
Is my laptop hacked or infected with a root kit!? [Solved]



#1
SpyCatsher
Member, 141 posts
Hello everyone,

Summary: Sorry for the long story below; too many details can make a post unpopular, but at the same time I didn’t want to omit some details, leaving the final judgment to more experienced people on this great forum. I’ll of course edit my post if it is required. It’s a report of about 3 long weeks of troubleshooting, and my question is whether you could very kindly help me sort out if I have a hacker or a rootkit on my laptop, or not. I’ve some reasons to suspect that, as I tried to explain in the story below. I must also say that all security programs that I use are freeware and the laptop functions well.


...............................................................................................................


On 5 December 2011 I did a routine scan with SuperAntispyware (Free Edition) which flagged sfloppy.sys as a rootkit that must be deleted immediately, with a reboot. But after a couple of hours about 20 programs, mostly security or Microsoft, began to disappear according to the continuous messages from Secunia; then it didn’t take too long before the desktop froze and I couldn’t open any program with the mouse pointer, which was not locked. I navigated successfully to Safe Mode, where all options worked, but couldn’t recover the system. It did not take long for a BSOD (0x000 00023a) Fatal_System_Error when I tried to boot into Normal Mode.
According to http://answers.micro...47-2b4e118e1ffd
“This error occurs when a user-mode subsystem, such as WinLogon or the Client Server Run-Time Subsystem (CSRSS), has been fatally compromised and security can no longer be guaranteed. In response, the operating system switches to kernel mode…Mismatched system files can also cause this error. This can occur if you have restored your hard disk from a backup. Some backup programs might skip restoring system files that they determine are in use.”

I spent days on the web, where I learned among other things that sfloppy.sys was a false positive. After lots of troubleshooting I installed Service Pack 3, thinking it would get the messed-up software in order. It did work in Normal Mode, but my laptop was very slow, with lots of noise from the processor, which ran at almost 100% all the time. The Task Manager had 12 more processes and the memory was almost always full. I also checked on the 20 disappeared programs, but they were there. I was puzzled. I couldn’t do much. Avast was disabled all the time and was difficult to remove as well.

I managed to install AVG, which after a couple of days was not able to update. SuperAntiSpyWare found two items and removed them successfully (Psisetup_EXE.EXE, Cnet2_REVOSETUP_EXE.EXE). I saved the last log from AVG and I was worried why so many files or folders couldn’t be opened for scanning and checking. I understand that some Windows essentials are by default out of reach. But with the thought of a rootkit I became unsure. I’ve attached this log at the end of this story; sorry that it’s becoming too long. I realize now that all other logs are deleted because of the checked utilities entry in CCleaner and all other programs under it. I’ve unchecked them.
It is still a riddle for me whether I got the BSOD because of the faulty deletion of sfloppy.sys, because of the failed recovery tries that I did, or, much more worryingly, because of a stealthy intruder. I must admit that a day earlier, 4 December, I couldn’t log in with my very long password. After about 6 or 7 tries I gave up and made a new one by logging on in Safe Mode as administrator. Now I ask myself sometimes: if I was hacked then, my administrator password, which I didn’t have until then, would also have been blocked, but it wasn’t. I also downloaded a codec for Media Player a couple of days earlier, but much later I checked the CLSD and it was genuine. So anyway, after about a week I gave up… I was so tired.

I keep a logbook for my laptop, so on 26 December (about 11 days later) I thought I’d give it another try; to my great amazement, immediately after powering on the laptop I was welcomed by another sort of BSOD:
Unmountable_Boot_Volume (0x000000ED). The desktop was full of information about wrong hardware and software configuration/installation. I had to think about the cause being the new installation of SP3 and the possibility of a rootkit; so, not being able to search the web this time, I resorted to my computer books and my common sense at that moment. My only tool was the original OS CD, so I thought I had nothing to lose. I ran Fixboot in the Recovery Console, which wrote a new start-up sector after giving the message that the old one was damaged, and I refrained from running Fixmbr after what I thought was a very serious warning. Then I ran Chkdsk /p /r and exit, and to my great amazement and relief it booted into Normal Mode.

It is now about a month since then and my laptop is doing very well, but I’ve been working on it the whole time, and by doing so I come across something, for example in the registry, services or a security program, and then I check it on the web. But I noticed a few things that I have questions about, which are not much discussed with a convincing answer, like the following examples:

WinPatrol lists the following in Services, Recent and History, respectively:

HNM:
A service with these two sub-keys, Enum and Security. It has something to do with LEGACY and Local Machine. It’s not from Microsoft and there is no mention of a company name, etc. Being suspicious of a rootkit I have disabled it; the HNM.exe can’t be found in the Temp directory.
Path: HKLM\System\CurrentControlSet\Services\HNM
C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\HNM.exe

crypt32chain:

It’s confusing what to make of it:

According to http://www.processli...t32chain/23461/

crypt32chain.dll is a module belonging to the Crpytnet trojan and should be removed immediately. Non-system processes like crypt32chain.dll originate from software you installed on your system.

But http://forums.spybot...read.php?t=2600

Finds the program and the whole group that goes with it fine. Considering this is dated 2006, things have probably changed since then and Process Library is correct. I couldn’t find other trustworthy sources to confirm either of the above, so I left it as it is for the time being until my laptop has been scanned; hopefully you find the time to help me with it.

JGK: I couldn’t find any reference on the web.

slrundell.exe
According to Prevx.com it is a malicious program, but other websites say it’s OK.

Critical Windows Update
About a week ago I got 6 updates, similar to this, to protect against “vulnerability in MPEG-4 Codec Could Allow Remote Code Execution (975558)”… “An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.” Having downloaded the codec earlier in December, as I stated earlier, I became very suspicious, because the problem with my laptop began days after that.

 WinPatrol
I sometimes get a message from Scotty asking if I should allow a certain program to run, but I don’t dare, even if I check on the web or the Microsoft logo is on the message. Maybe I got paranoid, but if there is a rootkit and a hijacker/attacker behind it, I gather they can make all sorts of programs that might look genuine. This is the only example I’ve saved:
Command.com /c del C:\Windows\SchedLgU.Txt
Cmd.exe /c del C:\Windows\SchedLgU.Txt

sfloppy.sys: 10 files in different subfolders of Windows. I scanned them in place; they were OK. Some are copies. Could it be a rootkit, taking into consideration that the scan couldn’t detect the behaviour and the alarming orange colour from Security Essentials, which shows only when malicious activity is taking place in the background? However, it has found nothing yet (for about 10 days MS Security has been green).

 Autorun: Registry Entries with missing files:

Changer.sys: not found
lbrtfdc.sys: idem
iZomgmt.sys: no result
ir32_32.dll: idem

mscoree.dll: missing

The HTTPS add-on for Firefox was uninstalled, then after 3 or 4 days became installed again. I get the messages from Secunia.

Microsoft Security Essentials turned orange all the time, even after updating and scanning (for about 10 days MS Security has been green).

 Other items at random:
- Window Maximizer 2011 was detected and removed on 5 December
- MSConfig appeared once on 7 December, possibly more times, in the Task Manager. On the web I could not find a reference. I use msconfig, but what I’ve learned is that process names are case sensitive.
- I removed all System Restore Points and files (*.reg) to dispose of any malware.
- I disabled sensitive services to block any malicious software activity.
- I changed the setting of DEP (Data Execution Prevention) to include all programs and services.
- 2 trojan.dropper.BCM:fsquirt.exe detected by Malwarebytes (false positive)
- I also scanned with VirusTotal and Jotti; nothing was found.
- I’ve read Hijack This 2.0 a couple of times and I’ve been checking registry entries and the Windows folder, but I’ve seen no irregularity yet.
- There are cookies in my profile that clone themselves and make a light sound like (uukchick) when I remove them, even when the mouse pointer goes over their *.txt files. The same sound can also be heard sometimes when the laptop is on, for example:
UserData…overture.com/
ETJLC96O.txt eyeblaster…bs.serving-sys.com/
3853ZR00.txt…m.webtrends.com

Scans are regularly mostly clean, except the one below, which is very worrisome:
Malwarebytes: found PUM.Hijjack.Homepage.Controle 5 days ago, but it was difficult to remove (even on reboot); not sure if it comes back. This was detected after I enabled the P2P function in the program key in the registry, which was disabled. The thing is, I’ve never done P2P activity, so who else then? Also I’m the only person who uses the laptop, to my knowledge that is.
SuperAntiSpyWare: Clean scan, except cookies
Ad-Aware: Clean scan.
Microsoft Security Essentials: Clean scan.
Spybot Search & Destroy/ Advanced Mode/ Time critical: No immediate threats.

Very recently ONLY Spybot Search & Destroy in safe mode has detected and removed 3 entries from the registry: AdwareC: W3iIQ5.fraud.


AVG Log 8 December 2011
Note: some words are in Dutch. I have translated them into English after each line:
AVG 2012 Anti-Virus opdrachtregelscanner
Copyright © 1992 - 2011 AVG Technologies
Programmaversie 2012.0.1873, engine 2012.0.2102
Virusdatabase: versie 2102/4667 2011-12-08

C:\Documents and Settings\Administrator.CREATIEF\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\Documents and Settings\Administrator.CREATIEF\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\Documents and Settings\Administrator.CREATIEF\Local Settings\Temp\mmc3C3DA6D8.xml Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\Documents and Settings\Administrator.CREATIEF\NTUSER.DAT Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\Documents and Settings\Administrator.CREATIEF\NTUSER.DAT.LOG Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\Documents and Settings\Eigenaar\ Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\Documents and Settings\NetworkService\ntuser.dat Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\pagefile.sys Vergrendeld bestand. Niet gecontroleerd.
C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.ilg Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\RECYCLER\S-1-5-21-1085031214-436374069-1060284298-1003\Dc1.doc Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\RECYCLER\S-1-5-21-1085031214-436374069-1060284298-1003\Dc2\ Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\System Volume Information\ Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\WINDOWS\system32\config\default Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\WINDOWS\system32\config\default.LOG Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\WINDOWS\system32\config\SAM Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\WINDOWS\system32\config\SAM.LOG Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\WINDOWS\system32\config\SECURITY Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\WINDOWS\system32\config\SECURITY.LOG Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\WINDOWS\system32\config\software Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\WINDOWS\system32\config\software.LOG Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\WINDOWS\system32\config\system Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.
C:\WINDOWS\system32\config\system.LOG Vergrendeld bestand. Niet gecontroleerd. Locked File not controlled.

------------------------------------------------------------
Test gestart: 8.12.2011 18:47:59
Duur van de test: 1 uur (uren) 46 min. 38 seconde (n)
------------------------------------------------------------
Gescande objecten Scanned objects: 648350
Gevonden infecties found infections: 0
Gevonden PUP’s Found PUP’s: 0
Herstelde infecties: 0
Herstelde PUP's: 0
Waarschuwingen Warnings: 0
------------------------------------------------------------
If you have managed to read through all the pages, I would like to thank you for your time; and if you see signs of a possible foul play, I would like to ask very kindly for your help.

Edited by SpyCatsher, 31 January 2012 - 03:59 PM.




#2
Render
Trusted Helper, Malware Removal, 4,195 posts
Hi and welcome to GeeksToGo! Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out :)

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note:
  • Remember to post your logs, not attach them. So, any logs from any programs we run, should be just 'copied & pasted' into your reply.
  • Please only run the tools that I request. I know malware can be frustrating but running other tools in the meantime and between posts, only makes it harder for us to analyse and fix your PC in the long run.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • Please tell me if you have your original Windows CD/DVD available.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

If you have since resolved the original problem you were having, I would appreciate you letting me know. If not please perform the following steps below so I can have a look at the current condition of your machine.

Step 1

  • Please download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it.

  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start scan.

  • On completion of the scan click Save log, save it to your desktop and post in your next reply.
  • Also, on the Desktop there should be a file called MBR.dat after that; zip it and then attach it here.

How to add an attachment to a new topic or reply

Step 2

OTL Custom Scan

  • Download OTL to your desktop.
  • Double click on the OTL icon to run it.
  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top, make sure Standard output is selected.
  • Select Scan all users
  • Under the Extra Registry section, check Use SafeList
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scans/Fixes box copy and paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    userinit.exe
    svchost.exe
    consrv.dll
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT
  • Click the scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.

When completed the above, please post back the following in the order asked for:
  • aswMBR log and attached zipped MBR.dat file
  • OTL scan log
  • Extras log

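A way to read the MBR.dat that aswMBR saves, as an added example that is not part of this thread and not code from aswMBR: it splits the 512-byte sector into boot code, the four 16-byte partition entries and the 55 AA signature, lists the entries in the style of aswMBR's "Disk 0 Partition" lines, pulls out the loader's message strings, and hashes the boot code so it can be compared with a copy taken from a known-clean machine. The sample MBR is constructed here, with its partition table modelled on the aswMBR output posted later in the thread; the known-good hash table is a placeholder to be filled from a clean machine.

```python
"""Parse and sanity-check a 512-byte MBR image, e.g. the MBR.dat aswMBR saves."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # loader code plus its error-message strings
TABLE_OFFSET = BOOT_CODE_LEN   # four 16-byte partition entries follow the code
SIGNATURE = b"\x55\xaa"        # the last two bytes of every valid MBR

PARTITION_TYPES = {0x05: "Extended", 0x07: "HPFS/NTFS", 0x0F: "Extended LBA"}

# Placeholder, not a real hash: fill this with the SHA-256 of the boot code
# read from a known-clean machine running the same Windows version.
KNOWN_GOOD_BOOT_CODE = {
    "<sha256 of known-good XP MBR boot code>": "Windows XP default MBR code",
}


def looks_like_mbr(data: bytes) -> bool:
    """Cheap triage: right length and the 55 AA signature in place."""
    return len(data) == SECTOR_SIZE and data[510:512] == SIGNATURE


def printable_strings(blob: bytes, min_len: int = 8) -> list[str]:
    """Return runs of printable ASCII; in boot code these are loader messages."""
    found, run = [], bytearray()
    for byte in blob + b"\x00":         # trailing NUL flushes the last run
        if 32 <= byte < 127:
            run.append(byte)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


def parse_mbr(data: bytes) -> dict:
    """Split an MBR into boot code, partition entries and a boot-code hash."""
    if not looks_like_mbr(data):
        raise ValueError("not a 512-byte sector ending in 55 AA")
    boot_code = data[:BOOT_CODE_LEN]
    partitions = []
    for slot in range(4):
        entry = data[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * (slot + 1)]
        # status, CHS start, type, CHS end, LBA start, sector count (all LE)
        status, _chs_start, ptype, _chs_end, lba, sectors = struct.unpack(
            "<B3sB3sII", entry)
        if ptype == 0:
            continue                    # unused slot
        partitions.append({
            "slot": slot + 1,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
            "lba_start": lba,
            "size_mb": sectors * SECTOR_SIZE // (1024 * 1024),
        })
    digest = hashlib.sha256(boot_code).hexdigest()
    return {
        "boot_code_sha256": digest,
        "boot_code_known_as": KNOWN_GOOD_BOOT_CODE.get(digest),
        "messages": printable_strings(boot_code),
        "partitions": partitions,
    }


def describe(parsed: dict) -> list[str]:
    """Render entries like aswMBR's 'Disk 0 Partition ...' lines: primaries are
    numbered, extended containers are shown as '-', the active one gets '(A)'."""
    lines, number = [], 0
    for p in parsed["partitions"]:
        if p["type"] in (0x05, 0x0F):
            label = "-"
        else:
            number += 1
            label = str(number)
        flag = "80 (A)" if p["active"] else "00"
        lines.append(f"Partition {label} {flag} {p['type']:02X} {p['type_name']} "
                     f"{p['size_mb']} MB offset {p['lba_start']}")
    return lines


def build_sample_mbr() -> bytes:
    """Constructed sample: filler boot code carrying the Dutch loader messages
    seen in the thread, and a table modelled on the posted aswMBR output."""
    messages = (b"Ongeldige partitietabel\x00"
                b"Fout tijdens laden van besturingssysteem\x00"
                b"Het besturingssysteem ontbreekt\x00")
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 300 + messages
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")

    def entry(status, ptype, lba, sectors):
        return struct.pack("<B3sB3sII", status, b"\xff" * 3, ptype, b"\xff" * 3,
                           lba, sectors)

    table = (entry(0x00, 0x07, 63, 16002)
             + entry(0x00, 0x07, 16065, 12273660)
             + entry(0x00, 0x0F, 12289725, 31996 * 2048)
             + entry(0x80, 0x07, 77818860, 19226 * 2048))
    return boot_code + table + SIGNATURE


if __name__ == "__main__":
    result = parse_mbr(build_sample_mbr())
    print("boot code sha256:", result["boot_code_sha256"])
    print("known-good match:", result["boot_code_known_as"] or "none")
    print(*result["messages"], *describe(result), sep="\n")
```

Run against a real MBR.dat by replacing `build_sample_mbr()` with `open("MBR.dat", "rb").read()`; a boot-code hash that matches neither the clean reference nor the vendor's stock code is the signal worth investigating.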

#3
SpyCatsher
Topic Starter, Member, 141 posts
Hi Render, and many thanks for your help already, and to this great forum. I truly consider myself a lucky person at this moment that my post is being looked at, and hope very much that this will lead to solving/removing the suspected elements. I've already sent you a PM. I've read and will be following the instructions carefully through to the end. And with any luck I will run the fixes and post the results today. Also I still have the original Windows CD, and the Drivers and Utilities CD eventually if needed.

#4
Render
Trusted Helper, Malware Removal, 4,195 posts
OK :)

#5
SpyCatsher
Topic Starter, Member, 141 posts
Hello again Render,

I am back with the 4 logs you requested; however, the MBR.dat came out as a sort of gibberish language:

aswMBR.txt

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-06 19:02:20
-----------------------------
19:02:20.614 OS Version: Windows 5.1.2600 Service Pack 3
19:02:20.614 Number of processors: 1 586 0x209
19:02:20.614 ComputerName: CREATIEF UserName: Eigenaar
19:02:23.348 Initialize success
19:03:53.538 AVAST engine defs: 12020600
19:05:14.054 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
19:05:14.094 Disk 0 Vendor: IC25N060ATMR04-0 MO3OAD0A Size: 57231MB BusType: 3
19:05:14.094 Disk 0 MBR read successfully
19:05:14.094 Disk 0 MBR scan
19:05:14.575 Disk 0 Windows XP default MBR code
19:05:14.605 Disk 0 Partition 1 00 07 HPFS/NTFS 7 MB offset 63
19:05:14.705 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 5992 MB offset 16065
19:05:14.715 Disk 0 Partition - 00 0F Extended LBA 31996 MB offset 12289725
19:05:14.735 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 19226 MB offset 77818860
19:05:14.845 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 11993 MB offset 12289788
19:05:14.855 Disk 0 Partition - 00 05 Extended 1004 MB offset 36853110
19:05:14.875 Disk 0 Partition 5 00 07 HPFS/NTFS NTFS 1004 MB offset 36853173
19:05:14.885 Disk 0 Partition - 00 05 Extended 996 MB offset 63472815
19:05:15.256 Disk 0 Partition 6 00 07 HPFS/NTFS NTFS 996 MB offset 38909493
19:05:15.256 Disk 0 Partition - 00 05 Extended 18002 MB offset 67569390
19:05:15.286 Disk 0 Partition 7 00 07 HPFS/NTFS NTFS 18002 MB offset 40949748
19:05:15.296 Disk 0 scanning sectors +117194175
19:05:15.456 Disk 0 scanning C:\WINDOWS\system32\drivers
19:05:46.701 Service scanning
19:05:47.412 Service MpKsldc0dcd7b C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C4AE8D28-FEAB-4555-A7CE-AA5A9EB2B296}\MpKsldc0dcd7b.sys **LOCKED** 32
19:05:48.023 Modules scanning
19:05:55.413 Disk 0 trace - called modules:
19:05:55.443 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
19:05:55.453 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83b8cab8]
19:05:55.453 3 CLASSPNP.SYS[f77a3fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x83bdab00]
19:05:57.386 AVAST engine scan C:\WINDOWS
19:06:03.385 AVAST engine scan C:\WINDOWS\system32
19:09:49.220 AVAST engine scan C:\WINDOWS\system32\drivers
19:10:21.206 AVAST engine scan C:\Documents and Settings\Eigenaar
19:12:22.820 AVAST engine scan C:\Documents and Settings\All Users
19:13:08.396 Scan finished successfully
19:14:49.161 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Eigenaar\Bureaublad\MBR.dat"
19:14:49.211 The log file has been saved successfully to "C:\Documents and Settings\Eigenaar\Bureaublad\aswMBR.txt"

-----------------------------------------------------------------------------------------------------------------

MBR.dat



------------

Sorry for the messed-up print! I could open the file only by using MFC-form. Please, if it was meant to be otherwise, let me know and then I'll try to open and post it. At the end of the gibberish there are some words in Dutch which say: Incorrect partition table, Fault during booting of Operating System, The Operating System is missing.


-----------------------------------------------------------------------------------------------------------------


OTL.Txt


OTL logfile created on: 6-2-2012 19:40:35 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Eigenaar\Bureaublad
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000413 | Country: Nederland | Language: NLD | Date Format: d-M-yyyy

766,33 Mb Total Physical Memory | 554,33 Mb Available Physical Memory | 72,34% Memory free
1,83 Gb Paging File | 1,60 Gb Available in Paging File | 87,24% Paging File free
Paging file location(s): C:\pagefile.sys 1149 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18,78 Gb Total Space | 11,00 Gb Free Space | 58,56% Space Free | Partition Type: NTFS
Drive D: | 11,71 Gb Total Space | 11,63 Gb Free Space | 99,27% Space Free | Partition Type: NTFS
Drive E: | 1004,03 Mb Total Space | 634,95 Mb Free Space | 63,24% Space Free | Partition Type: NTFS
Drive F: | 996,18 Mb Total Space | 980,83 Mb Free Space | 98,46% Space Free | Partition Type: NTFS
Drive G: | 17,58 Gb Total Space | 17,52 Gb Free Space | 99,64% Space Free | Partition Type: NTFS
Drive I: | 5,85 Gb Total Space | 5,81 Gb Free Space | 99,34% Space Free | Partition Type: NTFS

Computer Name: CREATIEF | User Name: Eigenaar | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012-02-06 19:27:47 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eigenaar\Bureaublad\OTL.exe
PRC - [2011-06-21 17:57:40 | 000,196,912 | ---- | M] (Nitro PDF Software) -- C:\Program Files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe
PRC - [2011-06-15 15:16:48 | 000,997,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2011-05-15 20:53:20 | 000,325,512 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
PRC - [2011-04-27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2011-04-19 07:44:40 | 000,993,848 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psia.exe
PRC - [2011-04-19 07:44:40 | 000,291,896 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi_tray.exe
PRC - [2011-04-14 20:46:44 | 000,082,280 | ---- | M] () -- C:\Program Files\TweakNow PowerPack 2011\Module32\RAM2_XP.exe
PRC - [2008-04-14 21:33:00 | 001,037,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003-06-02 19:50:58 | 000,053,248 | ---- | M] (Dell Computer Corporation) -- C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
PRC - [2003-06-02 19:22:54 | 000,270,336 | ---- | M] (Dell Computer Corporation) -- C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe


========== Modules (No Company Name) ==========

MOD - [2011-04-15 02:01:33 | 000,548,854 | ---- | M] () -- C:\Program Files\BillP Studios\WinPatrol\sqlite3.dll
MOD - [2011-04-14 20:46:44 | 000,082,280 | ---- | M] () -- C:\Program Files\TweakNow PowerPack 2011\Module32\RAM2_XP.exe
MOD - [2003-06-02 20:05:38 | 000,048,128 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBKUI5C.DLL
MOD - [2003-06-02 20:05:24 | 000,087,040 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBKDR5C.DLL
MOD - [2003-04-30 20:43:32 | 000,078,336 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\DLBKPP5C.DLL
MOD - [2003-03-11 20:41:06 | 000,198,144 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\DLBKFC5C.DLL
MOD - [2003-02-11 19:56:20 | 000,049,152 | ---- | M] () -- C:\Program Files\Dell AIO Printer A920\ConvDIB.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (MySQLS1)
SRV - File not found [Disabled | Stopped] -- -- (HNM)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - File not found [Disabled | Stopped] -- -- (ApacheS1)
SRV - [2011-12-08 01:40:13 | 000,246,624 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe -- (vToolbarUpdater)
SRV - [2011-12-08 00:54:28 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011-11-03 12:06:56 | 002,152,152 | ---- | M] (Lavasoft Limited) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2011-06-21 17:57:40 | 000,196,912 | ---- | M] (Nitro PDF Software) [Auto | Running] -- C:\Program Files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe -- (NitroReaderDriverReadSpool2)
SRV - [2011-04-27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2011-04-19 07:44:40 | 000,993,848 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\PSIA.exe -- (Secunia PSI Agent)
SRV - [2011-04-19 07:44:40 | 000,399,416 | ---- | M] (Secunia) [Auto | Stopped] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)


========== Driver Services (SafeList) ==========

DRV - [2012-02-06 17:51:26 | 000,029,904 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C4AE8D28-FEAB-4555-A7CE-AA5A9EB2B296}\MpKsldc0dcd7b.sys -- (MpKsldc0dcd7b)
DRV - [2011-08-17 12:56:32 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2011-08-17 12:56:30 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2011-08-17 12:56:26 | 000,023,168 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2011-08-17 12:56:22 | 000,018,176 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2011-07-22 17:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2011-07-12 22:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010-09-01 09:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
DRV - [2003-11-07 18:23:58 | 000,248,752 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\stac97.sys -- (STAC97) Audio Driver (WDM)
DRV - [2003-09-26 08:41:12 | 000,044,032 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2003-08-29 04:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMSM.sys -- (BCMModem)
DRV - [2002-10-09 08:20:52 | 000,017,153 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1085031214-436374069-1060284298-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page =
IE - HKU\S-1-5-21-1085031214-436374069-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "WOT Safe Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..network.proxy.no_proxies_on: ""
FF - prefs.js..network.proxy.socks_version: 4
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\NitroPDF: C:\Program Files\Nitro PDF\Reader 2\npnitromozilla.dll ( )

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}:
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012-02-04 12:27:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011-11-01 16:12:33 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: K:\Mozilla\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: K:\Mozilla\plugins

[2011-09-10 18:04:00 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Extensions
[2012-02-06 18:04:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\6szjk2rx.default\extensions
[2011-12-28 20:21:35 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\6szjk2rx.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2011-12-08 01:40:34 | 000,000,000 | ---D | M] (AVG Security Toolbar) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\6szjk2rx.default\extensions\avg@toolbar
[2012-01-10 23:48:32 | 000,000,000 | ---D | M] (HTTPS-Everywhere) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\6szjk2rx.default\extensions\[email protected]
[2012-01-10 11:31:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\kkayrnn2.default\extensions
[2012-02-04 12:21:03 | 000,002,306 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\6szjk2rx.default\searchplugins\wot-safe-search.xml
[2012-02-04 12:27:05 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\DOCUMENTS AND SETTINGS\EIGENAAR\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\6SZJK2RX.DEFAULT\EXTENSIONS\{73A6FE31-595D-460B-A920-FCC0F8843232}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\EIGENAAR\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\6SZJK2RX.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\EIGENAAR\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\6SZJK2RX.DEFAULT\EXTENSIONS\{D40F5E7B-D2CF-4856-B441-CC613EEFFBE3}.XPI
[2012-01-29 16:55:53 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010-12-31 00:39:47 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012-01-29 14:36:35 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012-01-29 14:36:35 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012-01-05 22:03:15 | 000,439,962 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 15128 more lines...
O4 - HKLM..\Run: [Dell AIO Printer A920] C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe (Dell Computer Corporation)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [RAM Idle Professional] C:\Program Files\TweakNow PowerPack 2011\Module32\RAM2_XP.exe ()
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - HKU\S-1-5-21-1085031214-436374069-1060284298-1003..\Run: [ccleaner] C:\Program Files\CCleaner\ccleaner.exe (Piriform Ltd)
O4 - Startup: C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1085031214-436374069-1060284298-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1085031214-436374069-1060284298-1003\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{35751F28-AEA5-4E74-B19B-CA68D7DF5B51}: DhcpNameServer = 192.168.2.254
O18 - Protocol\Handler\viprotocol {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011-09-09 11:50:21 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010-11-11 10:32:48 | 000,000,000 | RHSD | M] - E:\Autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010-11-11 10:32:48 | 000,000,000 | RHSD | M] - F:\Autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Error creating restore point.

========== Files/Folders - Created Within 30 Days ==========

[2012-02-06 19:27:40 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eigenaar\Bureaublad\OTL.exe
[2012-02-06 19:01:14 | 004,733,440 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Eigenaar\Bureaublad\aswMBR.exe
[2012-02-06 17:57:58 | 000,298,496 | ---- | C] (InstallShield Corporation, Inc.) -- C:\WINDOWS\unin0413.exe
[2012-02-06 17:57:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eigenaar\WINDOWS
[2012-02-06 17:51:21 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Eigenaar\Onlangs geopend
[2012-01-20 13:45:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2012-01-11 09:52:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eigenaar\Menu Start\Programma's\Speccy
[2012-01-11 09:52:23 | 000,000,000 | ---D | C] -- C:\Program Files\Speccy
[2012-01-11 09:25:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eigenaar\Mijn documenten\WEBBEELDEN120111
[2011-12-02 12:15:40 | 000,637,240 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Program Files\autoruns.exe
[2011-12-02 12:15:40 | 000,557,368 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Program Files\autorunsc.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012-02-06 19:27:47 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eigenaar\Bureaublad\OTL.exe
[2012-02-06 19:14:49 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\MBR.dat
[2012-02-06 19:14:00 | 000,001,046 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012-02-06 19:02:03 | 004,733,440 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Eigenaar\Bureaublad\aswMBR.exe
[2012-02-06 18:54:06 | 000,000,449 | ---- | M] () -- C:\WINDOWS\dellstat.ini
[2012-02-06 18:34:22 | 000,000,486 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2012-02-06 18:33:53 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\rp_stats.dat
[2012-02-06 18:33:53 | 000,000,044 | ---- | M] () -- C:\WINDOWS\System32\rp_rules.dat
[2012-02-06 17:55:51 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012-02-06 17:51:10 | 000,001,042 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012-02-06 17:50:42 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012-02-06 14:52:21 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012-02-04 12:27:14 | 000,000,752 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012-02-04 12:27:13 | 000,000,734 | ---- | M] () -- C:\Documents and Settings\All Users\Bureaublad\Mozilla Firefox.lnk
[2012-01-31 13:44:05 | 000,237,072 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2012-01-26 22:38:22 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\All Users\Bureaublad\CCleaner.lnk
[2012-01-20 16:10:14 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012-01-20 13:52:19 | 000,001,743 | ---- | M] () -- C:\Documents and Settings\All Users\Bureaublad\Dell printersupplies - inkjet.lnk
[2012-01-11 23:20:21 | 000,003,012 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Mijn documenten\cc_20120111_232010.reg
[2012-01-11 11:18:00 | 000,001,046 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar SpyCatcher0.jpeg.lnk
[2012-01-11 09:52:31 | 000,000,664 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Speccy.lnk
[2012-01-10 17:07:35 | 000,001,010 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Mijn documenten\Avg.reg
[2012-01-09 16:31:17 | 000,000,172 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2012-01-09 14:52:46 | 000,001,873 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Spybot - Search & Destroy.lnk
[2012-01-08 21:36:05 | 000,000,162 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Mijn documenten\bestanden met de naam fsquirt.exe.fnd
[2012-01-08 19:24:47 | 000,000,165 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Mijn documenten\bestanden met de naam rundll32.exe (2).fnd
[2012-01-08 18:35:07 | 000,000,159 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Mijn documenten\bestanden met de naam rundll.exe.fnd
[2012-01-08 15:23:46 | 000,000,162 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Mijn documenten\bestanden met de naam sfloppy.sys.fnd
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012-02-06 19:14:49 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\MBR.dat
[2012-01-11 23:20:19 | 000,003,012 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Mijn documenten\cc_20120111_232010.reg
[2012-01-11 11:18:00 | 000,001,046 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar SpyCatcher0.jpeg.lnk
[2012-01-11 09:52:31 | 000,000,664 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Speccy.lnk
[2012-01-10 17:07:35 | 000,001,010 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Mijn documenten\Avg.reg
[2012-01-09 14:52:46 | 000,001,873 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Spybot - Search & Destroy.lnk
[2012-01-08 21:36:05 | 000,000,162 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Mijn documenten\bestanden met de naam fsquirt.exe.fnd
[2012-01-08 19:24:47 | 000,000,165 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Mijn documenten\bestanden met de naam rundll32.exe (2).fnd
[2012-01-08 18:35:07 | 000,000,159 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Mijn documenten\bestanden met de naam rundll.exe.fnd
[2012-01-08 15:23:46 | 000,000,162 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Mijn documenten\bestanden met de naam sfloppy.sys.fnd
[2012-01-05 01:11:43 | 000,000,172 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2012-01-04 18:06:07 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2012-01-04 18:06:07 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2011-12-23 18:35:22 | 000,364,882 | ---- | C] () -- C:\WINDOWS\System32\prfh0413.dat
[2011-12-23 18:35:22 | 000,053,850 | ---- | C] () -- C:\WINDOWS\System32\prfc0413.dat
[2011-12-15 20:09:54 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011-11-09 12:28:08 | 000,000,049 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2011-11-05 12:52:32 | 000,049,648 | ---- | C] () -- C:\Program Files\autoruns.chm
[2011-09-18 21:45:53 | 000,000,449 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2011-09-09 15:05:50 | 058,948,168 | ---- | C] () -- C:\Program Files\setup_av_free.exe
[2011-09-09 13:41:33 | 000,004,207 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011-09-09 13:34:44 | 000,000,395 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011-09-09 11:57:24 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011-09-09 11:47:33 | 000,021,748 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006-12-31 06:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003-07-23 22:33:15 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2003-07-23 22:33:13 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2003-07-23 22:19:22 | 000,318,670 | ---- | C] () -- C:\WINDOWS\System32\perfi013.dat
[2003-07-23 22:19:21 | 000,364,882 | ---- | C] () -- C:\WINDOWS\System32\perfh013.dat
[2003-07-23 22:19:21 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2003-07-23 22:19:20 | 000,311,938 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003-07-23 22:19:19 | 000,039,178 | ---- | C] () -- C:\WINDOWS\System32\perfd013.dat
[2003-07-23 22:19:18 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2003-07-23 22:19:17 | 000,053,850 | ---- | C] () -- C:\WINDOWS\System32\perfc013.dat
[2003-07-23 22:19:16 | 000,040,326 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003-07-23 22:17:37 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003-07-23 22:12:12 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2003-07-23 22:11:59 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2003-07-23 22:04:45 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2003-07-23 22:03:04 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003-01-07 22:15:26 | 000,000,255 | ---- | C] () -- C:\WINDOWS\System32\dlbkcoin.ini
[2002-11-13 20:40:22 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\dlbkvs.dll

========== LOP Check ==========

[2011-12-14 22:46:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.CREATIEF\Application Data\TweakNow PowerPack 2011
[2011-12-07 06:50:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.CREATIEF\Application Data\WinPatrol
[2011-09-11 16:38:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\!SASCORE
[2011-09-18 21:49:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2011-09-10 19:30:23 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011-09-11 19:12:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallMate
[2011-12-26 22:55:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011-09-19 15:25:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nitro PDF
[2012-01-05 16:29:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NokiaInstallerCache
[2012-01-14 16:40:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011-12-09 04:04:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\Agics
[2011-09-11 22:34:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\Auslogics
[2011-12-31 16:46:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\Downloaded Installations
[2011-09-28 19:36:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\Nitro PDF
[2011-12-28 21:55:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\Thunderbird
[2011-11-28 20:18:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\TweakNow PowerPack 2011
[2011-12-30 00:51:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\WinPatrol
[2012-02-06 18:34:22 | 000,000,486 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2012-02-06 17:55:51 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2008-04-14 21:33:00 | 001,037,312 | ---- | M] (Microsoft Corporation) MD5=AA04F042A820BF1868E643575887E1A6 -- C:\WINDOWS\explorer.exe
[2008-04-14 22:33:00 | 001,037,312 | ---- | M] (Microsoft Corporation) MD5=AA04F042A820BF1868E643575887E1A6 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe

< MD5 for: SVCHOST.EXE >
[2003-07-23 22:25:32 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=133733E07EF4FDA582BC56F3B281E0BC -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
[2011-12-24 17:50:20 | 000,182,856 | ---- | M] () MD5=B382935AB01B27D0E14F267DBF288896 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2008-04-14 21:33:16 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=E410EC73E2BE2A41D923B006F51C8427 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008-04-14 21:33:16 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=E410EC73E2BE2A41D923B006F51C8427 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2003-07-23 22:27:55 | 000,022,016 | ---- | M] (Microsoft Corporation) MD5=54EB9CE26234AE9116555C587FAED658 -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008-04-14 21:33:18 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6818A533ED3B2FA9936DF3DAF45352DF -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008-04-14 21:33:18 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6818A533ED3B2FA9936DF3DAF45352DF -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008-04-14 21:33:18 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6818A533ED3B2FA9936DF3DAF45352DF -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2008-04-14 21:33:20 | 000,510,464 | ---- | M] (Microsoft Corporation) MD5=1247D4D5444E28519BBE31BE8AB4C029 -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008-04-14 21:33:20 | 000,510,464 | ---- | M] (Microsoft Corporation) MD5=1247D4D5444E28519BBE31BE8AB4C029 -- C:\WINDOWS\system32\winlogon.exe
[2011-12-24 17:50:20 | 000,182,856 | ---- | M] () MD5=B382935AB01B27D0E14F267DBF288896 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2003-07-23 22:30:07 | 000,519,168 | ---- | M] (Microsoft Corporation) MD5=D375231CCA973A06C43E4B6087BFA706 -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012-01-29 16:55:53 | 000,834,800 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012-01-29 16:55:53 | 000,834,800 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012-01-29 16:55:53 | 000,834,800 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012-01-29 16:55:53 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012-01-29 16:55:53 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012-01-29 16:55:53 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011-11-04 12:25:39 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011-11-04 12:25:39 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011-11-04 12:25:39 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009-03-08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009-03-08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\MSN Explorer\shell\open\command\\: "C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE" [2003-07-23 22:14:45 | 000,090,112 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2012-01-29 16:55:53 | 000,834,800 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2012-01-29 16:55:53 | 000,834,800 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2012-01-29 16:55:53 | 000,834,800 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2012-01-29 16:55:53 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2012-01-29 16:55:53 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2012-01-29 16:55:53 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011-11-04 12:25:39 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011-11-04 12:25:39 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011-11-04 12:25:39 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009-03-08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009-03-08 13:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\MSN Explorer\shell\open\command\\: "C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE" [2003-07-23 22:14:45 | 000,090,112 | ---- | M] (Microsoft Corporation)

========== Alternate Data Streams ==========

@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >


-----------------------------------------------------------------------------------------------------------------


Extras.Txt


OTL Extras logfile created on: 6-2-2012 19:40:35 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Eigenaar\Bureaublad
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000413 | Country: Nederland | Language: NLD | Date Format: d-M-yyyy

766,33 Mb Total Physical Memory | 554,33 Mb Available Physical Memory | 72,34% Memory free
1,83 Gb Paging File | 1,60 Gb Available in Paging File | 87,24% Paging File free
Paging file location(s): C:\pagefile.sys 1149 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18,78 Gb Total Space | 11,00 Gb Free Space | 58,56% Space Free | Partition Type: NTFS
Drive D: | 11,71 Gb Total Space | 11,63 Gb Free Space | 99,27% Space Free | Partition Type: NTFS
Drive E: | 1004,03 Mb Total Space | 634,95 Mb Free Space | 63,24% Space Free | Partition Type: NTFS
Drive F: | 996,18 Mb Total Space | 980,83 Mb Free Space | 98,46% Space Free | Partition Type: NTFS
Drive G: | 17,58 Gb Total Space | 17,52 Gb Free Space | 99,64% Space Free | Partition Type: NTFS
Drive I: | 5,85 Gb Total Space | 5,81 Gb Free Space | 99,34% Space Free | Partition Type: NTFS

Computer Name: CREATIEF | User Name: Eigenaar | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-1085031214-436374069-1060284298-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{007811BF-E310-4285-BFC6-55DB29B3EDDE}" = WinPatrol
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{350C9413-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{6D3245B1-8DB8-4A23-9CD2-2C90F40ABAF6}" = MSVC80_x86_v2
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7959721D-8268-4565-9E0E-C41A9F4848A9}" = SigmaTel AC97 audiostuurprogramma's
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{90110413-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Editie 2003
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{932D0FC7-6DF1-4136-A2EC-166E8DEFD6A4}" = Ad-Aware
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{AF111648-99A1-453E-81DD-80DBBF6DAD0D}" = MSVC90_x86
"{AF88496B-4BBA-4922-97E9-2582D3A28358}" = Nokia Connectivity Cable Driver
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E3B64CC5-C011-40C0-92BC-7316CD5E5688}" = Microsoft_VC100_CRT_SP1_x86
"{F45298E5-0083-426F-A668-1A2C5F04B8A0}" = FaxTools
"{F5ED909F-8571-4B03-B200-6087F32CD973}" = Nitro PDF Reader 2
"Agics Hashscan" = Agics Hashscan 1.9.2.0
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"CCleaner" = CCleaner
"Dell AIO Printer A920" = Dell AIO Printer A920
"FileASSASSIN" = FileASSASSIN
"ie8" = Windows Internet Explorer 8
"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.0.1800
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 10.0 (x86 en-US)" = Mozilla Firefox 10.0 (x86 en-US)
"Revo Uninstaller" = Revo Uninstaller 1.93
"Secunia PSI" = Secunia PSI (2.0.0.3003)
"Speccy" = Speccy
"SpywareBlaster_is1" = SpywareBlaster 4.5
"TweakNow PowerPack 2011_is1" = TweakNow PowerPack 2011
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 30-12-2011 20:15:14 | Computer Name = CREATIEF | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This operation returned because the timeout period expired.

Error - 4-1-2012 13:06:26 | Computer Name = CREATIEF | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 5-1-2012 13:27:58 | Computer Name = CREATIEF | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 9-1-2012 13:27:57 | Computer Name = CREATIEF | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 16-1-2012 8:10:43 | Computer Name = CREATIEF | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4
3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 16-1-2012 8:12:26 | Computer Name = CREATIEF | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4
3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 20-1-2012 8:32:59 | Computer Name = CREATIEF | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 20-1-2012 8:45:25 | Computer Name = CREATIEF | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 20-1-2012 9:01:56 | Computer Name = CREATIEF | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 21-1-2012 14:04:32 | Computer Name = CREATIEF | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

[ System Events ]
Error - 14-12-2011 19:10:21 | Computer Name = CREATIEF | Source = NETLOGON | ID = 3095
Description = This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.

Error - 14-12-2011 19:22:42 | Computer Name = CREATIEF | Source = DCOM | ID = 10005
Description = DCOM got error '%1058' attempting to start the service MSIServer with arguments '' in order to run the server: {000C101C-0000-0000-C000-000000000046}

Error - 14-12-2011 19:22:46 | Computer Name = CREATIEF | Source = DCOM | ID = 10005
Description = DCOM got error '%1058' attempting to start the service MSIServer with arguments '' in order to run the server: {000C101C-0000-0000-C000-000000000046}

Error - 14-12-2011 19:22:46 | Computer Name = CREATIEF | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update with error 0x80070641: KB2553084: Security Update for Microsoft Office Publisher 2003.

Error - 14-12-2011 19:22:51 | Computer Name = CREATIEF | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update with error 0x80070641: KB2596954: Security Update for Microsoft Office Excel 2003.

Error - 14-12-2011 19:34:04 | Computer Name = CREATIEF | Source = NETLOGON | ID = 3095
Description = This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.

Error - 14-12-2011 20:40:46 | Computer Name = CREATIEF | Source = NETLOGON | ID = 3095
Description = This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.

Error - 14-12-2011 20:42:11 | Computer Name = CREATIEF | Source = DCOM | ID = 10005
Description = DCOM got error '%1084' attempting to start the service EventSystem with arguments '' in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 14-12-2011 20:56:57 | Computer Name = CREATIEF | Source = DCOM | ID = 10005
Description = DCOM got error '%1084' attempting to start the service EventSystem with arguments '' in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 14-12-2011 20:58:00 | Computer Name = CREATIEF | Source = NETLOGON | ID = 3095
Description = This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.


< End of report >

-----------------------------------------------------------------------------------------------------------------
Much regard for what you do, and I'll be waiting for your answer. If more programs need to be run, I'll of course be glad to do so. Also, if translation of some of the lines to English is needed, please let me know and I'll certainly make a job of it.

Regards


#6 SpyCatsher (Topic Starter, Member, 141 posts)

Hi Render,

After performing the requested scans, I started my laptop the following day and the system booted well, as usual. When I clicked on MS Essentials in the system tray to update, it opened a little slower than usual. I clicked on the Update button, when this message flashed for a couple of seconds: don't make a new update. I don't remember seeing this message earlier. The blue line moved as usual, indicating an update in process, but at the end it didn't complete the update and everything froze; even the downloading movement of the MS Essentials icon in the System Tray. I could move the mouse arrow but I couldn't open any program with it; Desktop, Start and System Tray showed no sign of life. Also it was not possible to open Task Manager with Ctrl+Shift+Esc or Ctrl+Alt+Delete.

I eventually shut the power off by pushing the power button. I waited a minute or so, then booted the system again; to my amazement everything works well now, even the update of MS Essentials. I am still wondering what went on, that the system acted like that for a short while!? I understand of course that I've accepted the risks if anything went wrong, and this is in no way meant as a complaint, as I'm very grateful for your help; however, let's think of the sunny side of the matter.


#7 Render (Trusted Helper, Malware Removal, 4,195 posts)

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

Notes:
  • Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • ComboFix may reset a number of Internet Explorer's settings, including making Internet Explorer the default browser.
  • Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  • CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  • If you are using personal certificates I recommend you to export them before running ComboFix and save them to external media.
Please carefully follow all steps below:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes. ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofix. Use copy/paste.

Also please describe how your computer behaves at the moment.

#8 SpyCatsher (Topic Starter, Member, 141 posts)

Hi Render,

I've a few questions before I run ComboFix:

1. If something goes wrong, do you think I can still recover my BOOKMARKS in Safe Mode with Networking using FIREFOX, my default Internet browser? If not, how should I manage them?

2. Notes 2 & 3 in your post: is the change permanent? Please say no, especially because I don't like IE; I'm not sure if it will be a problem using it now, because I don't use it; it's an old version, IE8. I'm also addicted to Firefox and have many add-ons on it.

About the Autorun issue, is that temporary!?

3. There are certificates that I've never placed or done anything with, if that's what you mean. Location: Firefox > Options > Advanced > Encryption > View Certificates

If I have to export them, please give me further instructions on how.

4. My last question is about the RECOVERY CONSOLE. Did I understand it correctly that I DON'T HAVE TO INSTALL IT MYSELF!?

Thank you

#9 Render (Trusted Helper, Malware Removal, 4,195 posts)

1. Yes you can recover your bookmarks in Safe Mode.

2. Nothing is permanent on this world :). You can always revert all these settings manually.

3. It is recommended to back up your personal certificates. To learn how to export them, please read here.

4. Recovery console will be installed during Combofix run.

#10 SpyCatsher (Topic Starter, Member, 141 posts)

Hi Render,

There are more than 250 certificates. There was no button to export them all at once, so I had to do them one by one. If I understand the instructions correctly, I have to import them into the archive "Windows Certificate Store", also one by one, but this is really impossible; maybe I'm not doing it right. Please can you give more details about these certificates before proceeding further; also, how can Firefox use this archive "Windows Certificate Store" later on, because Firefox is not mentioned among the other programs.

Thank you

#11 Render (Trusted Helper, Malware Removal, 4,195 posts)

I don't believe that you have so many personal certificates. When you are in Certificate Manager click on Your Certificates tab. How many certificates are there?

#12 SpyCatsher (Topic Starter, Member, 141 posts)

Thank goodness, I was on the wrong track. I was looking under the Authorities tab, apologies! The tab "Your Certificates" is empty, so I assume that I have no personal certificates. I'll proceed now with downloading ComboFix, hoping that everything goes well, and post ComboFix.txt in my next reply.

#13 Render (Trusted Helper, Malware Removal, 4,195 posts)

OK :)

#14 SpyCatsher (Topic Starter, Member, 141 posts)

Hi Render,

I must say everything went fine and well, thankfully. Also, so far so good with the laptop, as of now. The ForoSpyware link didn't work well after downloading, so I downloaded from the other link with success, as you can see from the scan result, but I had to rename the program, as you can see at the top of the report. I didn't dare to remove the first download. Probably that's for later on.

Thank you

ComboFix 12-02-07.01 - Eigenaar 07-02-2012 21:50:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.766.338 [GMT 1:00]
Started from: c:\documents and settings\Eigenaar\Bureaublad\ComboFixFix.exe
.
.
(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Eigenaar\WINDOWS
c:\windows\unin0413.exe
.
.
(((((((((((((((((((( Files Created from 2012-01-07 to 2012-02-07 ))))))))))))))))))))))))))))))
.
.
2012-02-07 17:01 . 2012-01-06 04:19 6557240 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8C583C7E-4685-4801-8E0D-71872927ED5C}\mpengine.dll
2012-02-07 09:30 . 2012-02-07 18:07 -------- dc-h--r- c:\documents and settings\Eigenaar\Onlangs geopend
2012-01-20 12:45 . 2012-01-20 12:45 -------- dc----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-01-11 08:52 . 2012-01-11 08:52 -------- dc----w- c:\program files\Speccy
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 12:44 . 2011-12-23 18:32 237072 -c----w- c:\windows\system32\MpSigStub.exe
2012-01-06 04:19 . 2011-12-24 14:41 6557240 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-26 17:28 . 2011-12-26 17:28 101720 -c--a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-10 14:24 . 2012-01-04 18:11 20464 -c--a-w- c:\windows\system32\drivers\mbam.sys
2011-12-07 18:16 . 2011-12-02 11:15 637240 -c--a-w- c:\program files\autoruns.exe
2011-12-07 18:16 . 2011-12-02 11:15 557368 -c--a-w- c:\program files\autorunsc.exe
2011-11-28 18:01 . 2011-12-07 21:46 41184 -c--a-w- c:\windows\avastSS.scr
2011-11-25 21:57 . 2003-07-23 21:30 293888 -c--a-w- c:\windows\system32\winsrv.dll
2011-11-23 14:40 . 2003-07-23 21:29 1859712 -c--a-w- c:\windows\system32\win32k.sys
2011-11-20 06:12 . 2003-07-23 21:18 60928 -c--a-w- c:\windows\system32\packager.exe
2011-11-16 14:22 . 2003-07-23 21:30 354816 -c--a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:22 . 2003-07-23 21:22 152064 -c--a-w- c:\windows\system32\schannel.dll
2011-09-09 14:05 . 2011-09-09 14:05 58948168 -c--a-w- c:\program files\setup_av_free.exe
2012-01-29 15:55 . 2011-09-10 15:17 134104 -c--a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2012-01-24 2716992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-10-27 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-10-27 118784]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 270336]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"RAM Idle Professional"="c:\program files\TweakNow PowerPack 2011\Module32\RAM2_XP.exe" [2011-04-14 82280]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 -c--a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22-7-2011 17:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12-7-2011 22:55 67664]
R2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe [21-6-2011 17:57 196912]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [19-4-2011 7:44 993848]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [1-9-2010 9:30 15544]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [19-4-2011 7:44 399416]
S3 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [19-7-2011 1:02 116608]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3-11-2011 12:06 2152152]
S4 ApacheS1;ApacheS1;"c:\uniserver\usr\local\apache2\bin\Apache.exe" -k runservice --> c:\uniserver\usr\local\apache2\bin\Apache.exe [?]
S4 HNM;HNM;c:\docume~1\Eigenaar\LOCALS~1\Temp\HNM.exe --> c:\docume~1\Eigenaar\LOCALS~1\Temp\HNM.exe [?]
S4 MySQLS1;MySQLS1;c:\uniserver\usr\local\mysql\bin\mysqld-opt.exe --defaults-file=C:/UniServer/usr/local/mysql/my.ini MySQLS1 --> c:\uniserver\usr\local\mysql\bin\mysqld-opt.exe --defaults-file=C:/UniServer/usr/local/mysql/my.ini MySQLS1 [?]
S4 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [8-12-2011 1:40 246624]
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-11-03 11:06]
.
2012-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 15:57]
.
2012-02-07 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39]
.
.
------- Supplementary Scan -------
.
uLocal Page =
TCP: DhcpNameServer = 192.168.2.254
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\6szjk2rx.default\
FF - prefs.js: browser.search.selectedEngine - WOT Safe Search
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-07 21:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RAM Idle Professional = c:\program files\TweakNow PowerPack 2011\Module32\RAM2_XP.exe?????????=?c:\program files\TweakNow PowerPack 2011\Module32\
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQLS1]
"ImagePath"="c:\uniserver\usr\local\mysql\bin\mysqld-opt.exe --defaults-file=C:/UniServer/usr/local/mysql/my.ini MySQLS1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\}|}|9~*]
"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(612)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2012-02-07 21:58:06
ComboFix-quarantined-files.txt 2012-02-07 20:58
.
Pre-Run: 11.972.284.416 bytes free
Post-Run: 11.961.270.272 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut
.
- - End Of File - - 71B657AA4A699CC6BD4C0ACDAA314B80
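The two log formats the helper is reading in this thread can be triaged mechanically: the XP firewall GloballyOpenPorts values (in the OTL output in post #5 and again in the ComboFix log above) and ComboFix's service lines. The script below is an added example, not the tool's output and not the helper's own code. It parses both formats, flags a service whose image path sits under a Temp directory or whose file ComboFix could not find (the trailing [?]), and lists firewall exceptions that are enabled together with their scope ('*' being any remote address). The reading of the service start column as R = running, S = stopped, digit = Start value is an assumption stated in the code; the sample input is constructed from lines copied out of the logs on this page. Run against that sample it flags HNM (Temp path, file missing) and ApacheS1 (file missing), and lists the two enabled LocalSubNet exceptions for UPnP (2869/TCP) and SSDP (1900/UDP), while the disabled 3389/TCP rule is not reported.

```python
r"""Triage of two Windows XP log formats pasted in this thread (added example).

1. Firewall exceptions, dumped by OTL and ComboFix from
   ...\FirewallPolicy\StandardProfile\GloballyOpenPorts\List as
       "3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
   i.e. port:protocol:scope:state:display-name ('*' = any remote address).
2. ComboFix service lines such as
       S4 HNM;HNM;c:\...\Temp\HNM.exe --> c:\...\Temp\HNM.exe [?]
   i.e. <state><Start value> <name>;<display name>;<image path>, with an
   optional ' --> resolved path' and a trailing '[?]' when ComboFix could
   not find the file. Assumption: R = running, S = stopped.
"""
import re
from dataclasses import dataclass

FIREWALL_RE = re.compile(
    r'^"(?P<key>[^"]+)"\s*=\s*'
    r'(?P<port>\d+):(?P<proto>TCP|UDP):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$'
)
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$')
TEMP_DIR_RE = re.compile(r'\\temp\\', re.IGNORECASE)   # any ...\Temp\... component

# Constructed sample: lines copied from the OTL and ComboFix logs in this thread.
SAMPLE_LOG = r'''
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22-7-2011 17:27 12880]
S4 ApacheS1;ApacheS1;"c:\uniserver\usr\local\apache2\bin\Apache.exe" -k runservice --> c:\uniserver\usr\local\apache2\bin\Apache.exe [?]
S4 HNM;HNM;c:\docume~1\Eigenaar\LOCALS~1\Temp\HNM.exe --> c:\docume~1\Eigenaar\LOCALS~1\Temp\HNM.exe [?]
S4 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [8-12-2011 1:40 246624]
'''


@dataclass
class FirewallRule:
    key: str
    port: int
    proto: str
    scope: str        # '*' = any remote address, 'LocalSubNet' = LAN only
    enabled: bool
    name: str


@dataclass
class Service:
    start: str        # e.g. 'R1' (running, Start=1) or 'S4' (stopped, Start=4)
    name: str
    display: str
    image_path: str
    file_missing: bool


def parse_firewall_rule(line):
    """Return a FirewallRule for a GloballyOpenPorts value line, else None."""
    m = FIREWALL_RE.match(line.strip())
    if not m:
        return None
    return FirewallRule(m['key'], int(m['port']), m['proto'], m['scope'],
                        m['state'] == 'Enabled', m['name'].strip())


def parse_service(line):
    """Return a Service for a ComboFix service line, else None."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m['rest']
    file_missing = rest.rstrip().endswith('[?]')
    # ComboFix appends ' --> resolved path' when the image path has quotes or arguments
    path = rest.split(' --> ', 1)[1] if ' --> ' in rest else rest
    # drop the trailing '[?]' or '[date time size]' annotation and any quotes
    path = re.sub(r'\s*\[[^\]]*\]\s*$', '', path).strip().strip('"')
    return Service(m['start'], m['name'], m['display'], path, file_missing)


def service_reasons(svc):
    """Why a service line deserves a closer look (empty list = nothing noted)."""
    reasons = []
    if TEMP_DIR_RE.search(svc.image_path):
        reasons.append('image path under a Temp directory')
    if svc.file_missing:
        reasons.append('file not found on disk ([?])')
    return reasons


def firewall_reasons(rule):
    """Only enabled exceptions are reported; scope '*' is the one to worry about."""
    if not rule.enabled:
        return []
    if rule.scope == '*':
        return ['enabled for any remote address']
    return ['enabled, scope %s' % rule.scope]


def triage(text):
    """Map flagged firewall keys and service names to their reasons."""
    report = {'firewall': {}, 'services': {}}
    for line in text.splitlines():
        rule = parse_firewall_rule(line)
        if rule:
            if firewall_reasons(rule):
                report['firewall'][rule.key] = firewall_reasons(rule)
            continue
        svc = parse_service(line)
        if svc and service_reasons(svc):
            report['services'][svc.name] = service_reasons(svc)
    return report


if __name__ == '__main__':
    for section, items in triage(SAMPLE_LOG).items():
        for name, reasons in items.items():
            print('%s %-16s %s' % (section, name, '; '.join(reasons)))
```

The Temp-directory check is the same judgement the helper applies in the next post, where the CFScript targets exactly the HNM entry; the [?] marker alone is weaker evidence, since the UniServer entries show that leftovers of an uninstalled package produce it too.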

#15 Render (Trusted Helper, Malware Removal, 4,195 posts)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\docume~1\Eigenaar\LOCALS~1\Temp\HNM.exe

Driver::
HNM


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.