PCMMediaSharing

kape · 5 juli 2012

Geen probleem ... want zo verschijnen er weer nieuwe ongewenste zaken ;-)

Start Hijackthis op. Selecteer “Scan”. Selecteer alleen de items die hieronder zijn genoemd:

O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)

Klik op 'Fix checked' om de items te verwijderen.

Let op : Windows Vista & 7 gebruikers dienen HijackThis als “administrator” uit te voeren via rechtermuisknop “als administrator uitvoeren". Indien dit via de snelkoppeling niet lukt voer je HijackThis als administrator uit in de volgende map : C:\Program Files\Trend Micro\HiJackThis of C:\Program Files (x86)\Trend Micro\HiJackThis.

Bammens · 5 juli 2012

Ook deze zijn hardnekkig.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 20:54:15, on 5-7-2012

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v7.00 (7.00.6002.18005)

Boot mode: Normal

Running processes:

C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files (x86)\Northstar\SmartCopy\SmartCopy.exe

C:\Program Files (x86)\Northstar\SmartLauncher\SmartLauncher.exe

C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe

C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = iGoogle Redirect

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = iGoogle Redirect

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\IPS\IPSBHO.DLL

O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [PCMMediaSharing] "C:\Program Files (x86)\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide

O4 - HKCU\..\Run: [ProductReg] "C:\Program Files\Acer\WR_PopUp\ProductReg.exe"

O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - Global Startup: SmartCopy.lnk = C:\Program Files (x86)\Northstar\SmartCopy\SmartCopy.exe

O4 - Global Startup: SmartLauncher.lnk = C:\Program Files (x86)\Northstar\SmartLauncher\SmartLauncher.exe

O9 - Extra button: In weblog opnemen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &In weblog opnemen met Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL

O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files (x86)\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)

O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)

O23 - Service: Google Updateservice (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update-service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Process Monitor (LVPrcS64) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)

O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe

O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe

O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe

O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe

O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)

O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)

O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)

O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)

O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe

O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files (x86)\TuneUp Utilities 2012\TuneUpUtilitiesService64.exe

O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)

O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)

O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)

O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--

End of file - 7795 bytes

kape · 6 juli 2012

Wil je - in deze nieuwe situatie - dan eens opnieuw een logje met Combofix maken en dit hier in een berichtje hangen ?

Bammens · 6 juli 2012

Ik bewonder je geduld.

ComboFix 12-07-06.01 - Carl 06-07-2012 10:48:38.2.4 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.31.1043.18.6142.4603 [GMT 2:00]

Gestart vanuit: c:\users\Carl\Downloads\ComboFix.exe

AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\etc\hosts.ics

c:\windows\TEMP\logishrd\LVPrcInj01.dll . . . . konden niet verwijderd worden

c:\windows\TEMP\logishrd\LVPrcInj02.dll . . . . konden niet verwijderd worden

.

(((((((((((((((((((( Bestanden Gemaakt van 2012-06-06 to 2012-07-06 ))))))))))))))))))))))))))))))

.

2012-07-06 08:58 . 2012-07-06 09:01 -------- d-----w- c:\users\Carl\AppData\Local\temp

2012-07-06 08:58 . 2012-07-06 08:58 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-07-05 15:52 . 2012-07-05 15:52 -------- d-----w- C:\found.000

2012-07-04 10:03 . 2012-05-29 15:28 34656 ----a-w- c:\windows\system32\TURegOpt.exe

2012-07-04 10:03 . 2012-05-29 15:27 25952 ----a-w- c:\windows\system32\authuitu.dll

2012-07-04 10:03 . 2012-05-29 15:27 21344 ----a-w- c:\windows\SysWow64\authuitu.dll

2012-07-04 10:02 . 2012-07-04 10:02 -------- d-----w- c:\users\Carl\AppData\Roaming\TuneUp Software

2012-07-04 10:02 . 2012-07-04 10:03 -------- d-----w- c:\program files (x86)\TuneUp Utilities 2012

2012-07-04 10:02 . 2012-07-04 10:04 -------- d-----w- c:\programdata\TuneUp Software

2012-07-04 10:01 . 2012-07-04 10:01 -------- d-sh--w- c:\programdata\{32364CEA-7855-4A3C-B674-53D8E9B97936}

2012-07-04 10:01 . 2012-07-04 10:01 -------- d--h--w- c:\programdata\Common Files

