Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Need help removing SnapDo/WebSearch. [Closed] [Solved]


  • This topic is locked This topic is locked

#1
Admirgency

Admirgency

    Member

  • Member
  • PipPip
  • 97 posts
Nec Powermate VL4 Flex01-Galileo ;

Windows XP Home SP3 (x32) OEM ;

MS SQLserver 2005 compact edition (ENU);

Windows Firewall ;

Microsoft Security Essentials :
  • Engine Version 1.1.9506.6
  • AntiVirus definition 1.151.554.0
  • AntiSpyware defdefinition 1.151.554.0 ;
Spybot Search & Destroy 1.6.2.46,update 15-5-2013 ;

MS IE 8.0.6001.18702, 0 updates ;

Google Chrome 26.0.1410.64 m ;

Mozilla Firefox 20.0.1
  • + (amongst other add-ons) BrowserProtect 1.1.3 ;
VLC mediaplayer 2.0.6 Twoflower.




Problem : feed.snapdo, search.snapdo, websearch : search-engine, start-pages and new-tab-pages in all 3 browsers. It doesn't appear in Configscreen → Software. Maybe there also is the SnapDo toolbar but it is not vissible in the browsers.

IE, Chrome and Firefox all are affected in 1 useraccount. Guest-acc. & admin- and owner-acc.'s seem to be unaffected.




We used Guest-acc. as work-accountbecouse of unwillingness of former employees to use passwords. Last week i made the user-account with limited privileges to act aswork-acc..




[I thought i got SnapDo with installing VLC at the 18th of this month but now i know it was already present at the 16th, see remark above the OTL.txt about 1 entry in OTL extra.txt. (Not realizing this pc doesn't have aDVD-player) I downloaded VLC Mediaplayer from what appeared to be theSoftonic-website.]

Day before yesterday (the 21st) when i opened the work-account i wanted to use Firefox but got awarning from BrowserProtect against ??*.*SnapDo\Softonic/*.*??. I regret i did not take a screenshot. BrowserProtect advised to block SnapDo and i did, but it's startingpage opened in FF anyway. Likewise it did in IE and Chrome. In Chrome i got an advertisement from what i see as Rogue-AV or Rogue-PCcleaner, warning me the pc was about to crash. The ad appeared to be from Adchoises/info,

  • see screenshot 21 mei 2013 – 1aI


I could change the standardsearch-engines, startpages and new-tab-pages in the browsers to what they should be and after reboot the propper search & startpages remained standard.




In Safe Modus Admin acc. MS SE andMSERT did not find anything mallicious.

There-after Spybot Search & Destroy (scan = only Spyware) found some SnapDo-files that could be neutralized.

  • see screenshot 21 mei 2013 – 3aI


Yesterdaymorning i seemed to be able to"remove" Websearch from IE but i don't think that's realy thecase.

Sb S&D (scan = check all) found some more but together the files found are not the complete malware-programme.

  • see screenshot 22 mei 2013 – 1aI + 1aIII
It is stil present in Chrome and Firefox and i presume also in IE.




This afternoon (gees it's past midnight already) i thought i'ld have time for a scan with Kaspersky ResQdisk 10. It did not find anything with scanning Root- and Hidden files.Then, scanning C:, after roughly 3½ hours at about 64%, a fuse blew and electricity in the building turned off. With – as far as i know– nothing found i did not believe Kaspersky ResQ would find anything anyway, hence my post here.




&*&*&*&*&*&*&*&*&*&*&*&*&*&*&

OTL : I hope you don't mind i ticked "scan all users", running the scan from Owner-account.




Extra.txt normaly doesn't need to be posted unless specificly asked, but i thought i'ld mention 1 of the errors since it occured the 16th, = 2nd Tuesday (in the Netherlands just before the MS security updates) :

[ Application Events ]

Error - 16-5-2013 3:20:18 | ComputerName = POWERMATE | Source = MsiInstaller | ID = 11304

Description = Product: Snap.Do -- Error1304. Error writing to file: Interop.SHDocVw.dll.

Verify that you have access to thatdirectory.



&*&*&*&*&*&*&*&*&*&*&*&*&*&*&

OTL logfile created on: 22-5-2013 23:15:14 - Run 1

OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\All Users\Documenten\aReebok Maintenance\Mei 2013 feed.snap.do

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000413 | Country: Nederland | Language: NLD | Date Format: d-M-yyyy



759.48 Mb Total Physical Memory | 364.89 Mb Available Physical Memory | 48.04% Memory free

1.81 Gb Paging File | 1.49 Gb Available in Paging File | 82.22% Paging File free

Paging file location(s): C:\pagefile.sys 1140 1140 [binary data]



%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 37.27 Gb Total Space | 21.60 Gb Free Space | 57.97% Space Free | Partition Type: NTFS



Computer Name: POWERMATE | User Name: Eigenaar | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days



========== Processes (SafeList) ==========



PRC - [2013-05-22 23:06:49 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\All Users\Documenten\aReebok Maintenance\Mei 2013 feed.snap.do\OTL.exe

PRC - [2013-05-13 20:26:07 | 000,216,968 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.3.21.145\GoogleCrashHandler.exe

PRC - [2013-05-12 10:55:16 | 000,181,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe

PRC - [2013-03-08 11:24:22 | 000,708,721 | ---- | M] ( ) -- C:\Program Files\TSST Korea\FW LiveUpdate\FWManager.exe

PRC - [2013-01-27 12:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe

PRC - [2013-01-27 12:11:06 | 000,947,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe

PRC - [2012-08-13 10:57:02 | 010,376,704 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe

PRC - [2012-08-13 10:57:02 | 010,368,512 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin

PRC - [2012-07-25 10:46:42 | 000,681,056 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\sua.exe

PRC - [2012-06-28 17:40:52 | 000,074,752 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Winamp\winampa.exe

PRC - [2012-06-11 16:22:16 | 000,193,616 | ---- | M] (Microsoft Corporation.) -- C:\Program Files\Microsoft\BingBar\7.1.391.0\BBSvc.EXE

PRC - [2009-09-24 09:51:38 | 000,032,873 | ---- | M] () -- C:\Program Files\Wireless\WPS\jswtrayutil.exe

PRC - [2009-09-21 11:48:10 | 000,188,416 | ---- | M] (Wireless) -- C:\Program Files\Wireless\WPS\jswpbapi.exe

PRC - [2008-04-15 02:33:00 | 001,037,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe





========== Modules (No Company Name) ==========



MOD - [2013-03-08 11:23:16 | 002,641,920 | ---- | M] () -- C:\Program Files\TSST Korea\FW LiveUpdate\LiveUpdate.dat

MOD - [2012-09-06 10:19:35 | 000,985,088 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll

MOD - [2009-09-24 10:20:36 | 000,798,720 | ---- | M] () -- C:\Program Files\Wireless\WPS\jswscapploc.dll

MOD - [2009-09-24 09:51:38 | 000,032,873 | ---- | M] () -- C:\Program Files\Wireless\WPS\jswtrayutil.exe





========== Services (SafeList) ==========



SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)

SRV - [2013-05-16 13:56:48 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)

SRV - [2013-05-12 10:55:16 | 000,181,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)

SRV - [2013-05-12 10:13:08 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)

SRV - [2013-03-01 12:11:32 | 000,161,384 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)

SRV - [2013-01-27 12:11:46 | 000,020,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)

SRV - [2012-07-25 10:46:44 | 001,326,176 | ---- | M] (Secunia) [On_Demand | Stopped] -- C:\Program Files\Secunia\PSI\psia.exe -- (Secunia PSI Agent)

SRV - [2012-07-25 10:46:42 | 000,681,056 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files\Secunia\PSI\sua.exe -- (Secunia Update Agent)

SRV - [2012-06-11 16:22:16 | 000,240,208 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.EXE -- (BBUpdate)

SRV - [2012-06-11 16:22:16 | 000,193,616 | ---- | M] (Microsoft Corporation.) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\7.1.391.0\BBSvc.EXE -- (BBSvc)

SRV - [2009-09-21 11:48:12 | 000,360,529 | ---- | M] (wireless) [On_Demand | Stopped] -- C:\Program Files\Wireless\WPS\jswpsapi.exe -- (jswpsapi)

SRV - [2009-09-21 11:48:10 | 000,188,416 | ---- | M] (Wireless) [Auto | Running] -- C:\Program Files\Wireless\WPS\jswpbapi.exe -- (jswpbapi)





========== Driver Services (SafeList) ==========



DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)

DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)

DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)

DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)

DRV - File not found [Kernel | System | Stopped] -- -- (Changer)

DRV - [2011-08-01 15:56:42 | 000,045,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dc3d.sys -- (dc3d)

DRV - [2011-06-02 12:08:34 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv)

DRV - [2010-09-01 10:30:58 | 000,015,544 | ---- | M] (Secunia) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)

DRV - [2010-04-28 08:44:02 | 000,054,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)

DRV - [2009-09-21 11:48:10 | 000,057,440 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\jswscimd.sys -- (JSWSCIMD)

DRV - [2009-09-16 11:54:34 | 001,668,352 | R--- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\athuw.sys -- (AR9271)

DRV - [2009-06-10 01:49:32 | 000,024,576 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ANDROIDUSB.sys -- (HTCAND32)

DRV - [2002-07-07 13:53:32 | 000,296,179 | ---- | M] (SigmaTel Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\stac97na.sys -- (STAC97NA)

DRV - [2002-07-07 13:52:46 | 000,231,983 | ---- | M] (SigmaTel Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\stac97nh.sys -- (STAC97NH)

DRV - [2000-07-24 02:01:00 | 000,019,537 | ---- | M] (Brother Industries Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\BRPAR.SYS -- (BrPar)





========== Standard Registry (SafeList) ==========





========== Internet Explorer ==========



IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7





IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.avira....EU&locale=nl_NL

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.avira....EU&locale=nl_NL

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0





IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/

IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://nl.msn.com/?ocid=iehp

IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = nl

IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 04 48 20 B2 A1 5C CD 01 [binary data]

IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found

IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC

IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\SearchScopes\{BB158C41-8D3C-4264-89E0-2FF0FC5C2849}: "URL" = http://websearch.ask...51-DACF8FED586C

IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



========== FireFox ==========



FF - prefs.js..browser.search.defaultengine: "Ask.com"

FF - prefs.js..browser.search.defaultenginename: "Ask.com"

