trage laptop

[paddepoel]

Ik vind een map terug onder:

D:\Documents and Settings\pgadebac\Application Data\Schmap

Mag ik de mpa gewoon verwijderen ?

[kweezie wabbit]

Niets van schmap onder D:\program files?

Dan gaan we even dieper graven naar malware.

Download ComboFix van één van deze locaties:

Link 1

Link 2

* BELANGRIJK !!! Sla ComboFix.exe op je Bureaublad op

• Schakel alle antivirus- en antispywareprogramma's uit, want anders kunnen ze misschien conflicteren met ComboFix. Hier is een handleiding over hoe je ze kan uitschakelen:
  Klik hier
  Als het je niet lukt om ze uit te schakelen, ga dan gewoon door naar de volgende stap.
  
• Dubbelklik op ComboFix.exe en volg de meldingen op het scherm.
  
• ComboFix zal controleren of dat de Microsoft Windows Recovery Console reeds is geïnstalleerd.
  **Let op: Als de Microsoft Windows Recovery Console al is geïnstalleerd, dan krijg je de volgende schermen niet te zien en zal ComboFix automatisch verder gaan met het scannen naar malware.
  
• Volg de meldingen op het scherm om ComboFix de Microsoft Windows Recovery Console te laten downloaden en installeren.
  

Je krijgt de volgende melding te zien wanneer ComboFix de Microsoft Windows Recovery Console succesvol heeft geïnstalleerd:

Klik op Ja om verder te gaan met het scannen naar malware.

Noot !!! Als er een error wordt getoond met de melding "Illegal operation attempted on a registery key that has been marked for deletion", herstart dan de computer.

Wanneer ComboFix klaar is, zal het het een logbestand voor je maken. Post de inhoud van dit logbestand (te vinden als C:\ComboFix.txt) in je volgende bericht.

Indien je problemen hebt bij het uitvoeren van ComboFix, gelieve dit te melden.

[paddepoel]

Ik heb dus een map onder:\Documents and Settings\pgadebac\Application Data\Schmap, maar niet onder Program files (de program files staan trouwens onder C: en niet D:).

Mag ik de map onder Application Data gewoon wissen ?

Nadien draai ik dan wel Combofix.

[kweezie wabbit]

OK, doe maar.

Map wissen en dan combofix uitvoeren.

[paddepoel]

Ik heb ComboFix gedraaid. Hierbij het logje:

ComboFix 11-10-20.08 - pgadebac 21/10/2011 7:58.7.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.32.1043.18.2942.2216 [GMT 2:00]

Gestart vanuit: d:\documents and settings\pgadebac\Bureaublad\ComboFix.exe

AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

* Aanwezig AV is actief

.

.

.

(((((((((((((((((((( Bestanden Gemaakt van 2011-09-21 to 2011-10-21 ))))))))))))))))))))))))))))))

.

.

2011-10-21 05:51 . 2011-10-21 05:51 -------- d--h--r- d:\documents and settings\pgadebac\Onlangs geopend

2011-10-18 07:26 . 2011-10-18 07:26 -------- d-----w- d:\documents and settings\pgadebac\Application Data\smkits

2011-10-17 08:00 . 2011-10-17 08:00 -------- d-----w- c:\program files\Foxit Software

2011-10-17 05:57 . 2011-10-17 07:56 -------- d-----w- d:\documents and settings\pgadebac\Local Settings\Application Data\Solid State Networks

2011-10-04 15:40 . 2011-10-04 15:40 388096 ----a-r- d:\documents and settings\pgadebac\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-10-04 13:16 . 2011-10-04 13:16 -------- d-----w- d:\documents and settings\All Users\Application Data\Brother

2011-10-04 13:09 . 2010-05-10 08:45 103736 ----a-w- c:\winnt\system32\BRRBTOOL.EXE

2011-10-04 13:09 . 2005-01-17 07:10 45056 ----a-w- c:\winnt\system32\BRTCPCON.DLL

2011-10-04 13:09 . 2006-12-21 02:23 176128 ----a-w- c:\winnt\system32\BROSNMP.DLL

2011-10-04 13:09 . 2004-08-09 06:42 77824 ----a-w- c:\winnt\system32\BRLMW03A.DLL

2011-10-04 13:09 . 2010-04-02 05:33 25299 ----a-w- c:\winnt\system32\BRLM03A.DLL

2011-09-26 11:34 . 2011-09-26 11:34 -------- d-----w- d:\documents and settings\debacker\Application Data\McAfee