2012-06-15 19:15 . 2012-07-04 09:31 -------- d-----w- c:\program files\CCleaner

2012-06-15 18:59 . 2012-06-15 18:59 -------- d-----w- c:\windows\SysWow64\ca-ES

2012-06-15 18:59 . 2012-06-15 18:59 -------- d-----w- c:\windows\SysWow64\eu-ES

2012-06-15 18:59 . 2012-06-15 18:59 -------- d-----w- c:\windows\SysWow64\vi-VN

2012-06-15 18:59 . 2012-06-15 18:59 -------- d-----w- c:\windows\system32\eu-ES

2012-06-15 18:59 . 2012-06-15 18:59 -------- d-----w- c:\windows\system32\ca-ES

2012-06-15 18:59 . 2012-06-15 18:59 -------- d-----w- c:\windows\system32\vi-VN

2012-06-15 18:53 . 2012-06-15 18:53 -------- d-----w- c:\windows\system32\SPReview

2012-06-15 18:32 . 2009-04-10 22:11 946688 ----a-w- c:\windows\system32\scavenge.dll

2012-06-15 18:32 . 2009-04-10 22:10 56320 ----a-w- c:\windows\system32\compcln.exe

2012-06-15 18:30 . 2009-04-28 11:14 3584 ----a-w- c:\windows\system32\drivers\nl-NL\hdaudbus.sys.mui

2012-06-15 18:29 . 2009-04-28 11:12 8704 ----a-w- c:\windows\system32\drivers\nl-NL\bthport.sys.mui

2012-06-15 18:24 . 2009-04-10 22:11 88576 ----a-w- c:\windows\system32\iassvcs.dll

2012-06-15 18:20 . 2012-06-15 18:20 -------- d-----w- c:\windows\system32\EventProviders

2012-06-15 18:18 . 2012-06-15 19:02 -------- d-----w- c:\windows\system32\drivers\NISx64\1207020.003

2012-06-15 11:01 . 2012-06-15 11:01 887888 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

2012-06-15 10:12 . 2012-06-15 10:12 388096 ----a-r- c:\users\Carl\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2012-06-15 10:12 . 2012-06-15 10:12 -------- d-----w- c:\program files (x86)\Trend Micro

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

((((((((((((((((((((((((((((( SnapShot@2012-07-05_14.25.21 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-01-21 02:23 . 2012-07-05 18:17 58226 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin

+ 2006-11-02 15:45 . 2012-07-06 08:42 88202 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin

+ 2010-11-25 14:47 . 2012-07-06 08:42 11634 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3181810260-507779967-866044231-1000_UserData.bin

+ 2010-11-25 14:43 . 2012-07-05 18:58 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2010-11-25 14:43 . 2012-07-04 10:03 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2010-11-25 14:43 . 2012-07-04 10:03 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2010-11-25 14:43 . 2012-07-05 18:58 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2010-11-25 14:43 . 2012-07-04 10:03 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2010-11-25 14:43 . 2012-07-05 18:58 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2010-11-29 16:38 . 2012-07-04 08:45 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-11-29 16:38 . 2012-07-05 18:16 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2010-11-29 16:38 . 2012-07-04 08:45 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2010-11-29 16:38 . 2012-07-05 18:16 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2010-11-29 16:38 . 2012-07-05 18:16 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2010-11-29 16:38 . 2012-07-04 08:45 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2010-11-28 10:10 . 2012-07-05 14:25 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-11-28 10:10 . 2012-07-06 09:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2010-11-28 10:10 . 2012-07-06 09:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2010-11-28 10:10 . 2012-07-05 14:25 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

+ 2012-07-06 09:00 . 2012-07-06 09:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2012-07-06 09:00 . 2012-07-06 09:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2012-07-05 14:24 . 2012-07-05 14:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2012-07-05 14:25 . 2009-10-06 23:46 131608 c:\windows\Temp\logishrd\LVPrcInj02.dll

+ 2012-07-06 09:00 . 2009-10-06 23:46 131608 c:\windows\Temp\logishrd\LVPrcInj02.dll

+ 2012-07-06 09:00 . 2009-10-06 23:47 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll

- 2012-07-05 14:25 . 2009-10-06 23:47 109080 c:\windows\Temp\logishrd\LVPrcInj01.dll