FF - prefs.js..browser.search.defaulturl: ""

FF - prefs.js..browser.search.order.1: "Ask.com"

FF - prefs.js..browser.search.selectedEngine: "Ask.com"

FF - prefs.js..browser.search.useDBForOrder: true

FF - prefs.js..browser.startup.homepage: "http://search.avira....U&locale=nl_NL"

FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:20.0.1

FF - prefs.js..extensions.enabledItems: [email protected]:1.0

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}:6.0.30

FF - prefs.js..extensions.enabledItems: {EEE6C361-6118-11DC-9C72-001320C79847}:1.5.0.2

FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:12.0.0.1912

FF - prefs.js..keyword.URL: "http://websearch.ask...YYYY^YY^NL&&q="

FF - prefs.js..sweetim.toolbar.previous.browser.search.defaultenginename: ""

FF - prefs.js..sweetim.toolbar.previous.browser.search.defaulturl: ""

FF - prefs.js..sweetim.toolbar.previous.browser.search.selectedEngine: "Bing"

FF - prefs.js..browser.startup.homepage: "http://www.google.nl/"

FF - prefs.js..sweetim.toolbar.previous.keyword.URL: "http://www.bing.com/...?FORM=IEFM1&q="

FF - user.js - File not found



FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw_1202122.dll (Adobe Systems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)

FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.21.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/DownloadManager,version=1.1: C:\WINDOWS\ [2013-05-16 09:07:38 | 000,000,000 | ---D | M]

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2166.3772\npCIDetect14.dll (Google)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.6: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013-05-12 10:13:12 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013-05-16 09:35:26 | 000,000,000 | ---D | M]



[2010-05-11 15:00:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Extensions

[2012-10-30 10:34:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\extensions

[2012-07-08 11:38:38 | 000,020,591 | ---- | M] () (No name found) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi

[2011-04-01 11:10:10 | 000,001,819 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\searchplugins\bing.xml

[2011-12-16 20:22:07 | 000,003,915 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\searchplugins\SweetIM Search.xml

[2013-05-12 10:11:41 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

[2013-05-12 10:13:11 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll

[2012-06-28 17:42:00 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll

[2013-03-13 12:19:33 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

[2013-03-13 12:19:33 | 000,002,616 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bolcom-nl.xml

[2013-03-13 12:19:33 | 000,004,771 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\marktplaats-nl.xml

[2011-12-24 21:58:59 | 000,001,111 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\vandale-nl.xml

[2013-03-13 12:19:33 | 000,001,262 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-nl.xml

[2011-12-24 21:58:59 | 000,001,106 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-nl.xml



O1 HOSTS File: ([2012-09-12 15:36:44 | 000,444,266 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 www.007guard.com

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 008i.com

O1 - Hosts: 127.0.0.1 www.008k.com

O1 - Hosts: 127.0.0.1 008k.com

O1 - Hosts: 127.0.0.1 www.00hq.com

O1 - Hosts: 127.0.0.1 00hq.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 www.0scan.com

O1 - Hosts: 127.0.0.1 0scan.com

O1 - Hosts: 127.0.0.1 www.1000gratisproben.com

O1 - Hosts: 127.0.0.1 1000gratisproben.com

O1 - Hosts: 127.0.0.1 1001namen.com

O1 - Hosts: 127.0.0.1 www.1001namen.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 www.100sexlinks.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 www.10sek.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.1-2005-search.com

O1 - Hosts: 127.0.0.1 1-2005-search.com

O1 - Hosts: 15259 more lines...

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)

O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)

O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)

O3 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.

O3 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

O4 - HKLM..\Run: [] File not found

O4 - HKLM..\Run: [jswtrayutil] C:\Program Files\Wireless\WPS\jswtrayutil.exe ()

O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found

O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [Name of App] C:\Program Files\TSST Korea\FW LiveUpdate\FWManager.exe ( )

O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)

O4 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003..\Run: [Microsoft® Windows System] C:\Documents and Settings\Eigenaar\S-2-52-3192-6512-3816\winope.exe File not found

O4 - Startup: C:\Documents and Settings\Eigenaar\Menu Start\Programma's\Opstarten\OpenOffice.org 3.4.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

O4 - Startup: C:\Documents and Settings\Gast\Menu Start\Programma's\Opstarten\OpenOffice.org 3.4.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)

O8 - Extra context menu item: Zoek op het web - C:\Program Files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html File not found

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)

O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1271944706703 (WUWebControl Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1341578474781 (MUWebControl Class)

O16 - DPF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} http://download.micr...loadManager.cab (Microsoft Download Manager ActiveX control)

O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.syste...el_4.5.11.0.cab (SysInfo Class)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3C14C12F-FE35-4086-8935-5AD09B3BDF73}: DhcpNameServer = 192.168.1.254

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F414C247-0F38-435E-8997-36B5A343C769}: DhcpNameServer = 192.168.1.254 195.241.77.55 195.241.77.58

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)

O24 - Desktop Components:0 (Mijn huidige introductiepagina) - About:Home

O24 - Desktop WallPaper: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2010-04-22 13:42:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O33 - MountPoints2\{d1d624c8-2b1d-11e1-ae36-000ae6026320}\Shell - "" = AutoRun

O33 - MountPoints2\{d1d624c8-2b1d-11e1-ae36-000ae6026320}\Shell\AutoRun\command - "" = E:\iStudio.exe

O34 - HKLM BootExecute: (autocheck autochk *)

O34 - HKLM BootExecute: (pgdfgsvc C 1)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)



========== Files/Folders - Created Within 30 Days ==========



[2013-05-16 09:44:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eigenaar\Application Data\vlc

[2013-05-16 09:44:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Start\Programma's\VideoLAN

[2013-05-16 09:42:00 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN

[2013-05-12 10:56:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2013-05-12 10:11:39 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

[2013-05-07 12:11:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eigenaar\Application Data\Oracle

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]



========== Files - Modified Within 30 Days ==========



[2013-05-22 23:20:29 | 000,000,386 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job

[2013-05-22 23:17:00 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job

[2013-05-22 23:13:35 | 000,000,460 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{19634F2B-6041-4CFB-B933-71C9576E8275}.job

[2013-05-22 23:12:02 | 000,000,479 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Application Data\TSSTLiveUpdateConfig.ini

[2013-05-22 23:11:11 | 000,001,044 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2013-05-22 23:10:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2013-05-22 22:56:32 | 000,000,940 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job

[2013-05-22 22:33:20 | 000,001,048 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2013-05-21 14:40:13 | 000,000,448 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar Gedeelde documenten.lnk

[2013-05-21 14:38:01 | 000,000,737 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Mozilla Firefox.lnk

[2013-05-21 14:37:47 | 000,000,810 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Internet Explorer.lnk

[2013-05-21 11:56:27 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2013-05-16 14:02:45 | 000,000,283 | ---- | M] () -- C:\WINDOWS\Brownie.ini

[2013-05-15 09:30:53 | 000,168,304 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2013-05-15 09:23:36 | 000,598,768 | ---- | M] () -- C:\WINDOWS\System32\perfh013.dat

[2013-05-15 09:23:36 | 000,500,072 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2013-05-15 09:23:36 | 000,120,562 | ---- | M] () -- C:\WINDOWS\System32\perfc013.dat

[2013-05-15 09:23:36 | 000,087,406 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2013-05-15 09:04:17 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2013-05-12 11:27:07 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2013-05-12 10:03:36 | 000,000,420 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar Downloads.lnk

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]



========== Files Created - No Company Name ==========



[2013-05-21 14:40:13 | 000,000,448 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar Gedeelde documenten.lnk

[2013-05-21 14:38:01 | 000,000,737 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Mozilla Firefox.lnk

[2013-05-21 14:37:47 | 000,000,810 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Internet Explorer.lnk

[2013-05-12 11:25:57 | 000,000,940 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job

[2013-05-12 10:03:36 | 000,000,420 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar Downloads.lnk

[2013-04-03 16:39:36 | 000,168,304 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2013-03-14 11:29:25 | 000,000,145 | ---- | C] () -- C:\WINDOWS\BRVIDEO.INI

[2013-03-14 11:29:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brmx2001.ini

[2013-03-14 11:29:23 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\brlmw03a.ini

[2013-03-14 11:29:21 | 000,014,496 | ---- | C] () -- C:\WINDOWS\HL-5240.INI

[2013-03-14 11:28:40 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\bd5240.dat

[2013-03-14 11:27:45 | 000,000,283 | ---- | C] () -- C:\WINDOWS\Brownie.ini

[2013-03-13 11:46:36 | 000,000,479 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Application Data\TSSTLiveUpdateConfig.ini

[2012-09-12 15:43:07 | 000,004,706 | ---- | C] () -- C:\WINDOWS\wininit.ini

[2012-08-10 15:06:30 | 000,268,519 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Local Settings\Application Data\census.cache

[2012-08-10 15:05:52 | 000,180,312 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Local Settings\Application Data\ars.cache

[2012-08-10 12:48:24 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Local Settings\Application Data\housecall.guid.cache

[2012-07-07 23:13:52 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Local Settings\Application Data\fusioncache.dat

[2012-07-06 14:44:15 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll

[2012-07-05 04:40:25 | 000,294,527 | ---- | C] () -- C:\WINDOWS\System32\shimg.dll

[2011-11-20 20:10:40 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat



========== ZeroAccess Check ==========



[2011-03-24 11:50:20 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini



[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]



[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]



[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

"" = %SystemRoot%\system32\shdocvw.dll -- [2008-04-15 02:32:40 | 001,499,136 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Apartment



[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]

"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009-02-09 12:56:06 | 000,473,600 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Free



[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008-04-15 02:32:46 | 000,273,920 | ---- | M] (Microsoft Corporation)

"ThreadingModel" = Both



========== LOP Check ==========



[2011-12-16 17:56:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ask

[2012-07-08 18:19:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012

[2012-02-09 13:26:06 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files

[2012-08-10 12:42:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HitmanPro

[2010-11-10 13:13:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ICIDU

[2012-08-07 15:56:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kingsoft

[2012-07-08 18:17:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData

[2011-11-14 18:39:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Playrix Entertainment

[2012-07-08 17:10:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2012-07-06 17:16:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\AskToolbar

[2012-07-09 22:38:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\ElevatedDiagnostics

[2012-08-07 15:44:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\Foxit Software

[2010-11-15 14:41:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\ICAClient

[2012-08-07 15:57:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\Kingsoft

[2010-05-11 15:08:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\OpenOffice.org

[2013-05-07 12:11:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\Oracle

[2013-05-12 15:39:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\Uniblue

[2012-07-07 21:28:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\Windows Desktop Search

[2012-07-09 17:46:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Eigenaar\Application Data\Windows Search

[2012-07-17 10:48:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gast\Application Data\AskToolbar

[2012-07-25 15:23:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gast\Application Data\OpenOffice.org

[2012-11-26 11:51:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gast\Application Data\Uniblue

[2012-07-17 06:49:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gast\Application Data\Windows Desktop Search

[2013-02-19 13:21:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gast\Application Data\Windows Search

[2013-05-14 14:47:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Werkaccount\Application Data\Windows Desktop Search



========== Purity Check ==========







========== Alternate Data Streams ==========



@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2




< End of report >




Thanks in advance for helping me/us,

(not exactly qualified but the "best"we have) Admirgency.