2011-09-26 10:03 . 2011-10-17 13:18 -------- d-----w- C:\Temp_Backup

2011-09-26 10:02 . 2011-09-26 10:03 -------- d-----w- d:\documents and settings\adm_1sd21

2011-09-26 08:37 . 2011-09-26 08:37 -------- d-sh--w- d:\documents and settings\Administrator\PrivacIE

2011-09-26 08:36 . 2011-09-26 08:36 -------- d-----w- d:\documents and settings\Administrator\Local Settings\Application Data\IBM

2011-09-26 08:25 . 2011-09-26 08:25 -------- d-----w- d:\documents and settings\Administrator\Application Data\McAfee

2011-09-26 08:25 . 2011-09-26 08:25 -------- d-----w- d:\documents and settings\Administrator\Application Data\Stardock

2011-09-26 08:23 . 2011-09-26 08:23 -------- d-sh--w- d:\documents and settings\Administrator\IETldCache

2011-09-23 18:01 . 2006-10-26 17:56 33104 ----a-w- c:\winnt\system32\Spool\prtprocs\w32x86\msonpppr.dll

2011-09-23 18:01 . 2006-10-26 17:56 32592 ----a-w- c:\winnt\system32\msonpmon.dll

2011-09-23 17:59 . 2011-09-23 17:59 -------- d-----w- c:\program files\Microsoft Works

2011-09-23 17:54 . 2011-09-23 17:54 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2011-09-23 17:52 . 2011-09-23 17:52 -------- d-----w- d:\documents and settings\pgadebac\Local Settings\Application Data\Microsoft Help

2011-09-23 17:52 . 2011-10-18 11:22 -------- d-----w- d:\documents and settings\All Users\Application Data\Microsoft Help

.

.

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-18 12:01 . 2011-03-24 05:08 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-02-04 18:07 . 2010-06-18 16:02 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-02-04 124224]

"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-02-20 1191936]

"Logon"="c:\winnt\system32\loglogon.exe" [2008-07-23 199989]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-06-08 333120]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\winnt\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\winnt\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe" [2010-10-12 232912]

.

d:\documents and settings\pgadebac\Menu Start\Programma's\Opstarten\

Stickies.lnk - c:\program files\Stickies\stickies.exe [2008-8-28 765952]

.

d:\documents and settings\All Users\Menu Start\Programma's\Opstarten\

Adobe Acrobat Snelle start.lnk - c:\winnt\Installer\{AC76BA86-1030-D700-7760-100000000002}\SC_Acrobat.exe [2008-10-22 25214]

Taakbalkpictogram van Connected.LNK - c:\program files\Connected\CBSysTray.exe [2008-9-30 114688]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SoftwareSASGeneration"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoFileAssociate"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2009-10-02 128360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]

2008-02-20 14:13 49152 ----a-w- c:\winnt\system32\pcsinst.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-667808998-3646381641-2365837644-12977\Scripts\Logon\0\0]

"Script"=\\10.20.129.10\backuppc\Installpcbackup.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-667808998-3646381641-2365837644-28925\Scripts\Logon\0\0]

"Script"=\\10.20.129.10\backuppc\Installpcbackup.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-667808998-3646381641-2365837644-6869\Scripts\Logon\0\0]

"Script"=deontologieLaunch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-667808998-3646381641-2365837644-6869\Scripts\Logon\1\0]

"Script"=\\finbel\findata\minfin\Deployment\BackupPC\Installpcbackup.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-667808998-3646381641-2365837644-83173\Scripts\Logon\0\0]

"Script"=\\10.20.129.10\backuppc\Installpcbackup.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-667808998-3646381641-2365837644-83611\Scripts\Logon\0\0]

"Script"=\\finbel\findata\minfin\Deployment\BackupPC\Installpcbackup.vbs

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

.

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.lnk]

backup=c:\winnt\pss\Adobe Gamma Loader.lnkCommon Startup

.

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Bluetooth Manager.lnk]

backup=c:\winnt\pss\Bluetooth Manager.lnkCommon Startup

.