- 2008-01-21 08:09 . 2012-07-05 14:18 667114 c:\windows\system32\perfh013.dat

+ 2008-01-21 08:09 . 2012-07-06 08:47 667114 c:\windows\system32\perfh013.dat

- 2006-11-02 12:46 . 2012-07-05 14:18 586980 c:\windows\system32\perfh009.dat

+ 2006-11-02 12:46 . 2012-07-06 08:47 586980 c:\windows\system32\perfh009.dat

- 2008-01-21 08:09 . 2012-07-05 14:18 126648 c:\windows\system32\perfc013.dat

+ 2008-01-21 08:09 . 2012-07-06 08:47 126648 c:\windows\system32\perfc013.dat

- 2006-11-02 12:46 . 2012-07-05 14:18 101052 c:\windows\system32\perfc009.dat

+ 2006-11-02 12:46 . 2012-07-06 08:47 101052 c:\windows\system32\perfc009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ProductReg"="c:\program files\Acer\WR_PopUp\ProductReg.exe" [2008-11-17 135168]

"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-11-25 68856]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"PCMMediaSharing"="c:\program files (x86)\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2008-05-20 204908]

"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

SmartCopy.lnk - c:\program files (x86)\Northstar\SmartCopy\SmartCopy.exe [2010-11-25 319488]

SmartLauncher.lnk - c:\program files (x86)\Northstar\SmartLauncher\SmartLauncher.exe [2010-11-25 339968]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

.

S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files (x86)\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-05-20 269448]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

Themes

.

Inhoud van de 'Gedeelde Taken' map

.

2012-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-25 19:41]

.

2012-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-11-25 19:41]

.

--------- X64 Entries -----------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-08-18 333344]

"RtHDVCpl"="RAVCpl64.exe" [2008-09-18 6495264]

"Skytel"="Skytel.exe" [2008-09-18 1833504]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-09 15941152]

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.google.nl/

uLocal Page = c:\windows\system32\blank.htm

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0413&s=1&o=vp64&d=1110&m=aspire_m7711

mLocal Page = %SystemRoot%\system32\blank.htm

TCP: DhcpNameServer = 212.54.35.25 212.54.40.25

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]

"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\Windows\\SysWow64\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,2a,11,40,94,3a,

52,1d,0d,e2,63,26,f1,3f,c8,ff,68,be,85,04,24,cc,59,08,42,e2,63,26,f1,3f,c8,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\Windows\\SysWow64\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,06,96,0a,19,46,

43,cd,e2,6a,9c,d6,61,af,45,84,18,b2,2a,e8,f5,ba,ca,00,1a,6a,9c,d6,61,af,45,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\Windows\\SysWow64\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,c0,e0,06,d6,ba,

13,7f,8a,ff,7c,85,e0,43,d4,0e,fe,2d,de,f7,6c,66,04,52,92,ff,7c,85,e0,43,d4,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\Windows\\SysWow64\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,5b,65,52,cc,35,

19,98,88,86,8c,21,01,be,91,eb,e7,6c,71,a5,6b,0c,aa,67,07,86,8c,21,01,be,91,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\Windows\\SysWow64\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,bf,b9,93,85,0d,

0a,f2,5c,f5,1d,4d,73,a8,13,5c,05,b4,7d,f0,5b,7e,12,8f,7f,f5,1d,4d,73,a8,13,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\Windows\\SysWow64\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,5e,f8,c5,cb,3e,

1a,f6,7c,df,20,58,62,78,6b,cf,c8,d0,eb,f6,51,85,0f,38,b7,df,20,58,62,78,6b,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\Windows\\SysWow64\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,45,f9,3f,5c,07,

53,50,1a,fb,a7,78,e6,12,2f,9a,ea,ad,d2,e1,d0,1b,bb,7c,46,fb,a7,78,e6,12,2f,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@SACL=

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]

@SACL=

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]

@SACL=

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]

@SACL=

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@SACL=

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@SACL=

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@SACL=

@="ShockwaveFlash.ShockwaveFlash.9"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]

@SACL=

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@SACL=

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@SACL=

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@SACL=

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@SACL=

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@SACL=

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]

@SACL=

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@SACL=

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@SACL=

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]

@SACL=

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@SACL=

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@SACL=

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@SACL=

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@SACL=

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]

@Denied: (A 2) (Everyone)

@SACL=

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9f.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]

@SACL=

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]

@SACL=

@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil9f.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]

@SACL=

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\Windows\\SysWow64\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,18,f1,a7,8a,1b,