Attached Thumbnails

  • 21 mei 2013 - 1aI.JPG
  • 21 mei 2013 - 1aII.JPG
  • 21 mei 2013 - 1aIII.JPG
  • 21 mei 2013 - 3aI.JPG
  • 22 mei 2013 - 1aI.JPG
  • 22 mei 2013 - 1aII.JPG
  • 22 mei 2013 - 1aIII.JPG

Edited by Admirgency, 22 May 2013 - 05:19 PM.

  • 0

Advertisements


#2
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
After a good nights rest, reviewingOTL.txt, i notice :

  • Websearch = mentioned as Avira.ask, then that would not be part of the infection. ;
  • Under 01 – HOSTS, there are entries that should not be on a work-computer, f.e. 100Sexlinks.com. That will be from (more then a few) forced entries we suffered. Perp = arrested and either still in jail or in psychiatric custody. As far as we know he does not know how to hack. Other entries that should not be on a workcomp will be from former employees. ;
  • I guess i need to uninstall SweetIM,
  • <a name="yui_3_3_0_1_1369295391062415"> Viewing SweetIM searchresults in Guest-acc./FF/Yahoo i notice answers.yahoo doesn't have a WOT-rating like the other searchresults do have.


  • 04 HKU\S1-5-21........ no results for Winope.exe in Guest-acc./Firefox/Yahoo, /Google or /Bing and no results inGuestacc./IE/Bing, /Yahoo, /Google or /Avira/Ask. ;


Reviewing my post, i see screenshot 21mei 3aI should have been ScrSh 3aIb, see new attachement below.21 mei 2013 - 3aIB.JPG




I forgot to mention :
  • (see tabs in Screenshot 21 mei 2013 – 1aII) searching with Firefox/Yahoo from infected account for SnapDo, i got a lot of sites – incl.SanpDo – wich are not to be trusted according to WOT, and poor results in general. Searching here at GeeksToGo i see a lot more ppl suffered SnapDo.
  • Last week, prepairing for 2nd Tuesday MS Sec. Updates, new version Adobe Flash Active X would not install, Flashplayer for other browsers did.

Though i checked that the new password for my GeeksToGo-acc. worked, yesterday, today i again needed a new password.

Edited by Admirgency, 23 May 2013 - 03:17 AM.

  • 0

#3
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello Admirgency

the links you refer tyo are part of a host file and is good to have on the computer - here is a short read aboput it --> http://winhelp2002.mvps.org/hosts.htm

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

When they are complete let me have the two reports and let me know how things are running.

Gringo
  • 0

#4
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Thank you ever so much Gringo.

OK, this time the password here @ Geeks To Go still works.



After running Adw Cleaner and JRT, IEis noticably faster in Owner- and User-account (named Werkaccount) alike. Don't know that for sure with the faster browsers Chrome and Firefox. In Guest-acc. IE still is slow to start in Guest-account, but when started the browsing is faster indeed.




In the user-account Snap-Do is still visible in Chrome, not in IE or FF,
See ScrSh 20bI
24 mei 2013 - 20bI.JPG





Randomly browsing some sites in User-acc/IE, the Microsoft Survey pop-up opened at Technet, but the survey itself did not start when i closed Technet. The immage was like am used to see it. However in Guest-acc this pop-up looked much diferent, never seen it like that before. And if the diferent versions of this MS pop-up both are ok, one would expect the most beautifull version to show in an account with limited rights instead of in the Guest-account.
See ScrSh 20cI
24 mei 2013 - 20cI.JPG





I should have mentioned that before i'm ashamed to say, there still is a warning from Windows Security Center that MS SE is turned off while MS SE itself remains green, safe. Security Center states that it can not recognize all AV. This happens most of the time in Guest-acc. and only sometimes in Owner or the infected User-acc.. However Microsoft not recognizing Microsoft is strange indeed.
See ScrSh 20aI.
24 mei 2013 - 20aI.JPG


Also, when Security Center opened early in start-up, sometimes it mentioned there is no Firewall active, but that message always disapears before Open Office (always the laststart-up-item) starts when the firewall activates. I did not notice this after AdwC & JRT, i closed and started the comp several times in the various accounts to check.




In Guest-acc, Chrome → options →Search-engine Management shows (didn't notice that before) more engines to install, clearly suited to our preferences (incl. 1 former employee, awfully glad her searches for astrology and psychics don't show). They seem legit with no doubtfull engines.

The list of in Chrome installed search-engines in this Guest-acc. now show Isearch for AVG Secure search, while before that was Ask/Avira search. From the logfiles it is clear that AdwareCleaner stumbled upon Ask several times. What should it be? Is this alsowrongdoings of SnapDo or might they be remnants of older infections*?

Speaking about Isearch (more or less offtopic), our other computers have remnants of Imesh/Isearch &Bearsearch present*. Is it safe to run Adware Cleaner on them, without supervision from you or one of your peers?


*When i started work here a year ago, all computers were heavilly infected with various malware-families and multiple non-compatible Anti Malware software was installed on every-one of these computers. I took them out with MS Tool for Removal of Malicious Software, MS SE, MS mr. Fix It's, KasperskyResQdisk, Kaspersky TDSSkiller and dr Web bootscan (sory i don't know the propper name for the dr. Web scan out of the top of my head). Sad to say the expiration-date of dr Web licence (the most intrusive scan i know) co-exsists with the time SnapDo showed up.

Becouse, like OTL shows, SnapDo is not from Softonic-download of VLC, SnapDo might be from our offline computer, with a passibly illegit XP SP1 Pro edition while it has a legit licence for XP Home edition. If so then this SnapDo-version might be 5 or more years old. That computer is not in use anymore but i had to get some files copied, which did not succeed.

See ScrSh's 20dI and 20dII
24 mei 2013 - 20dI.JPG

24 mei 2013 - 20dII.JPG


BrowserProtect is gone while this warned me against SnapDo, &
Configuration Screen -> Software shows Avira and not AVG,
see ScrSh 20eI and a the allinea above about Chrome-installed search-engines. Also compare ScrSh 20eI with ScrSh 20bI about SnapDo remaining present in User-acc -> Chrome -> Options -> Search Engines, where SnapDo has 1st entry in contrast with Guest Acc. -> Chrome -> Options -> Search Engines -> AVG/Isearch what used to be Avira/Ask Search.
24 mei 2013 - 20eI.JPG


Don't get warning anymore that there's not enough space for all items in Start Menu.




The logfiles : I can recognize only 1entry for SnapDo (in Adware Cleaner), while there are a lot for SweetIM and (websearch/)Ask(/Avira). Are the 4 (i incl. Isearch/Imeshin this question) connected or hiding behind one-another or what?



Last question for now : on our computers (all Nec Powermate VL4 - Flex's & Desktops with XP Home SP3) we have MS .NET Framework versions 1.1 up to version 4. Language pack for v 3.5 doesn't install. Do we need all of these versions and their respective language packs?



&*&*&*&*&*&*&*&*&*&*&*&&*&*&*&*&*&*&*&*&*&*&*&
Adware Cleaner :




# AdwCleaner v2.301 - Verslag gemaaktop 24/05/2013 om 16:24:02

# Geactualiseerd op 16/05/2013 doorXplode

# Besturingssysteem : Microsoft WindowsXP Service Pack 3 (32 bits)

# Gebruiker : Eigenaar - POWERMATE

# Opstarten Modus : Normale modus

# Gelanceerd vanaf : C:\Documents andSettings\Eigenaar\Bureaublad\2 AdwCleaner.exe

# Optie [Verwijderen]





***** [Diensten] *****





***** [Files / Mappen] *****




File Verwijdert : C:\Documents andSettings\Eigenaar\ApplicationData\Mozilla\Firefox\Profiles\bjvlnrw9.default\searchplugins\SweetIMSearch.xml

File Verwijdert : C:\Documents andSettings\Werkaccount\ApplicationData\Mozilla\Firefox\Profiles\b8ca57pm.default\extensions\[email protected]

File Verwijdert : C:\Documents andSettings\Werkaccount\ApplicationData\Mozilla\Firefox\Profiles\b8ca57pm.default\searchplugins\WebSearch.xml

File Verwijdert :C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

Map Verwijdert : C:\Documents andSettings\All Users\Application Data\Ask

Map Verwijdert : C:\Documents andSettings\All Users\Application Data\Trymedia

Map Verwijdert : C:\Documents andSettings\Eigenaar\Application Data\AskToolbar

Map Verwijdert : C:\Documents andSettings\Eigenaar\ApplicationData\Mozilla\Firefox\Profiles\bjvlnrw9.default\SweetIMToolbarData

Map Verwijdert : C:\Documents andSettings\Eigenaar\ApplicationData\Mozilla\Firefox\Profiles\bjvlnrw9.default\SweetPacksToolbarData

Map Verwijdert : C:\Documents andSettings\Eigenaar\Local Settings\Application Data\AskToolbar

Map Verwijdert : C:\Documents andSettings\Eigenaar\Local Settings\Application Data\PackageAware

Map Verwijdert : C:\Documents andSettings\Gast\Application Data\AskToolbar

Map Verwijdert : C:\Documents andSettings\Gast\Local Settings\Application Data\AskToolbar

Map Verwijdert : C:\Documents andSettings\LocalService\Local Settings\Application Data\APN

