-02-19 21:03 . 2011-02-19 21:03 60752 c:\windows\SysWOW64\mfc100rus.dll
    + 2011-02-19 21:03 . 2011-02-19 21:03 43344 c:\windows\SysWOW64\mfc100kor.dll
    + 2011-02-19 21:03 . 2011-02-19 21:03 43856 c:\windows\SysWOW64\mfc100jpn.dll
    + 2011-02-19 21:03 . 2011-02-19 21:03 62288 c:\windows\SysWOW64\mfc100ita.dll
    + 2011-02-19 21:03 . 2011-02-19 21:03 64336 c:\windows\SysWOW64\mfc100fra.dll
    + 2011-02-19 21:03 . 2011-02-19 21:03 63824 c:\windows\SysWOW64\mfc100esn.dll
    + 2011-02-19 21:03 . 2011-02-19 21:03 55120 c:\windows\SysWOW64\mfc100enu.dll
    + 2011-02-19 21:03 . 2011-02-19 21:03 64336 c:\windows\SysWOW64\mfc100deu.dll
    + 2011-02-19 21:03 . 2011-02-19 21:03 36176 c:\windows\SysWOW64\mfc100cht.dll
    + 2011-02-19 21:03 . 2011-02-19 21:03 36176 c:\windows\SysWOW64\mfc100chs.dll
    + 2010-08-08 20:13 . 2012-08-09 16:17 71308 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-08-09 16:17 33620 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2010-08-08 19:44 . 2012-08-09 16:17 22952 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1533824660-63877345-1307092320-1000_UserData.bin
    + 2011-02-19 20:51 . 2011-02-19 20:51 57168 c:\windows\system32\vcomp100.dll
    + 2011-02-19 20:51 . 2011-02-19 20:51 93008 c:\windows\system32\mfcm100u.dll
    + 2011-02-19 20:51 . 2011-02-19 20:51 93008 c:\windows\system32\mfcm100.dll
    + 2011-02-19 20:51 . 2011-02-19 20:51 60752 c:\windows\system32\mfc100rus.dll
    + 2011-02-19 20:51 . 2011-02-19 20:51 43344 c:\windows\system32\mfc100kor.dll
    + 2011-02-19 20:51 . 2011-02-19 20:51 43856 c:\windows\system32\mfc100jpn.dll
    + 2011-02-19 20:51 . 2011-02-19 20:51 62288 c:\windows\system32\mfc100ita.dll
    + 2011-02-19 20:51 . 2011-02-19 20:51 64336 c:\windows\system32\mfc100fra.dll
    + 2011-02-19 20:51 . 2011-02-19 20:51 63824 c:\windows\system32\mfc100esn.dll
    + 2011-02-19 20:51 . 2011-02-19 20:51 55120 c:\windows\system32\mfc100enu.dll
    + 2011-02-19 20:51 . 2011-02-19 20:51 64336 c:\windows\system32\mfc100deu.dll
    + 2011-02-19 20:51 . 2011-02-19 20:51 36176 c:\windows\system32\mfc100cht.dll
    + 2011-02-19 20:51 . 2011-02-19 20:51 36176 c:\windows\system32\mfc100chs.dll
    - 2010-08-08 01:31 . 2012-08-08 06:04 49152 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-08-08 01:31 . 2012-08-09 14:12 49152 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-08-08 20:18 . 2012-08-09 14:21 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-08-08 20:18 . 2012-07-31 08:46 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-08-08 20:18 . 2012-08-09 14:21 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-08-08 20:18 . 2011-05-23 08:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2012-08-09 15:54 . 2012-08-09 15:54 10134 c:\windows\Installer\{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}\ARPPRODUCTICON.exe
    + 2012-08-09 15:54 . 2012-08-09 15:54 10134 c:\windows\Installer\{08D2E121-7F6A-43EB-97FD-629B44903403}\ARPPRODUCTICON.exe
    - 2012-08-08 06:23 . 2012-08-08 06:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-08-09 16:15 . 2012-08-09 16:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-08-09 16:15 . 2012-08-09 16:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-08-08 06:23 . 2012-08-08 06:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-02-18 22:40 . 2011-02-18 22:40 773968 c:\windows\SysWOW64\msvcr100.dll
    + 2011-02-19 21:03 . 2011-02-19 21:03 421200 c:\windows\SysWOW64\msvcp100.dll
    + 2012-03-12 18:56 . 2012-03-12 18:56 947472 c:\windows\SysWOW64\msjava.dll
    + 2011-02-19 21:03 . 2011-02-19 21:03 138056 c:\windows\SysWOW64\atl100.dll
    - 2009-07-14 09:16 . 2012-08-07 12:22 714012 c:\windows\system32\perfh013.dat
    + 2009-07-14 09:16 . 2012-08-09 15:02 714012 c:\windows\system32\perfh013.dat
    - 2009-07-14 02:36 . 2012-08-07 12:22 628496 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2012-08-09 15:02 628496 c:\windows\system32\perfh009.dat
    - 2009-07-14 09:16 . 2012-08-07 12:22 139356 c:\windows\system32\perfc013.dat
    + 2009-07-14 09:16 . 2012-08-09 15:02 139356 c:\windows\system32\perfc013.dat
    + 2009-07-14 02:36 . 2012-08-09 15:02 112188 c:\windows\system32\perfc009.dat
    - 2009-07-14 02:36 . 2012-08-07 12:22 112188 c:\windows\system32\perfc009.dat
    + 2011-02-18 22:52 . 2011-02-18 22:52 829264 c:\windows\system32\msvcr100.dll
    + 2011-02-19 20:51 . 2011-02-19 20:51 608080 c:\windows\system32\msvcp100.dll
    - 2010-08-08 01:31 . 2012-08-08 06:04 409600 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-08-08 01:31 . 2012-08-09 14:12 409600 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-08-09 14:12 147456 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2012-08-08 06:04 147456 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-02-19 20:51 . 2011-02-19 20:51 158536 c:\windows\system32\atl100.dll
    - 2010-11-22 19:11 . 2011-02-17 19:13 262144 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2010-11-22 19:11 . 2012-08-09 14:21 262144 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2009-07-14 05:01 . 2012-08-09 16:13 394116 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-02-19 20:57 . 2011-02-19 20:57 177664 c:\windows\Installer\6b03f.msi
    + 2011-02-19 21:08 . 2011-02-19 21:08 163840 c:\windows\Installer\562aa.msi
    + 2011-02-19 21:03 . 2011-02-19 21:03 4422992 c:\windows\SysWOW64\mfc100u.dll
    + 2011-02-19 21:03 . 2011-02-19 21:03 4397384 c:\windows\SysWOW64\mfc100.dll
    + 2011-02-19 20:51 . 2011-02-19 20:51 5601616 c:\windows\system32\mfc100u.dll
    + 2011-02-19 20:51 . 2011-02-19 20:51 5574472 c:\windows\system32\mfc100.dll
    + 2009-07-14 04:45 . 2012-08-09 16:15 4978440 c:\windows\system32\FNTCACHE.DAT
    + 2011-04-15 22:14 . 2011-04-15 22:14 3186176 c:\windows\Installer\7d092.msi
    + 2012-08-09 15:26 . 2012-08-09 15:26 2259968 c:\windows\Installer\7d08c.msi
    + 2012-08-09 15:26 . 2012-08-09 15:26 1997312 c:\windows\Installer\562a4.msi
    + 2012-08-09 15:26 . 2012-08-09 15:26 2211328 c:\windows\Installer\5629e.msi
    + 2011-03-28 14:04 . 2012-08-09 16:13 66646076 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1533824660-63877345-1307092320-1000-12288.dat
    + 2012-08-09 16:04 . 2012-08-09 16:04 10878976 c:\windows\erdnt\Hiv-backup\schema.dat
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legitimate default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
    .
    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{B7CF5C23-CA56-440B-8E87-8E2D05BE2113}]
    2010-09-13 23:35 3088896 ----a-w- c:\program files (x86)\SaveVid Toolbar\VideoDownloader.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2012-01-03 14:31 1514152 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
    2012-01-15 11:27 1330480 ----a-w- c:\program files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{283B4AA3-1B7A-46E6-B56D-90EF4743FB2C}"= "c:\program files (x86)\SaveVid Toolbar\VideoDownloader.dll" [2010-09-13 3088896]
    "{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2012-01-15 1330480]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
    .
    [HKEY_CLASSES_ROOT\clsid\{283b4aa3-1b7a-46e6-b56d-90ef4743fb2c}]
    [HKEY_CLASSES_ROOT\VideoDownloader.VideoDownloaderBand.1]
    [HKEY_CLASSES_ROOT\TypeLib\{1EA80D6E-79D4-483F-AF7C-52851C945761}]
    [HKEY_CLASSES_ROOT\VideoDownloader.VideoDownloaderBand]
    .
    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IncrediMail"="c:\program files (x86)\IncrediMail\bin\IncMail.exe" [2011-10-27 366024]
    "PrinterProDesktop"="c:\program files (x86)\Printer Pro Desktop\PrinterProDesktop.exe" [2012-02-02 2132992]
    "KiesHelper"="c:\program files (x86)\Samsung\Kies\KiesHelper.exe" [2012-05-04 955792]
    "KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2012-05-04 3521424]
    "KiesPDLR"="c:\program files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2012-05-04 21392]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-23 39408]
    "MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-06 102400]
    "BCU"="c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-08-04 346320]
    "NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2009-11-20 106496]
    "AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
    "Reader Library Launcher"="c:\program files (x86)\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2010-07-13 906648]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "SweetIM"="c:\program files (x86)\SweetIM\Messenger\SweetIM.exe" [2012-01-19 114992]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]
    "F-Secure Manager"="c:\program files (x86)\Internetbeveiliging\Common\FSM32.EXE" [2009-08-05 199264]
    "F-Secure TNB"="c:\program files (x86)\Internetbeveiliging\FSGUI\TNBUtil.exe" [2009-08-05 2349664]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-18 421888]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
    "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS6ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-09 1073312]
    .
    c:\users\Sytske\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2011-12-2 1000288]
    Mediacontrole Picture Motion Browser.lnk - c:\program files (x86)\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2011-1-30 200704]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux2"=wdmaud.drv
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Updateservice (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-11 136176]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-03 250056]
    R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [x]
    R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
    R3 gupdatem;Google Update-service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-11 136176]
    R3 SG762_64;SAGEM 802.11g XG762 1211B Driver;c:\windows\system32\DRIVERS\WlanBZ64.sys [2009-08-27 493440]
    R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [2011-06-02 157672]
    R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [2011-06-02 16872]
    R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [2011-06-02 177640]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
    R3 WatAdminSvc;Windows Activation Technologies-service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-10 1255736]
    R4 F-Secure Filter;F-Secure File System Filter;c:\program files (x86)\Internetbeveiliging\Anti-Virus\Win2K\FSfilter.sys [2009-08-05 39776]
    R4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files (x86)\Internetbeveiliging\Anti-Virus\Win2K\FSrec.sys [2009-08-05 25184]
    S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2012-05-09 55960]
    S1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files (x86)\Internetbeveiliging\HIPS\drivers\fshs.sys [2009-08-05 57920]
    S1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2012-04-04 45624]
    S1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2012-04-04 94280]
    S1 fsvista;F-Secure Vista Support Driver;c:\program files (x86)\Internetbeveiliging\Anti-Virus\minifilter\fsvista.sys [2009-08-05 14904]
    S1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-04-07 202752]
    S2 BCUService;Browser Configuration Utility Service;c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-08-04 219360]
    S2 ES lite Service;ES lite Service for program management.;c:\program files (x86)\Gigabyte\EasySaver\ESSVR.EXE [2009-08-24 68136]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
    S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe [2010-05-04 503080]
    S2 Realtek11nSU;Realtek11nSU;c:\program files (x86)\SITECOM\300N USB Wireless LAN Utility\RtlService.exe [2010-04-16 36864]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-04-07 6659072]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-04-07 195584]
    S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files (x86)\Internetbeveiliging\Anti-Virus\minifilter\fsgk.sys [2012-06-07 199848]
    S3 FSORSPClient;F-Secure ORSP Client;c:\program files (x86)\Internetbeveiliging\ORSP Client\fsorsp.exe [2012-04-04 61088]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
    S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2009-11-20 75776]
    S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2009-11-20 177152]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-08-20 239616]
    S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\DRIVERS\RTL8192su.sys [2010-02-06 690208]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
    .
    .
    Inhoud van de 'Gedeelde Taken' map
    .
    2012-08-09 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-11 12:50]
    .
    2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-11 07:11]
    .
    2012-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-11 07:11]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-12-08 9642528]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 2185032]
    "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
    "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1609296]
    "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-04 446392]
    .
    ------- Bijkomende Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.nu.nl/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: E&xporteren naar Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    LSP: c:\program files (x86)\Internetbeveiliging\FSPS\program\FSLSP.DLL
    TCP: DhcpNameServer = 212.54.40.25 212.54.35.25
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
    DPF: {B4A41BDB-320A-4AF4-8DBC-846866A62657} - hxxp://www.mijnalbum.nl/v3/skinsrc/core/system/ma7.0.43/ImageUploader7.cab
    DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game.zylom.com/activex/zylomgamesplayer.cab
    FF - ProfilePath - c:\users\Sytske\AppData\Roaming\Mozilla\Firefox\Profiles\a6qfmd7m.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.geocaching.nl/index/
    FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=100&systemid=102&sr=0&q=
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS VERWIJDERD - - - -
    .
    Toolbar-10 - (no file)
    Wow6432Node-HKCU-Run-AdobeBridge - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    .
    .
    .
    --------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1533824660-63877345-1307092320-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*‘%Æ*€%]
    @Class="Shell"
    @Allowed: (Read) (RestrictedCode)
    .
    [HKEY_USERS\S-1-5-21-1533824660-63877345-1307092320-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*‘%Æ*€%\OpenWithList]
    @Class="Shell"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_270_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_270.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Andere Aktieve Processen ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Internetbeveiliging\Anti-Virus\fsgk32st.exe
    c:\program files (x86)\Internetbeveiliging\Common\FSMA32.EXE
    c:\program files (x86)\Internetbeveiliging\Anti-Virus\FSGK32.EXE
    c:\program files (x86)\Internetbeveiliging\Common\FSHDLL32.EXE
    c:\program files (x86)\Internetbeveiliging\Anti-Virus\fssm32.exe
    c:\program files (x86)\Internetbeveiliging\Anti-Virus\fsav32.exe
    c:\program files (x86)\SITECOM\300N USB Wireless LAN Utility\RtWlan.exe
    c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
    c:\program files (x86)\IncrediMail\Bin\ImApp.exe
    .
    **************************************************************************
    .
    Voltooingstijd: 2012-08-09 18:25:38 - machine werd herstart
    ComboFix-quarantined-files.txt 2012-08-09 16:25
    ComboFix2.txt 2012-08-08 06:34
    ComboFix3.txt 2012-07-23 11:07
    .
    Pre-Run: 802.374.791.168 bytes beschikbaar
    Post-Run: 802.340.274.176 bytes beschikbaar
    .
    - - End Of File - - 1A818D95A4C787C11032F2015E3FF8DD
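The ComboFix report above lists the policies\system UAC values and the autostart entries that a helper has to read by eye. As an added example that is not part of this thread and not ComboFix's own code, the following Python script parses lines in that format (a constructed sample modelled on the report) and flags UAC switched off and autostarts launched from bundled-toolbar paths; the PUP_MARKERS watchlist is the editor's assumption, drawn from the toolbars named in this thread's logs.

```python
"""Triage a ComboFix-style report for weak UAC policy and suspicious autostarts.
Added example for this thread; it only reads text and touches no live registry."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of the "Reg Opstartpunten" section of the report.
SAMPLE_REPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]
"SweetIM"="c:\program files (x86)\SweetIM\Messenger\SweetIM.exe" [2012-01-19 114992]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
- - - - ORPHANS VERWIJDERD - - - -
.
Toolbar-10 - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")                       # [HKEY_...] section header
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')  # "name"=data
RUN_RE = re.compile(r'^"(?P<path>[^"]+)"\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')
DWORD_RE = re.compile(r"^(?P<dec>\d+)\s+\(0x[0-9A-Fa-f]+\)$")     # 0 (0x0)
ORPHAN_RE = re.compile(r"^(?P<entry>\S.*?)\s+-\s+\(no file\)$")  # orphan autostart

# Directory names of bundled toolbars seen in this thread's logs (assumption: editor's watchlist).
PUP_MARKERS = ("ask.com", "sweetim", "savevid toolbar", "televisionfanatic")

Entry = Tuple[str, Optional[str]]


def parse_report(text: str) -> Dict[str, List[Entry]]:
    """Group "name"=data lines under their [key] header; "(no file)" orphans go under ORPHANS."""
    sections: Dict[str, List[Entry]] = {}
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # ComboFix pads sections with lone dots
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            sections.setdefault(key, [])
            continue
        m = ORPHAN_RE.match(line)
        if m:
            sections.setdefault("ORPHANS", []).append((m.group("entry"), None))
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            sections[key].append((m.group("name"), m.group("data")))
    return sections


def uac_findings(sections: Dict[str, List[Entry]]) -> List[str]:
    """Flag policies\\system values that switch User Account Control off or weaken it."""
    findings: List[str] = []
    for key, values in sections.items():
        if not key.lower().endswith(r"\policies\system"):
            continue
        policy = {}
        for name, data in values:
            m = DWORD_RE.match(data or "")
            if m:
                policy[name] = int(m.group("dec"))
        if policy.get("EnableLUA", 1) != 1:
            findings.append("EnableLUA=0: UAC is off; admin processes run fully elevated with no prompt")
        if policy.get("ConsentPromptBehaviorAdmin", 5) == 0:
            findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate silently")
        if policy.get("PromptOnSecureDesktop", 1) != 1:
            findings.append("PromptOnSecureDesktop=0: elevation prompts are not isolated on the secure desktop")
    return findings


def autostart_findings(sections: Dict[str, List[Entry]]) -> List[str]:
    """Flag Run entries launched from bundled-toolbar paths and orphans with no backing file."""
    findings: List[str] = []
    for key, values in sections.items():
        if key == "ORPHANS":
            findings.extend(f"orphan autostart with no backing file: {entry}" for entry, _ in values)
            continue
        if "currentversion\\run" not in key.lower():
            continue
        for name, data in values:
            m = RUN_RE.match(data or "")
            if not m:
                findings.append(f"{name}: Run entry in unexpected format: {data}")
                continue
            path = m.group("path")
            hit = next((p for p in PUP_MARKERS if p in path.lower()), None)
            if hit:
                findings.append(f"{name}: autostart from bundled-toolbar path ({hit}): {path}")
    return findings


def triage(text: str) -> Dict[str, List[str]]:
    """Run both checks over one report and return the findings per category."""
    sections = parse_report(text)
    return {"uac": uac_findings(sections), "autostart": autostart_findings(sections)}


if __name__ == "__main__":
    for category, items in triage(SAMPLE_REPORT).items():
        for item in items:
            print(f"[{category}] {item}")
```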
  14. MorgothG

    MorgothG TS Rookie Topic Starter

    Malwarebytes Anti-Malware (-evaluatieversie-) 1.62.0.1300
    www.malwarebytes.org

    Databaseversie: v2012.08.09.07

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Sytske :: SYTSKE-PC [administrator]

    Realtime bescherming: Uitgeschakeld

    9-8-2012 18:36:31
    mbam-log-2012-08-09 (18-36-31).txt

    Scantype: Snelle scan
    Ingeschakelde scanopties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM
    Uitgeschakelde scanopties: P2P
    Objecten gescand: 199670
    Verstreken tijd: 1 minuut/minuten, 58 seconde(n)

    Geheugenprocessen gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    Geheugenmodulen gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    Registersleutels gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    Registerwaarden gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    Registerdata gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    Mappen gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    Bestanden gedetecteerd: 1
    C:\Users\Sytske\Downloads\installer_adobe_photoshop.exe (PUP.BundleInstaller.BT) -> Succesvol in quarantaine geplaatst en verwijderd.

    (einde)
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Cool!

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
  16. MorgothG

    MorgothG TS Rookie Topic Starter

    Got to go to work,
    So this one: Click Scan (This scan can take several hours, so please be patient) will have to wait till tomorrow. But many thanks so far!!!!
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okie dokie. Can't wait. *nerd*
  18. MorgothG

    MorgothG TS Rookie Topic Starter

    Running the online scan. And the weird thing... my F-Secure just found ZeroAccess.B, but was able to delete it.

    So weird... but I am waiting for ESET to finish :)
  19. MorgothG

    MorgothG TS Rookie Topic Starter

    My mom finished the scan and made a screendump. But I will post the log.txt here instead :)

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=995f13dbb65b2e42b885d3b0408e272a
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-08-11 02:04:59
    # local_time=2012-08-11 04:04:59 (+0100, West-Europa (zomertijd))
    # country="Netherlands"
    # lang=1033
    # osver=6.1.7601 NT Service Pack 1
    # compatibility_mode=1024 16777215 100 0 63384061 63384061 0 0
    # compatibility_mode=2304 16777215 100 0 0 0 0 0
    # compatibility_mode=5893 16776573 100 94 111988 96318626 0 0
    # compatibility_mode=8192 67108863 100 0 138 138 0 0
    # scanned=283406
    # found=1
    # cleaned=1
    # scan_time=5123
    C:\Users\Sytske\AppData\LocalLow\TelevisionFanaticEI\Installr\Cache\0012A968.exe a variant of Win32/Toolbar.MyWebSearch.O application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please run a full system scan with the F-Secure program. Take a screenshot of results, if it detects anything.
  21. MorgothG

    MorgothG TS Rookie Topic Starter

    Manually deleted the infected files. So I should be clean now. I guess :)

    Scanrapport

    zondag 12 augustus 2012 21:39:50 - 22:07:05

    Computernaam: SYTSKE-PC
    Scantype: Volledige scan
    Doel: C:\ E:\ + systeem + rootkits
    Resultaat: 3 malware aangetroffen

    Gen:Variant.Graftor.6000(virus)
    • C:\Users\Sytske\Documents\Diversen\Bewaren\bejeweled2setup.exe\Bejeweled 2 Deluxe\bejeweled2.dll
    Gen:Variant.Graftor.19079(virus)
    • C:\Users\Sytske\Documents\Diversen\Bewaren\bejeweled2setup.exe\Bejeweled 2 Deluxe\bejeweled2.exe
    Exploit.MSExcel.Gen(Vermoede infectie)
    • C:\Users\Sytske\Documents\NBSV\Ledenadministratie 2009\NBSV_jaarrekening_2009_1overzicht.xls Actie: Mislukt

    Statistieken

    Gescand:
    • Bestanden: 87313
    • Niet gescand: 5
    Resultaat:
    • Virussen: 2
    • Spyware: 0
    • Verdachte items: 1
    • Riskware: 0
    Acties:
    • Gedesinfecteerd: 0
    • Naam gewijzigd: 0
    • Verwijderd: 0
    • Geïsoleerd: 0
    • Mislukt: 1
    Bootsectoren:
    • Gescand: 3
    • Geïnfecteerd: 0
    • Verdachte items: 0
    • Gedesinfecteerd: 0
    Bestanden niet gescand:

    Opties

    Versie definities:
    • Virussen: 2012-08-12_06
    • Spyware: 2012-08-12_06
    Scanengines:
    • F-Secure Aquarius: 11.00.01, 2012-08-12
    • F-Secure Hydra: 5.07.7855, 2012-08-11
    • F-Secure Online: 11.00.18140, 2012-05-29
    • F-Secure Gemini: 3.02.101, 2012-08-09
    • F-Secure BlackLight: 2.04.1099, 2009-09-22
    Scanopties:
    • Opgegeven bestanden scannen: ANI ASP AX BAT BIN BOO CHM CMD COM CPL DLL DOC DOT DRV EML EXE HLP HTA HTM HTML HTT INF INI JOB JS JSE LNK LSP MDB MHT MPP MPT MSG MSO OCX PDF PHP PIF POT PPT RTF SCR SHS SWF SYS TD0 TMP VBE VBS VXD WBK WMA WMV WMF WSC WSF WSH WRI XLS XLT XML CLASS ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
    • Scannen binnen archieven
    Acties:
    • Virussen: Vragen na scannen
    • Spyware: Vragen na scannen
    • Verdachte items weergeven na een volledige scan
    Foutinformatie

    De fout 'Kan bestand niet openen' is opgetreden.

    Het foutbericht 'Kan bestand niet openen' betekent dat de scanner het bestand niet kon openen en dat het niet is gescand. U kunt dit foutbericht meestal negeren, omdat dit bericht vaak wordt weergegeven om andere redenen dan beveiligingsdreigingen, zoals:
    • Het bestand was een systeembestand. Deze bestanden worden beschermd door het besturingssysteem. In dit geval kunt u dit bericht negeren.
    • U hebt geen toestemming om het bestand te lezen. Als u het bestand wilt scannen. , moet u zich aanmelden met een gebruikersaccount met voldoende rechten (zoals de beheerdersaccount van de computer) en voert u de scan opnieuw uit.
    • Het bestand was tijdens de scan in gebruik. Als u dit bestand wilt scannen, sluit u alle toepassingen en voert u de scan opnieuw uit.
  22. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi! Your logs appear to be clean. If there are no more issues, then we shall clean up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, e.g. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive, e.g. C
    • For a few moments the system will make some calculations:
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Tell me in your next reply, if you have completed these tasks:
    • Cleaned System Restore
    • Ran OTC
    • Ran CCleaner
    • Ran Security Check
    Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello. Are you still with us?

    Your thread has been marked as "Inactive" because of your lack of reply. Please let us know how your computer is running, or if you want to continue in this topic.

    Thanks.