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Windows Search.lnk]

backup=c:\winnt\pss\Windows Search.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\beid]

2010-02-05 11:29 2056192 ----a-w- c:\program files\Belgium Identity Card\beid35gui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]

2007-02-20 10:29 1191936 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2008-12-01 05:12 133104 ----atw- d:\documents and settings\pgadebac\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intoan]

2005-09-29 17:34 4549632 ----a-w- c:\program files\Intoan\Agent\IntoanAgent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2006-09-11 02:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2011-07-06 17:52 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NOTESMON]

2006-12-12 15:39 80896 ----a-w- c:\program files\AddInForLotusNotes\notesmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]

2011-02-04 18:07 124224 ----a-w- c:\program files\McAfee\VirusScan Enterprise\shstat.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2011-01-07 11:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\communicatork9.exe"=

"c:\\WINNT\\system32\\mmc.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

"d:\\Data\\Mijn documenten\\PATRICK NIOD\\ONDERHOUD PC\\uTorrent.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

.

R0 sptd;sptd;c:\winnt\system32\drivers\sptd.sys [26/08/2010 18:37 691696]

R1 HttpDisk;HttpDisk;c:\winnt\system32\drivers\httpdisk.sys [17/07/2008 9:54 14592]

R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\winnt\system32\drivers\CdpPacket.sys [24/01/2008 18:47 35692]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [19/03/2009 19:10 712048]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [19/03/2009 19:10 712048]

R2 pdlndldl6;IBM Enterprise Extender (HPR/IPv6);c:\winnt\system32\drivers\pdlndldl6.sys [20/02/2008 16:13 70656]

R2 vnccom;vnccom;c:\winnt\system32\drivers\vnccom.SYS [17/07/2008 9:12 6016]

R3 bbcap;bbcap;c:\winnt\system32\drivers\bbcap.sys [15/01/2009 21:11 4096]

S0 crpf;crpf;c:\winnt\system32\drivers\crpf.sys --> c:\winnt\system32\drivers\crpf.sys [?]

S0 csdf;cdsf;c:\winnt\system32\drivers\csdf.sys --> c:\winnt\system32\drivers\csdf.sys [?]

S2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15/01/2010 7:39 135664]

S2 gupdate1c9c883e3eb492;Google Updateservice (gupdate1c9c883e3eb492);c:\program files\Google\Update\GoogleUpdate.exe [15/01/2010 7:39 135664]

S2 SSPORT;SSPORT;\??\c:\winnt\system32\Drivers\SSPORT.sys --> c:\winnt\system32\Drivers\SSPORT.sys [?]

S3 ACSSCR;ACR38 Smart Card Reader;c:\winnt\system32\drivers\a38usb.sys [29/09/2008 20:55 33536]

S3 GTUQBUS;GT UQ BUS;c:\winnt\system32\drivers\gtuqbus.sys [13/02/2009 15:32 37120]

S3 gupdatem;Google Update-service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [15/01/2010 7:39 135664]

S3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;c:\winnt\system32\drivers\ewusbmdm.sys [12/02/2009 14:47 65152]

S3 hwusbapp;HUAWEI Mobile Connect - 3G PC UI Interface;c:\winnt\system32\drivers\ewusbapp.sys [12/02/2009 14:47 65152]

S3 hwusbser;HUAWEI Mobile Connect - 3G Application Interface;c:\winnt\system32\drivers\ewusbser.sys [12/02/2009 14:47 65152]

S3 ImDisk;ImDisk Virtual Disk Driver;c:\winnt\system32\drivers\imdisk.sys [17/03/2008 19:50 19840]

S3 massfilter;ZTE Mass Storage Filter Driver;c:\winnt\system32\drivers\massfilter.sys --> c:\winnt\system32\drivers\massfilter.sys [?]

S3 mferkdet;McAfee Inc. mferkdet;c:\winnt\system32\drivers\mferkdet.sys [18/06/2010 18:02 67240]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Inhoud van de 'Gedeelde Taken' map

.

2011-10-21 c:\winnt\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2010-11-21 09:47]

.

2011-10-21 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-15 05:39]

.

2011-10-21 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-15 05:39]

.

2011-10-19 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-3712614485-1044013603-244294945-1006Core.job

- d:\documents and settings\debacker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-01 20:08]

.

2011-10-21 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-3712614485-1044013603-244294945-1006UA.job

- d:\documents and settings\debacker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-01 20:08]

.

2011-10-20 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-667808998-3646381641-2365837644-6869Core.job

- d:\documents and settings\pgadebac\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-01 05:12]

.