Map Verwijdert : C:\Documents andSettings\Werkaccount\Local Settings\Application Data\AskToolbar

Map Verwijdert :C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}




***** [Register] *****




Sleutel Verwijdert : HKCU\Software\APN

Sleutel Verwijdert :HKCU\Software\AskToolbar

Sleutel Verwijdert :HKCU\Software\Microsoft\Windows\CurrentVersion\AppManagement\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}

Sleutel Verwijdert :HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}

Sleutel Verwijdert :HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35C-6118-11DC-9C72-001320C79847}

Sleutel Verwijdert :HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}

Sleutel Verwijdert :HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35C-6118-11DC-9C72-001320C79847}

Sleutel Verwijdert :HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35D-6118-11DC-9C72-001320C79847}

Sleutel Verwijdert :HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\Domains\grusskartencenter.com

Sleutel Verwijdert :HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\EscDomains\grusskartencenter.com

Sleutel Verwijdert :HKCU\Software\YahooPartnerToolbar

Sleutel Verwijdert : HKLM\Software\APN

Sleutel Verwijdert :HKLM\Software\AskToolbar

Sleutel Verwijdert :HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}

Sleutel Verwijdert :HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL

Sleutel Verwijdert :HKLM\SOFTWARE\Microsoft\Internet Explorer\LowRights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}

Sleutel Verwijdert :HKLM\SOFTWARE\Microsoft\Internet Explorer\LowRights\ElevationPolicy\{EEE6C367-6118-11DC-9C72-001320C79847}

Sleutel Verwijdert :HKLM\SOFTWARE\Microsoft\Internet Explorer\LowRights\ElevationPolicy\{F994E0D9-8335-48F1-99C2-A712C21F8D5F}

Sleutel Verwijdert :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppManagement\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

Sleutel Verwijdert :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppManagement\ARPCache\{A7BC02AF-1128-4A31-BCF8-1A3EE803D3B3}

Sleutel Verwijdert :HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\649A52D257CA5DB4EAAE8BA9EB23E467

Sleutel Verwijdert :HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\fe5428c802eeb35edb047d5d26e0fd5f




***** [Browsers] *****




-\\ Internet Explorer v8.0.6001.18702



[OK] Het register bevat geen enkele ongeoorloofde invoer.




-\\ Mozilla Firefox v20.0.1 (nl)



File : C:\Documents andSettings\Eigenaar\ApplicationData\Mozilla\Firefox\Profiles\bjvlnrw9.default\prefs.js



Verwijdert :user_pref("browser.search.defaultengine", "Ask.com");

Verwijdert :user_pref("browser.search.defaultenginename", "Ask.com");

Verwijdert :user_pref("browser.search.order.1", "Ask.com");

Verwijdert :user_pref("browser.search.selectedEngine", "Ask.com");

Verwijdert :user_pref("browser.startup.homepage","hxxp://search.avira.com/?l=dis&o=APN10399&gct=hp&dc=EU&locale[...]

Verwijdert :user_pref("extensions.asktb.ff-original-keyword-url","hxxp://search.sweetim.com/search.asp?src=2&q=[...]

Verwijdert : user_pref("keyword.URL","hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=AVR-3&o=APN10399&loc[...]

Verwijdert :user_pref("sweetim.toolbar.dialogs.0.enable", "true");

Verwijdert :user_pref("sweetim.toolbar.dialogs.0.handler","chrome://sim_toolbar_package/content/optionsdialog-h[...]

Verwijdert :user_pref("sweetim.toolbar.dialogs.0.height", "335");

Verwijdert :user_pref("sweetim.toolbar.dialogs.0.id","id_options_dialog");

Verwijdert :user_pref("sweetim.toolbar.dialogs.0.title","$string.config.label;");

Verwijdert :user_pref("sweetim.toolbar.dialogs.0.url","hxxp://www.sweetim.com/simffbar/options_remote_ff.html")[...]

Verwijdert :user_pref("sweetim.toolbar.dialogs.0.width", "761");

Verwijdert :user_pref("sweetim.toolbar.dialogs.1.enable", "true");

Verwijdert :user_pref("sweetim.toolbar.dialogs.1.handler","chrome://sim_toolbar_package/content/exampledialog-h[...]

Verwijdert :user_pref("sweetim.toolbar.dialogs.1.height", "300");

Verwijdert :user_pref("sweetim.toolbar.dialogs.1.id","id_example_dialog");

Verwijdert :user_pref("sweetim.toolbar.dialogs.1.title", "Example(unit-test) dialog");

Verwijdert :user_pref("sweetim.toolbar.dialogs.1.url","chrome://sim_toolbar_package/content/exampledialog.html"[...]

Verwijdert :user_pref("sweetim.toolbar.dialogs.1.width", "500");

Verwijdert :user_pref("sweetim.toolbar.dnscatch.domain-blacklist",".*.sweetim.com/.*|.*.facebook.com/.*|.*.goog[...]

Verwijdert :user_pref("sweetim.toolbar.highlight.colors","#FFFF00,#00FFE4,#5AFF00,#0087FF,#FFCC00,#FF00F0");

Verwijdert :user_pref("sweetim.toolbar.logger.ConsoleHandler.MinReportLevel","7");

Verwijdert :user_pref("sweetim.toolbar.logger.FileHandler.FileName","ff-toolbar.log");

Verwijdert :user_pref("sweetim.toolbar.logger.FileHandler.MaxFileSize","200000");

Verwijdert :user_pref("sweetim.toolbar.logger.FileHandler.MinReportLevel","7");

Verwijdert :user_pref("sweetim.toolbar.mode.debug", "false");

Verwijdert :user_pref("sweetim.toolbar.prad.initialized_by_rc","true");

Verwijdert :user_pref("sweetim.toolbar.previous.browser.search.defaultenginename","");

Verwijdert :user_pref("sweetim.toolbar.previous.browser.search.defaulturl","");

Verwijdert :user_pref("sweetim.toolbar.previous.browser.search.selectedEngine","Bing");

Verwijdert :user_pref("sweetim.toolbar.previous.browser.startup.homepage","hxxp://www.google.nl/");

Verwijdert :user_pref("sweetim.toolbar.previous.keyword.URL","hxxp://www.bing.com/search?FORM=IEFM1&q=");

Verwijdert :user_pref("sweetim.toolbar.scripts.0.addcontextdiv","true");

Verwijdert :user_pref("sweetim.toolbar.scripts.0.callback","simVerification");

Verwijdert :user_pref("sweetim.toolbar.scripts.0.domain-blacklist","");

Verwijdert :user_pref("sweetim.toolbar.scripts.0.domain-whitelist","hxxp://(www.|apps.)?facebook\\.com.*");

Verwijdert :user_pref("sweetim.toolbar.scripts.0.elementid","id_script_sim_fb");

Verwijdert :user_pref("sweetim.toolbar.scripts.0.enable", "true");

Verwijdert :user_pref("sweetim.toolbar.scripts.0.id", "id_script_fb");

Verwijdert :user_pref("sweetim.toolbar.scripts.0.url","hxxp://sc.sweetim.com/apps/in/fb/infb.js");

Verwijdert :user_pref("sweetim.toolbar.scripts.1.addcontextdiv","false");

Verwijdert :user_pref("sweetim.toolbar.scripts.1.callback", "");

Verwijdert :user_pref("sweetim.toolbar.scripts.1.domain-blacklist",".*.google..*|.*.bing..*|.*.live..*|.*.msn..[...]

Verwijdert :user_pref("sweetim.toolbar.scripts.1.domain-whitelist","");

Verwijdert :user_pref("sweetim.toolbar.scripts.1.elementid","id_predict_include_script");

Verwijdert :user_pref("sweetim.toolbar.scripts.1.enable", "true");

Verwijdert :user_pref("sweetim.toolbar.scripts.1.id","id_script_prad");

Verwijdert :user_pref("sweetim.toolbar.scripts.1.url","hxxp://cdn1.certified-apps.com/scripts/shared/enable.js?[...]

Verwijdert :user_pref("sweetim.toolbar.search.external", "<?xmlversion=\"1.0\"?><TOOLBAR><EXTERNAL_SEARCHengin[...]

Verwijdert :user_pref("sweetim.toolbar.search.history","the%20yarbirds,youtabe,brazil,touareg%20music,touareg,t[...]

Verwijdert :user_pref("sweetim.toolbar.search.history.capacity", "10");

Verwijdert :user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS","1");

Verwijdert :user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP","1");

Verwijdert :user_pref("sweetim.toolbar.searchguard.enable", "true");

Verwijdert :user_pref("sweetim.toolbar.simapp_id","{A2404725-FFE0-4949-8191-A546A7BAF19A}");

Verwijdert :user_pref("sweetim.toolbar.urls.homepage","hxxp://home.sweetim.com/?barid={A2404725-FFE0-4949-8191-[...]

Verwijdert :user_pref("sweetim.toolbar.version", "1.5.0.2");




File : C:\Documents andSettings\Werkaccount\ApplicationData\Mozilla\Firefox\Profiles\b8ca57pm.default\prefs.js




Verwijdert :user_pref("browser.newtab.url","hxxp://feed.snap.do/?publisher=SnapdoSoftonicYB&dpid=SnapdoSoftonic[...]

Verwijdert :user_pref("extensions.browserprotect.searchProviderExceptions","hxxp://en.wikipedia.org/wiki/Specia[...]




File : C:\Documents andSettings\Gast\ApplicationData\Mozilla\Firefox\Profiles\269yn026.default\prefs.js




Verwijdert :user_pref("browser.search.defaultengine", "Ask.com");

Verwijdert :user_pref("browser.search.defaultenginename", "Ask.com");

Verwijdert :user_pref("browser.search.order.1", "Ask.com");

Verwijdert :user_pref("extensions.asktb.ff-original-keyword-url", "");

Verwijdert : user_pref("keyword.URL","hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=AVR-3&o=APN10399&loc[...]