02,2a,2a,01,3a,48,fc,e8,04,4a,f1,d0,cd,e1,3e,fa,99,b1,31,01,3a,48,fc,e8,04,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\Windows\\SysWow64\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,f0,b9,60,2e,cb,

26,3b,f8,f6,0f,4e,58,98,5b,89,c9,b6,4f,49,85,24,74,c2,5f,f6,0f,4e,58,98,5b,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\Windows\\SysWow64\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,9c,e4,23,45,21,

aa,e4,1f,3d,ce,ea,26,2d,45,aa,78,31,71,bf,d1,d4,97,32,b7,3d,ce,ea,26,2d,45,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\Windows\\SysWow64\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,8f,fa,bf,1a,79,

3e,c8,ad,2a,b7,cc,b5,b9,7f,41,e7,d3,9b,28,28,a8,7c,fe,b9,2a,b7,cc,b5,b9,7f,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\Windows\\SysWow64\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,c3,54,0f,90,ff,

7e,b8,53,6c,43,2d,1e,aa,22,2f,9c,04,88,f9,1f,08,21,9c,10,6c,43,2d,1e,aa,22,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]

@Denied: (A 2) (Everyone)

@SACL=

@="IFlashBroker"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]

@SACL=

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]

@SACL=

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@SACL=

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

@SACL=

@="Shockwave Flash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

@Denied: (A 2) (Everyone)

@SACL=

@=""

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

@SACL=

@="FlashBroker"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\*¶O]

"3140110900063D11C8EF10054038389C"="C?\\Windows\\SysWOW64\\FM20ENU.DLL"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

------------------------ Andere Aktieve Processen ------------------------

.

c:\program files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe

c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe

c:\program files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe

c:\program files (x86)\CyberLink\Shared Files\RichVideo.exe

c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe

c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe

c:\program files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe

.

**************************************************************************

.

Voltooingstijd: 2012-07-06 11:10:35 - machine werd herstart

ComboFix-quarantined-files.txt 2012-07-06 09:10

ComboFix2.txt 2012-07-05 14:28

.

Pre-Run: 199.973.433.344 bytes beschikbaar

Post-Run: 200.071.200.768 bytes beschikbaar

.

- - End Of File - - 99E88A0EC83B2DD565EE81ADEF4E9165

Bammens · 6 juli 2012

Kape, ik weet niet of jullie dat wel eens doen, maar ik heb er geen enkel probleem mee wanneer je in mijn pc kijkt. Laat maar weten wat ik daarvoor moet doen.

kape · 6 juli 2012

Neen, ben niet echt voorstander van dat systeem. We proberen het (voorlopig) nog even verder op de gewone manier.

Open een kladblokbestand.

Kopieer en plak daarin de onderstaande vetgedrukte tekst.

File::

c:\windows\Temp\logishrd\LVPrcInj02.dll

c:\windows\Temp\logishrd\LVPrcInj01.dll

Folder::

C:\found.000

Sla dit bestand op je bureaublad op als CFScript.

Sleep CFScript.txt in ComboFix.exe

Dit zal ComboFix doen herstarten. Start opnieuw op als dat gevraagd wordt.

Post na herstart de inhoud van de Combofix.txt in je volgende bericht.

Bammens · 6 juli 2012

ComboFix 12-07-06.01 - Carl 06-07-2012 12:19:08.3.4 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.31.1043.18.6142.4713 [GMT 2:00]

Gestart vanuit: c:\users\Carl\Downloads\ComboFix.exe

gebruikte Opdracht switches :: c:\users\Carl\Desktop\CFScript.txt

AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

FILE ::

"c:\windows\Temp\logishrd\LVPrcInj01.dll"

"c:\windows\Temp\logishrd\LVPrcInj02.dll"

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\found.000

c:\found.000\file0000.chk

c:\windows\system32\drivers\etc\hosts.ics

c:\windows\TEMP\logishrd\LVPrcInj01.dll . . . . konden niet verwijderd worden

c:\windows\TEMP\logishrd\LVPrcInj02.dll . . . . konden niet verwijderd worden

.

(((((((((((((((((((( Bestanden Gemaakt van 2012-06-06 to 2012-07-06 ))))))))))))))))))))))))))))))

.

2012-07-06 10:29 . 2012-07-06 10:31 -------- d-----w- c:\users\Carl\AppData\Local\temp

2012-07-06 10:29 . 2012-07-06 10:29 -------- d-----w- c:\users\Default\AppData\Local\temp