2011-10-21 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-667808998-3646381641-2365837644-6869UA.job

- d:\documents and settings\pgadebac\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-01 05:12]

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://intranet/index.php?page=&langue=nl

mStart Page = hxxp://dutch.toggle.com/nl/index.php?rvs=google

uInternet Connection Wizard,ShellNext = hxxp://10.2.31.212/homenl

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

IE: Add to Google Photos Screensa&ver - c:\winnt\system32\GPhotos.scr/200

IE: Converteren naar Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Converteren naar bestaande PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Geselecteerde koppelingen converteren naar Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Geselecteerde koppelingen converteren naar bestaande PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Koppelingsdoel converteren naar Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Koppelingsdoel converteren naar bestaande PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Selectie converteren naar Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Selectie converteren naar bestaande PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: { - c:\program files\Messenger\msmsgs.exe

Trusted Zone: intranet

TCP: DhcpNameServer = 192.168.2.1

DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://mail07-57.finbel.intra/dwa85W.cab

FF - ProfilePath - d:\documents and settings\pgadebac\Application Data\Mozilla\Firefox\Profiles\mn9m13ub.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.be

FF - prefs.js: network.proxy.http - http://intranet/proxy.pac

FF - prefs.js: network.proxy.http_port - 80

FF - prefs.js: network.proxy.type - 2

FF - user.js: browser.blink_allowed - true

FF - user.js: network.prefetch-next - true

FF - user.js: layout.spellcheckDefault - 1

FF - user.js: browser.urlbar.autoFill - false

FF - user.js: browser.search.openintab - false

FF - user.js: browser.tabs.closeButtons - 1

FF - user.js: browser.tabs.opentabfor.middleclick - true

FF - user.js: browser.tabs.tabMinWidth - 100

FF - user.js: browser.urlbar.hideGoButton - true

.

- - - - ORPHANS VERWIJDERD - - - -

.

MSConfigStartUp-Acronis Scheduler2 Service - c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

MSConfigStartUp-Advanced SystemCare 4 - c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2011-10-21 08:06

Windows 5.1.2600 Service Pack 3 NTFS

.

scannen van verborgen processen ...

.

scannen van verborgen autostart items ...

.

scannen van verborgen bestanden ...

.

Scan succesvol afgerond

verborgen bestanden: 0

.

**************************************************************************

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5d,56,2c,24,e9,d7,d5,43,9c,d4,1b,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5d,56,2c,24,e9,d7,d5,43,9c,d4,1b,\

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]

"3140110900063D11C8EF10054038389C"="C?\\WINNT\\system32\\FM20ENU.DLL"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–}|ÿÿÿÿÀ•}|ù•9~*]

"3140110900063D11C8EF10054038389C"="C?\\WINNT\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

.

- - - - - - - > 'winlogon.exe'(1364)

c:\winnt\system32\Ati2evxx.dll

c:\winnt\system32\pcsinst.dll

.

- - - - - - - > 'explorer.exe'(3392)

c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll

c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll

c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll

c:\winnt\system32\webcheck.dll

c:\winnt\system32\WPDShServiceObj.dll

c:\winnt\system32\PortableDeviceTypes.dll

c:\winnt\system32\PortableDeviceApi.dll

c:\program files\Stardock\Fences\FencesMenu.dll

c:\program files\stardock\fences\DesktopDock.dll

.

Voltooingstijd: 2011-10-21 08:09:39

ComboFix-quarantined-files.txt 2011-10-21 06:09

.

Pre-Run: 19.438.383.104 bytes beschikbaar

Post-Run: 19.509.719.040 bytes beschikbaar

.

- - End Of File - - 16C39F9DEBB8DFADC3B8DF6E2B8C34BC

[kweezie wabbit]

Even geduld voor de analyse van het logje. Ik heb een collega om een 2de opinie gevraagd.

Hoe is het ondertussen met de snelheid van de laptop?

[kweezie wabbit]

Open een kladblokbestand.

Kopieer en plak daarin de onderstaande vetgedrukte tekst.

DDS::

mStart Page = hxxp://dutch.toggle.com/nl/index.php?rvs=google

Sla dit bestand op je bureaublad op als CFScript.txt.

Sleep CFScript.txt in ComboFix.exe

Dit zal ComboFix doen herstarten. Start opnieuw op als dat gevraagd wordt.

Post na herstart de inhoud van de Combofix.txt in je volgende bericht samen met een nieuw logje van HijackThis.

Herken je deze map d:\documents and settings\adm_1sd21 ?

Als dit een correcte map is, is het OK.