*************************




AdwCleaner[S1].txt - [10802 octets] -[24/05/2013 16:24:02]




########## EOF - C:\AdwCleaner[S1].txt- [10863 octets] ##########





&*&*&*&*&*&*&*&*&*&*&*&&*&*&*&*&*&*&*&*&*&*&*&
JRT :

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Thisisu

Version: 4.9.4 (05.06.2013:1)

OS: Microsoft Windows XP x86

Ran by Eigenaar on vr 24-05-2013 at16:44:17.21

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~





~~~ Services






~~~ Registry Values




Successfully repaired: [Registry Value]HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName

Successfully repaired: [Registry Value]HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL





~~~ Registry Keys




Successfully deleted: [Registry Key]HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\SearchScopes\{BB158C41-8D3C-4264-89E0-2FF0FC5C2849}





~~~ Files




Successfully deleted: [File]C:\eula.1028.txt

Successfully deleted: [File]C:\eula.1031.txt

Successfully deleted: [File]C:\eula.1033.txt

Successfully deleted: [File]C:\eula.1036.txt

Successfully deleted: [File]C:\eula.1040.txt

Successfully deleted: [File]C:\eula.1041.txt

Successfully deleted: [File]C:\eula.1042.txt

Successfully deleted: [File]C:\eula.1049.txt

Successfully deleted: [File]C:\eula.2052.txt

Successfully deleted: [File]C:\install.res.1028.dll

Successfully deleted: [File]C:\install.res.1031.dll

Successfully deleted: [File]C:\install.res.1033.dll

Successfully deleted: [File]C:\install.res.1036.dll

Successfully deleted: [File]C:\install.res.1040.dll

Successfully deleted: [File]C:\install.res.1041.dll

Successfully deleted: [File]C:\install.res.1042.dll

Successfully deleted: [File]C:\install.res.1049.dll

Successfully deleted: [File]C:\install.res.2052.dll

Successfully deleted: [File]C:\install.res.3082.dll





~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on vr 24-05-2013 at16:48:39.07

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Edited by Admirgency, 24 May 2013 - 04:02 PM.

  • 0

#5
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello Admirgency

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
  • 0

#6
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Hi Gringo.

Yes,Thank You! When Combofix run it's course and i rebooted into Guest-account, MS SE came up 1st in System Tray. No warning it's disabled like i got before running Combofix in Owner-acc.. 0 hidden processes, 0 hidden autostart items and 0 hidden files found, looks promissing.

Downloading Combofix was no problem but moving it's installer from the Downloads folder into the Shared Files folder was. It said it was read only and could not be moved. Some seconds later it did appear but for safety i downloaded it again to desktop and re-named. Then moving it was no problem. Combofix renamed itself back to it's original name at installation (well, with a warning it couldn't install with another name after which i had to initiate installation again).

(But those MS translations, installing Recovery Console..... ....MS/Bing & Google translations are a bit better then the translations spammers use....most of the time..........When will they learn?)

Viewing the Combofix Logfile i noticed one entry that i ment to ask about in my initial post : under ORPHANS VERWIJDERD (Orphans removed), "winope.exe", could not find any info on that using Bing, Google, Yahoo and Ask searches in IE FF and Chrome (forgot to use Wikkipedia search).

Anyway, the CF-log :


ComboFix 13-05-24.01 - Eigenaar 25-05-2013 2:40.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.759.383 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Eigenaar\Bureaublad\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
C:\install.exe
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2013-04-25 to 2013-05-25 ))))))))))))))))))))))))))))))
.
.
2013-05-24 14:49 . 2013-05-13 06:19 7016152 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CFDB045C-0268-4E9A-A6E2-99C028E4C329}\mpengine.dll
2013-05-24 14:44 . 2013-05-24 14:44 -------- d-----w- c:\windows\ERUNT
2013-05-24 14:43 . 2013-05-24 14:43 -------- dc----w- C:\JRT
2013-05-24 07:57 . 2013-05-13 06:19 7016152 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-23 17:06 . 2013-05-23 17:06 -------- d-----w- c:\documents and settings\Gast\Local Settings\Application Data\Sun
2013-05-16 07:44 . 2013-05-22 19:37 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\vlc
2013-05-16 07:42 . 2013-05-16 07:42 -------- d-----w- c:\program files\VideoLAN
2013-05-14 12:46 . 2013-05-14 12:50 -------- d-----w- c:\documents and settings\Werkaccount
2013-05-12 09:25 . 2013-05-16 11:56 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-12 09:25 . 2013-05-16 11:56 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-12 08:56 . 2013-05-12 08:56 -------- d-----w- c:\program files\Common Files\Java
2013-05-12 08:55 . 2013-05-12 08:55 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-12 08:55 . 2013-05-12 08:55 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-07 10:42 . 2010-06-02 02:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2013-05-07 10:42 . 2010-06-02 02:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2013-05-07 10:42 . 2010-06-02 02:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2013-05-07 10:42 . 2010-05-26 09:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2013-05-07 10:40 . 2009-09-04 15:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2013-05-07 10:39 . 2008-05-30 12:17 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2013-05-07 10:38 . 2007-10-22 01:37 17928 ----a-w- c:\windows\system32\X3DAudio1_2.dll
2013-05-07 10:34 . 2013-05-07 10:36 -------- d--h--w- c:\windows\msdownld.tmp
2013-05-07 10:11 . 2013-05-07 10:11 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Oracle
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-23 17:06 . 2012-07-17 15:26 664 ----a-w- c:\documents and settings\Gast\Local Settings\Application Data\d3d9caps.tmp
2013-05-12 08:55 . 2013-03-14 09:07 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-12 08:55 . 2010-05-11 12:21 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-05-02 15:28 . 2012-07-19 07:55 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-16 22:26 . 2010-04-22 13:26 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:26 . 2010-04-22 13:25 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:26 . 2010-04-22 13:25 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:30 . 2010-04-22 13:25 385024 ----a-w- c:\windows\system32\html.iec
2013-04-12 14:01 . 2010-04-22 13:26 1876480 ----a-w- c:\windows\system32\win32k.sys
2013-04-02 14:09 . 2013-04-02 14:09 4550656 ----a-w- c:\windows\system32\GPhotos.scr
2013-03-08 08:36 . 2010-04-22 13:26 293888 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 15:56 . 2010-04-22 13:25 2154496 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 15:56 . 2008-04-14 22:11 2033152 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-02-27 07:58 . 2010-04-22 11:38 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-05-12 08:13 . 2013-05-12 08:11 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-16 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"jswtrayutil"="c:\program files\Wireless\WPS\jswtrayutil.exe" [2009-09-24 32873]
"Name of App"="c:\program files\TSST Korea\FW LiveUpdate\FWManager.exe" [2013-03-08 708721]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2012-06-28 74752]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
.
c:\documents and settings\Gast\Menu Start\Programma's\Opstarten\
OpenOffice.org 3.4.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
c:\documents and settings\Eigenaar\Menu Start\Programma's\Opstarten\
OpenOffice.org 3.4.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 jswpbapi;JumpStart Push-Button Service;c:\program files\Wireless\WPS\jswpbapi.exe [11-11-2010 14:00 188416]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [25-7-2012 10:46 681056]
R3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.2.233.0\SeaPort.EXE [2-4-2013 3:01 240264]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [8-8-2012 7:10 45288]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [11-11-2010 14:00 57440]
R3 STAC97NA;SigmaTel 3D Environmental Audio;c:\windows\system32\drivers\stac97na.sys [7-7-2002 13:53 296179]
R3 STAC97NH;STAC97NH;c:\windows\system32\drivers\stac97nh.sys [7-7-2002 13:52 231983]
S2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.2.233.0\BBSvc.EXE [2-4-2013 3:01 193672]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [1-3-2013 12:11 161384]
S3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [11-11-2010 14:43 1668352]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2-6-2011 12:08 11336]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [18-3-2011 12:42 24576]
S3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files\Wireless\WPS\jswpsapi.exe [11-11-2010 14:00 360529]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [1-9-2010 10:30 15544]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [25-7-2012 10:46 1326176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-05-24 10:33 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.94\Installer\chrmstp.exe
.
Inhoud van de 'Gedeelde Taken' map
.
2013-05-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-12 11:56]
.
2013-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-16 10:38]
.
2013-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-16 10:38]
.
2013-05-24 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 10:11]
.
2013-05-25 c:\windows\Tasks\User_Feed_Synchronization-{19634F2B-6041-4CFB-B933-71C9576E8275}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.bing.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Zoek op het web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
TCP: DhcpNameServer = 192.168.1.254 195.241.77.55 195.241.77.58
FF - ProfilePath - c:\documents and settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\
FF - prefs.js: browser.search.defaulturl -
FF - ExtSQL: !HIDDEN! 2011-03-26 18:19; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS VERWIJDERD - - - -
.
HKCU-Run-Microsoft® Windows System - c:\documents and settings\Eigenaar\S-2-52-3192-6512-3816\winope.exe
SafeBoot-22994313.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-25 02:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–}|˙˙˙˙Ą•}|ł•9~*]
"3140311900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
Voltooingstijd: 2013-05-25 02:56:12
ComboFix-quarantined-files.txt 2013-05-25 00:56
.
Pre-Run: 23268220928 bytes beschikbaar
Post-Run: 23906426880 bytes beschikbaar
.
WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 96C6FE3F55563D6DD75F715E9B0AF545



Thanks again and hope to hear from you tomorow,
Admirgency.
  • 0

#7
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello Admirgency

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::



Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

  • 0

#8
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
hello again Gringo.

MS SE remains 1st to start in Systemtray, no Security Center warnings anymore in any account.


I'ld suggest to now remove the legittimate remnants of AVG and Avira, searches and toolbars, as well as Ask search. See how that affects SnapDo and Isearch. There's no Websearch vissible annymore. Firefox is concistent throughout the 3 computer-accounts, but IE and Chrome show different search-engines in each account.

25 mei 2013 - 10aI.JPG

25 mei 2013 - 10aII.JPG

25 mei 2013 - 10aIII.JPG


I'll go check the toolbars now.

*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(*(

ComboFix 13-05-25.02 - Eigenaar 25-05-2013 11:52:36.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.759.361 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Eigenaar\Bureaublad\ComboFix.exe
gebruikte Opdracht switches :: c:\documents and settings\Eigenaar\Bureaublad\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2013-04-25 to 2013-05-25 ))))))))))))))))))))))))))))))
.
.
2013-05-25 09:42 . 2013-05-25 09:42 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5C91C337-9BD4-496E-A095-610F90E7B332}\MpKsl7c14b8b4.sys
2013-05-25 00:57 . 2013-05-13 06:19 7016152 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5C91C337-9BD4-496E-A095-610F90E7B332}\mpengine.dll
2013-05-24 14:44 . 2013-05-24 14:44 -------- d-----w- c:\windows\ERUNT
2013-05-24 14:43 . 2013-05-24 14:43 -------- dc----w- C:\JRT
2013-05-24 07:57 . 2013-05-13 06:19 7016152 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-05-23 17:06 . 2013-05-23 17:06 -------- d-----w- c:\documents and settings\Gast\Local Settings\Application Data\Sun
2013-05-16 07:44 . 2013-05-22 19:37 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\vlc
2013-05-16 07:42 . 2013-05-16 07:42 -------- d-----w- c:\program files\VideoLAN
2013-05-14 12:46 . 2013-05-14 12:50 -------- d-----w- c:\documents and settings\Werkaccount
2013-05-12 09:25 . 2013-05-16 11:56 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-12 09:25 . 2013-05-16 11:56 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-05-12 08:56 . 2013-05-12 08:56 -------- d-----w- c:\program files\Common Files\Java
2013-05-12 08:55 . 2013-05-12 08:55 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-12 08:55 . 2013-05-12 08:55 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-07 10:42 . 2010-06-02 02:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2013-05-07 10:42 . 2010-06-02 02:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2013-05-07 10:42 . 2010-06-02 02:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2013-05-07 10:42 . 2010-05-26 09:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2013-05-07 10:40 . 2009-09-04 15:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2013-05-07 10:39 . 2008-05-30 12:17 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2013-05-07 10:38 . 2007-10-22 01:37 17928 ----a-w- c:\windows\system32\X3DAudio1_2.dll
2013-05-07 10:34 . 2013-05-07 10:36 -------- d--h--w- c:\windows\msdownld.tmp
2013-05-07 10:11 . 2013-05-07 10:11 -------- d-----w- c:\documents and settings\Eigenaar\Application Data\Oracle
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-23 17:06 . 2012-07-17 15:26 664 ----a-w- c:\documents and settings\Gast\Local Settings\Application Data\d3d9caps.tmp
2013-05-12 08:55 . 2013-03-14 09:07 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-05-12 08:55 . 2010-05-11 12:21 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-05-02 15:28 . 2012-07-19 07:55 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-04-16 22:26 . 2010-04-22 13:26 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:26 . 2010-04-22 13:25 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:26 . 2010-04-22 13:25 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:30 . 2010-04-22 13:25 385024 ----a-w- c:\windows\system32\html.iec
2013-04-12 14:01 . 2010-04-22 13:26 1876480 ----a-w- c:\windows\system32\win32k.sys
2013-04-02 14:09 . 2013-04-02 14:09 4550656 ----a-w- c:\windows\system32\GPhotos.scr
2013-03-08 08:36 . 2010-04-22 13:26 293888 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 15:56 . 2010-04-22 13:25 2154496 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 15:56 . 2008-04-14 22:11 2033152 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-02-27 07:58 . 2010-04-22 11:38 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-05-12 08:13 . 2013-05-12 08:11 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-16 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"jswtrayutil"="c:\program files\Wireless\WPS\jswtrayutil.exe" [2009-09-24 32873]
"Name of App"="c:\program files\TSST Korea\FW LiveUpdate\FWManager.exe" [2013-03-08 708721]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2012-06-28 74752]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
.
c:\documents and settings\Gast\Menu Start\Programma's\Opstarten\
OpenOffice.org 3.4.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
c:\documents and settings\Eigenaar\Menu Start\Programma's\Opstarten\
OpenOffice.org 3.4.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 MpKsl7c14b8b4;MpKsl7c14b8b4;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5C91C337-9BD4-496E-A095-610F90E7B332}\MpKsl7c14b8b4.sys [25-5-2013 11:42 29904]
R2 jswpbapi;JumpStart Push-Button Service;c:\program files\Wireless\WPS\jswpbapi.exe [11-11-2010 14:00 188416]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [25-7-2012 10:46 681056]
R3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.2.233.0\SeaPort.EXE [2-4-2013 3:01 240264]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [8-8-2012 7:10 45288]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [11-11-2010 14:00 57440]
R3 STAC97NA;SigmaTel 3D Environmental Audio;c:\windows\system32\drivers\stac97na.sys [7-7-2002 13:53 296179]
R3 STAC97NH;STAC97NH;c:\windows\system32\drivers\stac97nh.sys [7-7-2002 13:52 231983]
S2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.2.233.0\BBSvc.EXE [2-4-2013 3:01 193672]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [1-3-2013 12:11 161384]
S3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [11-11-2010 14:43 1668352]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2-6-2011 12:08 11336]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [18-3-2011 12:42 24576]
S3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files\Wireless\WPS\jswpsapi.exe [11-11-2010 14:00 360529]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [1-9-2010 10:30 15544]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [25-7-2012 10:46 1326176]
.
--- Andere Services/Drivers In Geheugen ---
.
*NewlyCreated* - MPKSL7C14B8B4
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-05-24 10:33 1165776 ----a-w- c:\program files\Google\Chrome\Application\27.0.1453.94\Installer\chrmstp.exe
.
Inhoud van de 'Gedeelde Taken' map
.
2013-05-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-12 11:56]
.
2013-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-16 10:38]
.
2013-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-16 10:38]
.
2013-05-25 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 10:11]
.
2013-05-25 c:\windows\Tasks\User_Feed_Synchronization-{19634F2B-6041-4CFB-B933-71C9576E8275}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.bing.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Zoek op het web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
TCP: DhcpNameServer = 192.168.1.254 195.241.77.55 195.241.77.58
FF - ProfilePath - c:\documents and settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\
FF - prefs.js: browser.search.defaulturl -
FF - ExtSQL: !HIDDEN! 2011-03-26 18:19; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-25 12:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–}|ÿÿÿÿÀ•}|ù•9~*]
"3140311900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
.
- - - - - - - > 'explorer.exe'(1712)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Voltooingstijd: 2013-05-25 12:07:25
ComboFix-quarantined-files.txt 2013-05-25 10:07
ComboFix2.txt 2013-05-25 00:56
.
Pre-Run: 23913676800 bytes beschikbaar
Post-Run: 23949008896 bytes beschikbaar
.
- - End Of File - - 855953D5567912B6861501844F9D28F9

Edited by Admirgency, 25 May 2013 - 06:31 AM.

  • 0

#9
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Nothing vissibly wrong with toolbars in any account,. Except for Google Toolbar Notifier BHO being present in IE while Google Toolbar for IE is uninstalled. Bing Bar in IE in all accounts and Yahoo Toolbar addon only in FF Guest acc..

Problem after 1st run of Combofix : IE is not Standard Browser anymore. I clicked "Yes" at the pop-up message asking if i wanted IE to be Standard Browser to no avail in User or Guest-account. I didn't change this yet via Internet Options. In Owner acc IE became standard, at least no pop-up message appeared anymore. I am reluctant to check which browser now is standard becouse of passible browser-hijack.
  • 0

#10
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello Admirgency

Lets get a deeper look into the system and lets see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and the that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo
  • 0

Advertisements


#11
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
I do not experience systemtray-messages that our LAN-connection is restored anymore since yesterday. Something i also forgot to mention before and i remembered becouse in another thread here some-one writes about being offline for fractions of seconds.

When viewing the other active thread about SnapDo, Non active System Processes ran wild, disturbing my browsing for like 5+ minutes. That has not happened anymore since yesterdays scans/fixes.

It was 3+ minutes after you posted your last instructions that i wanted to print them out which did not work in guest-acc. Printer management on pc stated there was no paper present while there were about 50 sheets left. I refilled anyway and still did not print becouse of lack of paper. Statuscheck on printer itself showed everything green.There-after in Owner acc., printer worked ok and i got your instructions twice. I can print again now from Guest acc., this probably has been just a problem with the cable not propperly connected but i am not completely sure.





OTL logfile created on: 25-5-2013 22:17:18 - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Eigenaar\Bureaublad
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000413 | Country: Nederland | Language: NLD | Date Format: d-M-yyyy

759.48 Mb Total Physical Memory | 370.16 Mb Available Physical Memory | 48.74% Memory free
1.81 Gb Paging File | 1.50 Gb Available in Paging File | 82.77% Paging File free
Paging file location(s): C:\pagefile.sys 1140 1140 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 22.29 Gb Free Space | 59.81% Space Free | Partition Type: NTFS

Computer Name: POWERMATE | User Name: Eigenaar | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Eigenaar\Bureaublad\5 OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Google\Update\1.3.21.145\GoogleCrashHandler.exe (Google Inc.)
PRC - C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
PRC - C:\Program Files\Microsoft\BingBar\7.2.233.0\BBSvc.EXE (Microsoft Corporation.)
PRC - C:\Program Files\TSST Korea\FW LiveUpdate\FWManager.exe ( )
PRC - c:\Program Files\Microsoft Security Client\MpCmdRun.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\Secunia\PSI\sua.exe (Secunia)
PRC - C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
PRC - C:\Program Files\Wireless\WPS\jswtrayutil.exe ()
PRC - C:\Program Files\Wireless\WPS\jswpbapi.exe (Wireless)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Brownie\BRSTSWND.EXE (brother)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\TSST Korea\FW LiveUpdate\LiveUpdate.dat ()
MOD - C:\Program Files\OpenOffice.org 3\program\libxml2.dll ()
MOD - C:\Program Files\Wireless\WPS\jswscapploc.dll ()
MOD - C:\Program Files\Wireless\WPS\jswtrayutil.exe ()
MOD - C:\Program Files\WinRAR\RarExt.dll ()