Als je de map niet herkent, kijk dan eens wat er zoal in staat.

[paddepoel]

Hallo,

de map adm_1sd21 is een map die wordt aangemaakt wanneer de helpdesk een probleem tracht op te lossen. Ze lijkt mij dus niet echt abnormaal.

Hierbij het logje van Combofix :

ComboFix 11-10-24.02 - pgadebac 24/10/2011 18:41:11.8.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.32.1043.18.2942.2299 [GMT 2:00]

Gestart vanuit: d:\documents and settings\pgadebac\Bureaublad\ComboFix.exe

gebruikte Opdracht switches :: d:\documents and settings\pgadebac\Bureaublad\CFScript.txt

AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

* Aanwezig AV is actief

.

.

.

(((((((((((((((((((( Bestanden Gemaakt van 2011-09-24 to 2011-10-24 ))))))))))))))))))))))))))))))

.

.

2011-10-24 13:46 . 2011-10-24 13:46 -------- d-----w- d:\documents and settings\pgadebac\Application Data\Foxit Software

2011-10-21 07:24 . 2010-06-19 06:30 14848 ----a-w- c:\winnt\system32\drivers\InputFilter_FlexDef2b.sys

2011-10-21 07:23 . 2011-10-21 07:24 -------- d-----w- c:\program files\SilverCrest OMC807 Driver

2011-10-21 05:51 . 2011-10-24 16:40 -------- d--h--r- d:\documents and settings\pgadebac\Onlangs geopend

2011-10-17 08:00 . 2011-10-17 08:00 -------- d-----w- c:\program files\Foxit Software

2011-10-17 05:57 . 2011-10-17 07:56 -------- d-----w- d:\documents and settings\pgadebac\Local Settings\Application Data\Solid State Networks

2011-10-04 15:40 . 2011-10-04 15:40 388096 ----a-r- d:\documents and settings\pgadebac\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-10-04 13:16 . 2011-10-04 13:16 -------- d-----w- d:\documents and settings\All Users\Application Data\Brother

2011-10-04 13:09 . 2010-05-10 08:45 103736 ----a-w- c:\winnt\system32\BRRBTOOL.EXE

2011-10-04 13:09 . 2005-01-17 07:10 45056 ----a-w- c:\winnt\system32\BRTCPCON.DLL

2011-10-04 13:09 . 2006-12-21 02:23 176128 ----a-w- c:\winnt\system32\BROSNMP.DLL

2011-10-04 13:09 . 2004-08-09 06:42 77824 ----a-w- c:\winnt\system32\BRLMW03A.DLL

2011-10-04 13:09 . 2010-04-02 05:33 25299 ----a-w- c:\winnt\system32\BRLM03A.DLL

2011-09-26 11:34 . 2011-09-26 11:34 -------- d-----w- d:\documents and settings\debacker\Application Data\McAfee

2011-09-26 10:03 . 2011-10-17 13:18 -------- d-----w- C:\Temp_Backup

2011-09-26 10:02 . 2011-09-26 10:03 -------- d-----w- d:\documents and settings\adm_1sd21

2011-09-26 08:37 . 2011-09-26 08:37 -------- d-sh--w- d:\documents and settings\Administrator\PrivacIE

2011-09-26 08:36 . 2011-09-26 08:36 -------- d-----w- d:\documents and settings\Administrator\Local Settings\Application Data\IBM

2011-09-26 08:25 . 2011-09-26 08:25 -------- d-----w- d:\documents and settings\Administrator\Application Data\McAfee

2011-09-26 08:25 . 2011-09-26 08:25 -------- d-----w- d:\documents and settings\Administrator\Application Data\Stardock

2011-09-26 08:23 . 2011-09-26 08:23 -------- d-sh--w- d:\documents and settings\Administrator\IETldCache

.

.

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-18 12:01 . 2011-03-24 05:08 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-02-04 18:07 . 2010-06-18 16:02 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-10-21_06.06.48 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-10-21 09:27 . 2011-10-21 09:27 16384 c:\winnt\Temp\Perflib_Perfdata_790.dat

+ 2011-10-04 09:02 . 2011-10-24 13:26 23040 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2011-10-04 09:02 . 2011-10-20 11:03 23040 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\unbndico.exe

+ 2011-10-04 09:02 . 2011-10-24 13:26 61440 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\pubs.exe

- 2011-10-04 09:02 . 2011-10-20 11:02 61440 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\pubs.exe

- 2011-10-04 09:02 . 2011-10-20 11:03 27136 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2011-10-04 09:02 . 2011-10-24 13:26 27136 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2011-08-16 08:55 . 2011-10-20 11:02 11264 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\mspicons.exe

+ 2011-08-16 08:55 . 2011-10-24 13:26 11264 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2011-10-04 09:02 . 2011-10-20 11:02 86016 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\inficon.exe

+ 2011-10-04 09:02 . 2011-10-24 13:26 86016 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\inficon.exe

- 2011-08-16 08:55 . 2011-10-20 11:02 12288 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2011-08-16 08:55 . 2011-10-24 13:26 12288 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2011-10-04 09:02 . 2011-10-24 13:26 4096 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2011-10-04 09:02 . 2011-10-20 11:03 4096 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2011-08-16 08:55 . 2011-10-24 13:26 409600 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\xlicons.exe

- 2011-08-16 08:55 . 2011-10-20 11:02 409600 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2011-08-16 08:55 . 2011-10-24 13:26 286720 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2011-08-16 08:55 . 2011-10-20 11:02 286720 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2011-08-16 08:55 . 2011-10-20 11:02 249856 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2011-08-16 08:55 . 2011-10-24 13:26 249856 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2011-10-04 09:02 . 2011-10-24 13:26 794624 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2011-10-04 09:02 . 2011-10-20 11:03 794624 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2011-08-16 08:55 . 2011-10-20 11:02 135168 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2011-08-16 08:55 . 2011-10-24 13:26 135168 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2011-08-16 08:55 . 2011-10-20 11:02 593920 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\accicons.exe

+ 2011-08-16 08:55 . 2011-10-24 13:26 593920 c:\winnt\Installer\{90110413-6000-11D3-8CFE-0150048383C9}\accicons.exe

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-02-04 124224]

"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2007-02-20 1191936]

"Logon"="c:\winnt\system32\loglogon.exe" [2008-07-23 199989]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-06-08 333120]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

"Launch SilverCrest OMC807"="c:\program files\SilverCrest OMC807 Driver\MouClient_FD2_9063RL.exe" [2010-06-28 860160]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\winnt\system32\CTFMON.EXE" [2008-04-14 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\winnt\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe" [2010-10-12 232912]

.

d:\documents and settings\pgadebac\Menu Start\Programma's\Opstarten\

Stickies.lnk - c:\program files\Stickies\stickies.exe [2008-8-28 765952]

.

d:\documents and settings\All Users\Menu Start\Programma's\Opstarten\

Adobe Acrobat Snelle start.lnk - c:\winnt\Installer\{AC76BA86-1030-D700-7760-100000000002}\SC_Acrobat.exe [2008-10-22 25214]

Taakbalkpictogram van Connected.LNK - c:\program files\Connected\CBSysTray.exe [2008-9-30 114688]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SoftwareSASGeneration"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoResolveTrack"= 1 (0x1)

"NoFileAssociate"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files\Stardock\Fences\FencesMenu.dll" [2009-10-02 128360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]

2008-02-20 14:13 49152 ----a-w- c:\winnt\system32\pcsinst.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-667808998-3646381641-2365837644-12977\Scripts\Logon\0\0]

"Script"=\\10.20.129.10\backuppc\Installpcbackup.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-667808998-3646381641-2365837644-28925\Scripts\Logon\0\0]

"Script"=\\10.20.129.10\backuppc\Installpcbackup.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-667808998-3646381641-2365837644-6869\Scripts\Logon\0\0]

"Script"=deontologieLaunch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-667808998-3646381641-2365837644-6869\Scripts\Logon\1\0]

"Script"=\\finbel\findata\minfin\Deployment\BackupPC\Installpcbackup.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-667808998-3646381641-2365837644-83173\Scripts\Logon\0\0]

"Script"=\\10.20.129.10\backuppc\Installpcbackup.vbs

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-667808998-3646381641-2365837644-83611\Scripts\Logon\0\0]

"Script"=\\finbel\findata\minfin\Deployment\BackupPC\Installpcbackup.vbs

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

.

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Gamma Loader.lnk]

backup=c:\winnt\pss\Adobe Gamma Loader.lnkCommon Startup

.

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Bluetooth Manager.lnk]

backup=c:\winnt\pss\Bluetooth Manager.lnkCommon Startup

.

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Windows Search.lnk]

backup=c:\winnt\pss\Windows Search.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\beid]

2010-02-05 11:29 2056192 ----a-w- c:\program files\Belgium Identity Card\beid35gui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]

2007-02-20 10:29 1191936 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2008-12-01 05:12 133104 ----atw- d:\documents and settings\pgadebac\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intoan]

2005-09-29 17:34 4549632 ----a-w- c:\program files\Intoan\Agent\IntoanAgent.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]

2006-09-11 02:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2011-07-06 17:52 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NOTESMON]

2006-12-12 15:39 80896 ----a-w- c:\program files\AddInForLotusNotes\notesmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]

2011-02-04 18:07 124224 ----a-w- c:\program files\McAfee\VirusScan Enterprise\shstat.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2011-01-07 11:12 253672 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\communicatork9.exe"=

"c:\\WINNT\\system32\\mmc.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

"d:\\Data\\Mijn documenten\\PATRICK NIOD\\ONDERHOUD PC\\uTorrent.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

.

R0 sptd;sptd;c:\winnt\system32\drivers\sptd.sys [26/08/2010 18:37 691696]

R1 HttpDisk;HttpDisk;c:\winnt\system32\drivers\httpdisk.sys [17/07/2008 9:54 14592]

R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\winnt\system32\drivers\CdpPacket.sys [24/01/2008 18:47 35692]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [19/03/2009 19:10 712048]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [19/03/2009 19:10 712048]

R2 pdlndldl6;IBM Enterprise Extender (HPR/IPv6);c:\winnt\system32\drivers\pdlndldl6.sys [20/02/2008 16:13 70656]

R2 vnccom;vnccom;c:\winnt\system32\drivers\vnccom.SYS [17/07/2008 9:12 6016]

R3 bbcap;bbcap;c:\winnt\system32\drivers\bbcap.sys [15/01/2009 21:11 4096]

S0 crpf;crpf;c:\winnt\system32\drivers\crpf.sys --> c:\winnt\system32\drivers\crpf.sys [?]

S0 csdf;cdsf;c:\winnt\system32\drivers\csdf.sys --> c:\winnt\system32\drivers\csdf.sys [?]

S2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15/01/2010 7:39 135664]

S2 gupdate1c9c883e3eb492;Google Updateservice (gupdate1c9c883e3eb492);c:\program files\Google\Update\GoogleUpdate.exe [15/01/2010 7:39 135664]

S2 SSPORT;SSPORT;\??\c:\winnt\system32\Drivers\SSPORT.sys --> c:\winnt\system32\Drivers\SSPORT.sys [?]

S3 ACSSCR;ACR38 Smart Card Reader;c:\winnt\system32\drivers\a38usb.sys [29/09/2008 20:55 33536]

S3 GTUQBUS;GT UQ BUS;c:\winnt\system32\drivers\gtuqbus.sys [13/02/2009 15:32 37120]

S3 gupdatem;Google Update-service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [15/01/2010 7:39 135664]

S3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;c:\winnt\system32\drivers\ewusbmdm.sys [12/02/2009 14:47 65152]

S3 hwusbapp;HUAWEI Mobile Connect - 3G PC UI Interface;c:\winnt\system32\drivers\ewusbapp.sys [12/02/2009 14:47 65152]

S3 hwusbser;HUAWEI Mobile Connect - 3G Application Interface;c:\winnt\system32\drivers\ewusbser.sys [12/02/2009 14:47 65152]

S3 ImDisk;ImDisk Virtual Disk Driver;c:\winnt\system32\drivers\imdisk.sys [17/03/2008 19:50 19840]

S3 massfilter;ZTE Mass Storage Filter Driver;c:\winnt\system32\drivers\massfilter.sys --> c:\winnt\system32\drivers\massfilter.sys [?]

S3 mferkdet;McAfee Inc. mferkdet;c:\winnt\system32\drivers\mferkdet.sys [18/06/2010 18:02 67240]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Inhoud van de 'Gedeelde Taken' map

.

2011-10-21 c:\winnt\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2010-11-21 09:47]

.

2011-10-24 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-15 05:39]

.

2011-10-24 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-15 05:39]

.

2011-10-19 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-3712614485-1044013603-244294945-1006Core.job

- d:\documents and settings\debacker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-01 20:08]

.

2011-10-24 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-3712614485-1044013603-244294945-1006UA.job

- d:\documents and settings\debacker\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-01 20:08]

.

2011-10-24 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-667808998-3646381641-2365837644-6869Core.job

- d:\documents and settings\pgadebac\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-01 05:12]

.

2011-10-24 c:\winnt\Tasks\GoogleUpdateTaskUserS-1-5-21-667808998-3646381641-2365837644-6869UA.job

- d:\documents and settings\pgadebac\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-01 05:12]

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://intranet/index.php?page=&langue=nl

mStart Page = hxxp://dutch.toggle.com/nl/index.php?rvs=google

uInternet Connection Wizard,ShellNext = hxxp://10.2.31.212/homenl

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

IE: Add to Google Photos Screensa&ver - c:\winnt\system32\GPhotos.scr/200

IE: Converteren naar Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Converteren naar bestaande PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Geselecteerde koppelingen converteren naar Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Geselecteerde koppelingen converteren naar bestaande PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Koppelingsdoel converteren naar Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Koppelingsdoel converteren naar bestaande PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Selectie converteren naar Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Selectie converteren naar bestaande PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: { - c:\program files\Messenger\msmsgs.exe

Trusted Zone: intranet

TCP: DhcpNameServer = 192.168.2.1

DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://mail07-57.finbel.intra/dwa85W.cab

FF - ProfilePath - d:\documents and settings\pgadebac\Application Data\Mozilla\Firefox\Profiles\mn9m13ub.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.be

FF - prefs.js: network.proxy.http - http://intranet/proxy.pac

FF - prefs.js: network.proxy.http_port - 80

FF - prefs.js: network.proxy.type - 2

FF - user.js: browser.blink_allowed - true

FF - user.js: network.prefetch-next - true

FF - user.js: layout.spellcheckDefault - 1

FF - user.js: browser.urlbar.autoFill - false

FF - user.js: browser.search.openintab - false

FF - user.js: browser.tabs.closeButtons - 1

FF - user.js: browser.tabs.opentabfor.middleclick - true

FF - user.js: browser.tabs.tabMinWidth - 100

FF - user.js: browser.urlbar.hideGoButton - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2011-10-24 18:50

Windows 5.1.2600 Service Pack 3 NTFS

.

scannen van verborgen processen ...

.

scannen van verborgen autostart items ...

.

scannen van verborgen bestanden ...

.

Scan succesvol afgerond

verborgen bestanden: 0

.

**************************************************************************

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5d,56,2c,24,e9,d7,d5,43,9c,d4,1b,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5d,56,2c,24,e9,d7,d5,43,9c,d4,1b,\

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•9~*]

"3140110900063D11C8EF10054038389C"="C?\\WINNT\\system32\\FM20ENU.DLL"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–}|ÿÿÿÿÀ•}|ù•9~*]

"3140110900063D11C8EF10054038389C"="C?\\WINNT\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

.

- - - - - - - > 'winlogon.exe'(1364)

c:\winnt\system32\Ati2evxx.dll

c:\winnt\system32\pcsinst.dll

c:\winnt\system32\beidcsp.dll

c:\winnt\system32\beidCSPLib.dll

c:\winnt\system32\beid35DlgsWin32.dll

c:\winnt\system32\beid35common.dll

c:\winnt\system32\beid35cardlayer.dll

.

- - - - - - - > 'explorer.exe'(1876)

c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll

c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll

c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll

c:\winnt\system32\webcheck.dll

c:\program files\Stardock\Fences\FencesMenu.dll

c:\winnt\system32\WPDShServiceObj.dll

c:\program files\stardock\fences\DesktopDock.dll

c:\winnt\system32\PortableDeviceTypes.dll

c:\winnt\system32\PortableDeviceApi.dll

.

Voltooingstijd: 2011-10-24 18:53:43

ComboFix-quarantined-files.txt 2011-10-24 16:53

ComboFix2.txt 2011-10-21 06:09

.

Pre-Run: 19.373.723.648 bytes beschikbaar

Post-Run: 19.349.856.256 bytes beschikbaar

.

- - End Of File - - E53FF81428BB22F73CD7FCAD2D77C8B5

[kweezie wabbit]

De fix is mislukt.

Heb je het scriptje gemaakt met kopieren en plakken van de opgegeven instructie?

Indien niet doe het dan op die manier en voer combofix nogmaals uit door het scriptje op de snelkoppeling te slepen.

[paddepoel]

Ik heb exact gedaan zoals gevraagd. Zie bestandje in bijlage.

Ik probeer nog eens.

CFScript.txt