========== Services (SafeList) ==========

SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (BBUpdate) -- C:\Program Files\Microsoft\BingBar\7.2.233.0\SeaPort.EXE (Microsoft Corporation.)
SRV - (BBSvc) -- C:\Program Files\Microsoft\BingBar\7.2.233.0\BBSvc.EXE (Microsoft Corporation.)
SRV - (SkypeUpdate) -- C:\Program Files\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (Secunia PSI Agent) -- C:\Program Files\Secunia\PSI\psia.exe (Secunia)
SRV - (Secunia Update Agent) -- C:\Program Files\Secunia\PSI\sua.exe (Secunia)
SRV - (jswpsapi) -- C:\Program Files\Wireless\WPS\jswpsapi.exe (wireless)
SRV - (jswpbapi) -- C:\Program Files\Wireless\WPS\jswpbapi.exe (Wireless)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\catchme.sys File not found
DRV - (dc3d) -- C:\WINDOWS\system32\drivers\dc3d.sys (Microsoft Corporation)
DRV - (cpudrv) -- C:\Program Files\SystemRequirementsLab\cpudrv.sys ()
DRV - (PSI) -- C:\WINDOWS\system32\drivers\psi_mf.sys (Secunia)
DRV - (fssfltr) -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys (Microsoft Corporation)
DRV - (JSWSCIMD) -- C:\WINDOWS\system32\drivers\jswscimd.sys (Atheros Communications, Inc.)
DRV - (AR9271) -- C:\WINDOWS\system32\drivers\athuw.sys (Atheros Communications, Inc.)
DRV - (HTCAND32) -- C:\WINDOWS\system32\drivers\ANDROIDUSB.sys (HTC, Corporation)
DRV - (STAC97NA) -- C:\WINDOWS\system32\drivers\stac97na.sys (SigmaTel Inc.)
DRV - (STAC97NH) -- C:\WINDOWS\system32\drivers\stac97nh.sys (SigmaTel Inc.)
DRV - (BrPar) -- C:\WINDOWS\system32\drivers\BRPAR.SYS (Brother Industries Ltd.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = nl
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 04 48 20 B2 A1 5C CD 01 [binary data]
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaulturl: ""
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:20.0.1
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}:6.0.30
FF - prefs.js..extensions.enabledItems: {EEE6C361-6118-11DC-9C72-001320C79847}:1.5.0.2
FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:12.0.0.1912
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw_1202122.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.21.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.21.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/DownloadManager,version=1.1: C:\WINDOWS\ [2013-05-25 12:03:49 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2166.3772\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.6: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013-05-12 10:13:12 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013-05-16 09:35:26 | 000,000,000 | ---D | M]

[2010-05-11 15:00:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Extensions
[2012-10-30 10:34:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\extensions
[2012-07-08 11:38:38 | 000,020,591 | ---- | M] () (No name found) -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
[2011-04-01 11:10:10 | 000,001,819 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Application Data\Mozilla\Firefox\Profiles\bjvlnrw9.default\searchplugins\bing.xml
[2013-05-12 10:11:41 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013-05-12 10:13:11 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012-06-28 17:42:00 | 000,012,800 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\mozilla firefox\plugins\npwachk.dll
[2013-03-13 12:19:33 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2013-03-13 12:19:33 | 000,002,616 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bolcom-nl.xml
[2013-03-13 12:19:33 | 000,004,771 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\marktplaats-nl.xml
[2011-12-24 21:58:59 | 000,001,111 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\vandale-nl.xml
[2013-03-13 12:19:33 | 000,001,262 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-nl.xml
[2011-12-24 21:58:59 | 000,001,106 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-nl.xml

O1 HOSTS File: ([2013-05-25 02:51:37 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.2.233.0\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.2.233.0\BingExt.dll (Microsoft Corporation.)
O3 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [jswtrayutil] C:\Program Files\Wireless\WPS\jswtrayutil.exe ()
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Name of App] C:\Program Files\TSST Korea\FW LiveUpdate\FWManager.exe ( )
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe (Nullsoft, Inc.)
O4 - Startup: C:\Documents and Settings\Eigenaar\Menu Start\Programma's\Opstarten\OpenOffice.org 3.4.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\Gast\Menu Start\Programma's\Opstarten\OpenOffice.org 3.4.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Zoek op het web - C:\Program Files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1271944706703 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1341578474781 (MUWebControl Class)
O16 - DPF: {B479199A-1242-4E3C-AD81-7F0DF801B4AE} http://download.micr...loadManager.cab (Microsoft Download Manager ActiveX control)
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.syste...el_4.5.11.0.cab (SysInfo Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 195.241.77.55 195.241.77.58
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3C14C12F-FE35-4086-8935-5AD09B3BDF73}: DhcpNameServer = 192.168.1.254 195.241.77.55 195.241.77.58
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F414C247-0F38-435E-8997-36B5A343C769}: DhcpNameServer = 192.168.1.254 195.241.77.55 195.241.77.58
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 (Mijn huidige introductiepagina) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010-04-22 13:42:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (pgdfgsvc C 1)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013-05-25 22:11:25 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eigenaar\Bureaublad\1 OTL.exe
[2013-05-25 22:11:00 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Eigenaar\Bureaublad\5 OTL.exe
[2013-05-25 02:35:06 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2013-05-25 02:30:02 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013-05-25 02:30:02 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013-05-25 02:30:02 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013-05-25 02:30:02 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013-05-25 02:28:34 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013-05-25 02:28:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2013-05-25 02:18:14 | 005,071,432 | R--- | C] (Swearware) -- C:\Documents and Settings\Eigenaar\Bureaublad\ComboFix.exe
[2013-05-24 16:44:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2013-05-24 16:43:25 | 000,000,000 | ---D | C] -- C:\JRT
[2013-05-24 16:22:42 | 000,545,954 | ---- | C] (Oleg N. Scherbakov) -- C:\Documents and Settings\Eigenaar\Bureaublad\3 JRT.exe
[2013-05-16 09:44:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eigenaar\Application Data\vlc
[2013-05-16 09:44:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Start\Programma's\VideoLAN
[2013-05-16 09:42:00 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN
[2013-05-12 11:25:45 | 000,692,104 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013-05-12 11:25:45 | 000,071,048 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013-05-12 10:56:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2013-05-12 10:55:46 | 000,144,896 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2013-05-12 10:55:45 | 000,263,584 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2013-05-12 10:55:39 | 000,174,496 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2013-05-12 10:55:39 | 000,174,496 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2013-05-12 10:55:39 | 000,094,112 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2013-05-12 10:30:53 | 000,812,936 | ---- | C] (Adobe Systems Incorporated) -- C:\Documents and Settings\Eigenaar\Bureaublad\uninstall_flash_player.exe
[2013-05-12 10:11:39 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013-05-07 12:42:12 | 000,074,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_5.dll
[2013-05-07 12:42:11 | 000,527,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_7.dll
[2013-05-07 12:42:08 | 000,239,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_7.dll
[2013-05-07 12:42:02 | 002,106,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_43.dll
[2013-05-07 12:41:56 | 001,868,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dcsx_43.dll
[2013-05-07 12:41:48 | 000,248,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx11_43.dll
[2013-05-07 12:41:39 | 000,470,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_43.dll
[2013-05-07 12:41:34 | 001,998,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_43.dll
[2013-05-07 12:41:30 | 000,528,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_6.dll
[2013-05-07 12:41:30 | 000,074,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_4.dll
[2013-05-07 12:41:28 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_6.dll
[2013-05-07 12:41:26 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_7.dll
[2013-05-07 12:41:22 | 000,515,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_5.dll
[2013-05-07 12:41:19 | 000,238,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_5.dll
[2013-05-07 12:41:17 | 001,974,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_42.dll
[2013-05-07 12:41:14 | 005,501,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dcsx_42.dll
[2013-05-07 12:41:11 | 000,235,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx11_42.dll
[2013-05-07 12:41:08 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_42.dll
[2013-05-07 12:41:05 | 001,846,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_41.dll
[2013-05-07 12:41:05 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_41.dll
[2013-05-07 12:41:01 | 004,178,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_41.dll
[2013-05-07 12:40:55 | 000,517,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_4.dll
[2013-05-07 12:40:55 | 000,069,464 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_3.dll
[2013-05-07 12:40:51 | 000,235,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_4.dll
[2013-05-07 12:40:48 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_6.dll
[2013-05-07 12:40:46 | 002,036,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_40.dll
[2013-05-07 12:40:46 | 000,452,440 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_40.dll
[2013-05-07 12:40:42 | 004,379,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_40.dll
[2013-05-07 12:40:32 | 000,514,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_3.dll
[2013-05-07 12:40:32 | 000,070,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_2.dll
[2013-05-07 12:40:27 | 000,235,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_3.dll
[2013-05-07 12:40:25 | 000,023,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_5.dll
[2013-05-07 12:40:17 | 000,068,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_1.dll
[2013-05-07 12:40:16 | 000,509,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_2.dll
[2013-05-07 12:40:13 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_2.dll
[2013-05-07 12:40:09 | 001,493,528 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_39.dll
[2013-05-07 12:40:08 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_39.dll
[2013-05-07 12:40:04 | 003,851,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_39.dll
[2013-05-07 12:39:58 | 000,065,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAPOFX1_0.dll
[2013-05-07 12:39:57 | 000,507,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_1.dll
[2013-05-07 12:39:52 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_1.dll
[2013-05-07 12:39:50 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_4.dll
[2013-05-07 12:39:47 | 001,491,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_38.dll
[2013-05-07 12:39:47 | 000,467,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_38.dll
[2013-05-07 12:39:34 | 003,850,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_38.dll
[2013-05-07 12:39:31 | 000,479,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\XAudio2_0.dll
[2013-05-07 12:39:28 | 000,238,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine3_0.dll
[2013-05-07 12:39:27 | 000,025,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_3.dll
[2013-05-07 12:39:25 | 001,420,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_37.dll
[2013-05-07 12:39:24 | 000,462,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_37.dll
[2013-05-07 12:39:20 | 003,786,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DX9_37.dll
[2013-05-07 12:39:17 | 000,267,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_10.dll
[2013-05-07 12:39:12 | 001,374,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_36.dll
[2013-05-07 12:39:12 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_36.dll
[2013-05-07 12:39:10 | 003,734,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_36.dll
[2013-05-07 12:39:06 | 000,267,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_9.dll
[2013-05-07 12:39:04 | 001,358,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_35.dll
[2013-05-07 12:39:04 | 000,444,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_35.dll
[2013-05-07 12:39:02 | 003,727,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_35.dll
[2013-05-07 12:38:58 | 000,266,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_8.dll
[2013-05-07 12:38:58 | 000,017,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\X3DAudio1_2.dll
[2013-05-07 12:38:55 | 001,124,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_34.dll
[2013-05-07 12:38:55 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_34.dll
[2013-05-07 12:38:52 | 003,497,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_34.dll
[2013-05-07 12:38:47 | 000,081,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_3.dll
[2013-05-07 12:38:40 | 000,261,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_7.dll
[2013-05-07 12:38:35 | 001,123,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\D3DCompiler_33.dll
[2013-05-07 12:38:35 | 000,443,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx10_33.dll
[2013-05-07 12:38:28 | 003,495,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_33.dll
[2013-05-07 12:38:27 | 000,255,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_6.dll
[2013-05-07 12:38:26 | 000,251,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_5.dll
[2013-05-07 12:38:25 | 000,237,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_4.dll
[2013-05-07 12:38:25 | 000,015,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_1.dll
[2013-05-07 12:38:24 | 000,236,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_3.dll
[2013-05-07 12:38:24 | 000,062,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_2.dll
[2013-05-07 12:38:23 | 000,230,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_2.dll
[2013-05-07 12:38:22 | 000,062,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput1_1.dll
[2013-05-07 12:38:21 | 000,229,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_1.dll
[2013-05-07 12:38:15 | 002,388,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_30.dll
[2013-05-07 12:38:13 | 000,230,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xactengine2_0.dll
[2013-05-07 12:38:13 | 000,014,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\x3daudio1_0.dll
[2013-05-07 12:38:12 | 002,332,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_29.dll
[2013-05-07 12:38:11 | 002,323,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_28.dll
[2013-05-07 12:38:09 | 000,061,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xinput9_1_0.dll
[2013-05-07 12:38:08 | 002,319,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_27.dll
[2013-05-07 12:38:08 | 002,297,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_26.dll
[2013-05-07 12:38:07 | 002,337,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_25.dll
[2013-05-07 12:38:03 | 002,222,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\d3dx9_24.dll
[2013-05-07 12:11:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Eigenaar\Application Data\Oracle
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013-05-25 22:18:46 | 000,000,386 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013-05-25 22:13:19 | 000,000,297 | ---- | M] () -- C:\WINDOWS\Brownie.ini
[2013-05-25 22:12:30 | 000,000,460 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{19634F2B-6041-4CFB-B933-71C9576E8275}.job
[2013-05-25 22:09:19 | 000,001,044 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013-05-25 22:08:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013-05-25 21:56:52 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eigenaar\Bureaublad\5 OTL.exe
[2013-05-25 21:56:17 | 000,000,940 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013-05-25 21:33:01 | 000,001,048 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013-05-25 15:39:11 | 000,000,479 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Application Data\TSSTLiveUpdateConfig.ini
[2013-05-25 11:41:23 | 005,071,432 | R--- | M] (Swearware) -- C:\Documents and Settings\Eigenaar\Bureaublad\ComboFix.exe
[2013-05-25 11:38:09 | 000,000,751 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar Mei 2013 feed.snap.do.lnk
[2013-05-25 11:37:59 | 000,000,593 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar aReebok Maintenance.lnk
[2013-05-25 02:51:37 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013-05-25 02:35:12 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2013-05-24 16:20:41 | 000,000,448 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar Gedeelde documenten.lnk
[2013-05-24 12:37:19 | 000,001,820 | ---- | M] () -- C:\Documents and Settings\All Users\Bureaublad\Google Chrome.lnk
[2013-05-24 10:07:53 | 000,545,954 | ---- | M] (Oleg N. Scherbakov) -- C:\Documents and Settings\Eigenaar\Bureaublad\3 JRT.exe
[2013-05-24 10:06:20 | 000,632,031 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\2 AdwCleaner.exe
[2013-05-22 23:53:00 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013-05-22 23:06:49 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Eigenaar\Bureaublad\1 OTL.exe
[2013-05-21 14:38:01 | 000,000,737 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Mozilla Firefox.lnk
[2013-05-21 14:37:47 | 000,000,810 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Internet Explorer.lnk
[2013-05-21 11:56:27 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013-05-16 13:56:45 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013-05-16 13:56:45 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013-05-15 09:30:53 | 000,168,304 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013-05-15 09:23:36 | 000,598,768 | ---- | M] () -- C:\WINDOWS\System32\perfh013.dat
[2013-05-15 09:23:36 | 000,500,072 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013-05-15 09:23:36 | 000,120,562 | ---- | M] () -- C:\WINDOWS\System32\perfc013.dat
[2013-05-15 09:23:36 | 000,087,406 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013-05-15 09:04:17 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013-05-12 10:55:18 | 000,094,112 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2013-05-12 10:55:13 | 000,263,584 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2013-05-12 10:55:13 | 000,174,496 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2013-05-12 10:55:13 | 000,174,496 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2013-05-12 10:55:13 | 000,144,896 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2013-05-12 10:55:11 | 000,866,720 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\npdeployJava1.dll
[2013-05-12 10:55:11 | 000,788,896 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2013-05-12 10:30:58 | 000,812,936 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\Eigenaar\Bureaublad\uninstall_flash_player.exe
[2013-05-12 10:03:36 | 000,000,420 | ---- | M] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar Downloads.lnk
[2013-05-07 06:22:15 | 006,015,488 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2013-05-02 17:28:50 | 000,238,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013-05-25 11:38:09 | 000,000,751 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar Mei 2013 feed.snap.do.lnk
[2013-05-25 11:37:58 | 000,000,593 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar aReebok Maintenance.lnk
[2013-05-25 02:35:12 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2013-05-25 02:35:07 | 000,261,936 | RHS- | C] () -- C:\cmldr
[2013-05-25 02:30:02 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013-05-25 02:30:02 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013-05-25 02:30:02 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013-05-25 02:30:02 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013-05-25 02:30:02 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013-05-24 16:22:42 | 000,632,031 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\2 AdwCleaner.exe
[2013-05-21 14:40:13 | 000,000,448 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar Gedeelde documenten.lnk
[2013-05-21 14:38:01 | 000,000,737 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Mozilla Firefox.lnk
[2013-05-21 14:37:47 | 000,000,810 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Internet Explorer.lnk
[2013-05-12 11:25:57 | 000,000,940 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013-05-12 10:03:36 | 000,000,420 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Bureaublad\Snelkoppeling naar Downloads.lnk
[2013-04-03 16:39:36 | 000,168,304 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013-03-14 11:29:25 | 000,000,145 | ---- | C] () -- C:\WINDOWS\BRVIDEO.INI
[2013-03-14 11:29:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2013-03-14 11:29:23 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\brlmw03a.ini
[2013-03-14 11:29:21 | 000,014,496 | ---- | C] () -- C:\WINDOWS\HL-5240.INI
[2013-03-14 11:28:40 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\bd5240.dat
[2013-03-14 11:27:45 | 000,000,297 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2013-03-13 11:46:36 | 000,000,479 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Application Data\TSSTLiveUpdateConfig.ini
[2012-09-12 15:43:07 | 000,004,706 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2012-08-10 15:06:30 | 000,268,519 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Local Settings\Application Data\census.cache
[2012-08-10 15:05:52 | 000,180,312 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Local Settings\Application Data\ars.cache
[2012-08-10 12:48:24 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Local Settings\Application Data\housecall.guid.cache
[2012-07-07 23:13:52 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Eigenaar\Local Settings\Application Data\fusioncache.dat
[2012-07-06 14:44:15 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012-07-05 04:40:25 | 000,294,527 | ---- | C] () -- C:\WINDOWS\System32\shimg.dll
[2011-11-20 20:10:40 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat

========== ZeroAccess Check ==========

[2011-03-24 11:50:20 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008-04-15 02:32:40 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009-02-09 12:56:06 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008-04-15 02:32:46 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

Edited by Admirgency, 25 May 2013 - 02:50 PM.

  • 0

#12
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Hum, the "Non Active System Processes gone wild" was a MS SE update, sory for this mistake.
  • 0

#13
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
Reading other threads here on GeeksToGo, my mouse-cursor can wander off on its own. It slowly drifts to the left and a bit down. It doesn't happen all of the time. Before, this happend only during both the Combofix-scans.

Edited by Admirgency, 25 May 2013 - 04:27 PM.

  • 0

#14
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello Admirgency

I would like you to run this custom script for me now and when it is complete please give me the report and a status update for the computer.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Posted Image text box.
    :OTL
    IE - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
    FF - user.js - File not found
    O3 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKU\S-1-5-21-1606980848-1788223648-2146830767-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O8 - Extra context menu item: Zoek op het web - C:\Program Files\SweetIM\Toolbars\Internet
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

    Note** if the report does not popup after the computer reboots you can find it here in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.

Let me know How things are doing

Gringo
  • 0

#15
Admirgency

Admirgency

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
(after the fix)
In Owner-acc.,
IE : Bing Search = disabled ;


Chrome :
  • Opened for a small part to the right and down the bottom of the screen ;
  • Avira still startpage ;
  • Ask still present amongst search engines.


In Werk acc,
Chrome :
  • feed.snap.do/?publisher=SnapdoSoftonic still present amongst searchangines ;
  • Ask still present amongst search engines ;
IE is not standard browser.



In Guest acc,
IE is not standard browser ;
  • double Bing is still present amongst search engines ;
  • Ask is still present amongst search engines.
Chrome :
  • isearch.avg.com is still present amongst search engines ;
  • ask.com is still present amongst search engines.
[edit] Reviewing this last post mouse wanders off straight to the left. note, it is not the MS wireless optical for which drivers are installed, it's a logitech wired optical for which (to my knowledge) there are no drivers installed yet .


[2nd edit] hey, mouse now wandered in 45 degrees angle to the left and top of the screen, didn't experience that yet. (i checked there's no dirt on the table).


========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1606980848-1788223648-2146830767-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\{472734EA-242A-422b-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422b-ADF8-83D1E48CC825}\ not found.
Registry value HKEY_USERS\S-1-5-21-1606980848-1788223648-2146830767-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry value HKEY_USERS\S-1-5-21-1606980848-1788223648-2146830767-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Zoek op het web\ deleted successfully.
File C:\Program Files\SweetIM\Toolbars\Internet not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP-configuratie
De DNS-omzettingscache is leeggemaakt.
C:\Documents and Settings\Eigenaar\Bureaublad\cmd.bat deleted successfully.
C:\Documents and Settings\Eigenaar\Bureaublad\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: Eigenaar
->Java cache emptied: 0 bytes

User: Gast

User: LocalService

User: NetworkService

User: Werkaccount

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: Eigenaar
->Flash cache emptied: 528 bytes

User: Gast
->Flash cache emptied: 506 bytes

User: LocalService

User: NetworkService

User: Werkaccount
->Flash cache emptied: 492 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 05262013_010529

Edited by Admirgency, 25 May 2013 - 05:54 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP