Folders cannot be opened
10-12-2011, 23:52
Post: #1
Folders cannot be opened
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:42:41, on 10-12-2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17103)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\ztoolkit\drivers\media\idt high definition audio codec\STacSV.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\PC Tools Security\pctsAuxs.exe
C:\Program Files\PC Tools Security\pctsSvc.exe
C:\WINDOWS\Installer\MSI38.tmp
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\uphclean\uphclean.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Tools Security\pctsGui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Novell\ZENworks\nalwin32.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Novell\ZENworks\NalWin.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\gebruiker\Mijn documenten\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rocvantwente.nl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rocvantwente.nl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rocvantwente.nl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer wordt aangeboden door ROC van Twente
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: ThreeShips IEHelper - {17FDB9F8-DCC4-4F6A-AE07-B16018A48469} - C:\Program Files\Common Files\Threeships Shared\DLL\ThreeShipsIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Search-Results Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Search-Results Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAL] nalwin32.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [iPrint Tray] C:\WINDOWS\system32\iprntctl.exe TRAY_ICON
O4 - HKLM\..\Run: [iPrint Event Monitor] C:\WINDOWS\system32\iprntlgn.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools Security\pctsGui.exe" /hideGUI
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [Jububd] C:\Documents and Settings\gebruiker\Application Data\Jububd.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Verzenden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Verz&enden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Advanced SystemCare Service (AdvancedSystemCareService) - IObit - C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Autodesk Content Service - Unknown owner - C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: FLEXnet Licensing Service - Flexera Software, Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Security\pctsSvc.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: SolidPDFToolsCreatorReadSpool (SPDFToolsReadSpool) - Solid Documents, LLC - C:\WINDOWS\Installer\MSI38.tmp
O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\ztoolkit\drivers\media\idt high definition audio codec\STacSV.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe

--
End of file - 13027 bytes


Folders on the USB stick and the external hard drive (via USB) have been changed into shortcuts and can no longer be opened. When double-clicking a folder, a window appears with the message that Windows cannot find folder G;|recycler\470a1245.exe
10-12-2011, 23:54
Post: #2
Folders cannot be opened
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##PERSCL01#SYS]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""
"_LabelFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##PERSCL01#SYS#PUBLIC]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""
"_LabelFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##PERSCL01_VOL1POOL_SERVER#VOL1]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""
"_LabelFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##PERSCL01_VOL1POOL_SERVER#VOL1#APP_DATA_ADM]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""
"_LabelFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##PERSCL01_VOL1POOL_SERVER#VOL1#APP_DATA_ADM#PSOFT]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""
"_LabelFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##PERSCL01_VOL2POOL_SERVER#VOL2#DATA]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""
"_LabelFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##STUDSR01#VOL1#VCD-IMAGES]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""
"_LabelFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##ZENSR01#SYS]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""
"_LabelFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##ZENSR01#SYS#PUBLIC]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""
"_LabelFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##ZENSR01#VOL1]
"BaseClass"="Drive"
"_CommentFromDesktopINI"=""
"_LabelFromDesktopINI"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\I]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2036b2cb-9057-11e0-8beb-705ab6a7a10c}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2036b2cb-9057-11e0-8beb-705ab6a7a10c}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2036b2cb-9057-11e0-8beb-705ab6a7a10c}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2036b2cb-9057-11e0-8beb-705ab6a7a10c}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{37743a12-a56b-11e0-8c0f-705ab6a7a10c}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e687f5a-8c1b-11e0-8bdd-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e687f5b-8c1b-11e0-8bdd-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e687f5c-8c1b-11e0-8bdd-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,cf,5f,5f,5f,5f,cf,cf,5f,5f,\
5f,cf,cf,cf,5f,5f,5f,cf,cf,cf,5f,5f,5f,cf,cf,cf,5f,5f,5f,cf,01,01,00,5f,ee,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,60,00,00,00,10,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4402a753-7f9e-11df-98ea-806d6172696f}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{518566c0-8c34-11e0-8be2-705ab6a7a10c}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6c404c41-802b-11df-b072-986708a60cd0}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,01,00,00,00,08,07,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6c404c41-802b-11df-b072-986708a60cd0}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6c404c41-802b-11df-b072-986708a60cd0}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6c404c41-802b-11df-b072-986708a60cd0}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8abfc7ae-8c76-11e0-8be4-705ab6a7a10c}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,20,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8abfc7ae-8c76-11e0-8be4-705ab6a7a10c}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8abfc7ae-8c76-11e0-8be4-705ab6a7a10c}\_Autorun\DefaultIcon]
@="I:\\WD SmartWare\\SmartWare_CD.ICO"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8abfc7af-8c76-11e0-8be4-705ab6a7a10c}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\
5f,5f,5f,5f,5f,01,00,01,01,ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,01,00,00,00,08,07,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8b4742b1-d08f-11e0-8c3b-705ab6a7a10c}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\
5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8b4742b1-d08f-11e0-8c3b-705ab6a7a10c}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8b4742b1-d08f-11e0-8c3b-705ab6a7a10c}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8b4742b1-d08f-11e0-8c3b-705ab6a7a10c}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9aee2042-7fa6-11df-b06f-806d6172696f}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,01,00,01,01,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,00,20,00,00,00,09,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9aee2042-7fa6-11df-b06f-806d6172696f}\_Autorun]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9aee2042-7fa6-11df-b06f-806d6172696f}\_Autorun\DefaultIcon]
@="D:\\SETUP.EXE,0"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9b99718b-8f44-11e0-8bea-705ab6a7a10c}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\
5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a36c92fb-0bad-11e1-8c9e-0026c723c614}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\
5f,5f,5f,5f,5f,00,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,01,01,00,ee,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,02,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a36c92fb-0bad-11e1-8c9e-0026c723c614}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a36c92fb-0bad-11e1-8c9e-0026c723c614}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a36c92fb-0bad-11e1-8c9e-0026c723c614}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b1c88ff4-1455-11e1-8ca9-0026c723c614}]
"BaseClass"="Drive"
"_AutorunStatus"=hex:01,00,01,00,00,01,00,df,df,5f,df,5f,5f,5f,5f,df,df,5f,5f,\
5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,5f,df,df,df,5f,5f,df,\
5f,5f,5f,5f,5f,cf,5f,5f,5f,5f,5f,cf,cf,5f,5f,5f,5f,cf,cf,cf,cf,cf,01,01,01,\
ee,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,10,00,00,08,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b1c88ff4-1455-11e1-8ca9-0026c723c614}\shell]
@="None"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b1c88ff4-1455-11e1-8ca9-0026c723c614}\shell\Autoplay]
"MUIVerb"="@shell32.dll,-8504"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b1c88ff4-1455-11e1-8ca9-0026c723c614}\shell\Autoplay\DropTarget]
"CLSID"="{f26a669a-bcbb-4e37-abf9-7325da15f931}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3e687f5a-8c1b-11e0-8bdd-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3e687f5c-8c1b-11e0-8bdd-806d6172696f}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{518566c0-8c34-11e0-8be2-705ab6a7a10c}]
"Generation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9b99718b-8f44-11e0-8bea-705ab6a7a10c}]
"Generation"=dword:00000001

Folders on the USB stick and the external hard drive (connected via USB) have been changed into shortcuts and can no longer be opened. When double-clicking a folder, a window appears with the message that Windows cannot find mapG;|recycler\470a1245.exe
11-12-2011, 13:02
Post: #3
RE: folders cannot be opened
Hi,

I have merged your posts.

First of all, uninstall the Ask Toolbar, as it is not recommended.
Restart your PC afterwards.

After that, start HijackThis again > click Scan and tick the following lines:

R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O2 - BHO: Search-Results Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Search-Results Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKCU\..\Run: [Jububd] C:\Documents and Settings\gebruiker\Application Data\Jububd.exe


Click Fix checked at the bottom.

After that, visit the following page with the instructions for downloading and using Combofix.

http://www.bleepingcomputer.com/combofix...-te-worden

Then post the Combofix log in your next post.

Extra note... Make sure your security software (antivirus, firewall, antispyware) is disabled while using Combofix. This is because these scanners will wrongly flag certain components that Combofix uses as infected (for example Prep.com) and will block Combofix. Click this link if you do not know how to disable your antivirus, firewall and/or antispyware scanner.

Microsoft MVP - Consumer Security
Director of Research @ Malwarebytes
27-12-2011, 23:00
Post: #4
RE: folders cannot be opened
ComboFix 11-12-27.01 - gebruiker 27-12-2011 21:42:40.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.2991.2088 [GMT 1:00]
Gestart vanuit: c:\documents and settings\gebruiker\Mijn documenten\Downloads\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\afk01\Application Data\Adobe\plugs
c:\documents and settings\afk01\Application Data\Adobe\plugs\mmc169
c:\documents and settings\afk01\Application Data\Adobe\shed
c:\documents and settings\afk01\Application Data\bWeZgJXLtg.txt
c:\documents and settings\afk01\Application Data\Secure-Soft Bot
c:\documents and settings\afk01\Application Data\Secure-Soft Bot\Kopie (2) van 15 Eboeken Nicci French, - Ebooks, NL - By Pixarr.exe
c:\documents and settings\afk01\Application Data\Secure-Soft Bot\Kopie (2) van Persistance.exe
c:\documents and settings\afk01\Application Data\Secure-Soft Bot\Kopie van 15 Eboeken Nicci French, - Ebooks, NL - By Pixarr.exe
c:\documents and settings\afk01\Application Data\Secure-Soft Bot\Kopie van Persistance.exe
c:\documents and settings\afk01\Application Data\xzcxnkowposb.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\default_user_class.dat.LOG
c:\windows\system32\NWGINA.DLL
c:\windows\system32\SET29E.tmp
c:\windows\system32\SET29F.tmp
c:\windows\system32\SET2A0.tmp
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2011-11-27 to 2011-12-27 ))))))))))))))))))))))))))))))
.
.
2011-12-18 09:22 . 2011-12-18 09:22 -------- d-----w- c:\program files\Common Files\ParetoLogic
2011-12-18 09:22 . 2011-12-18 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2011-12-18 09:22 . 2011-12-18 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Cached Installations
2011-12-18 09:15 . 2011-12-18 09:15 -------- d-----w- C:\1 FAT32
2011-12-18 08:36 . 2011-12-18 08:36 -------- d-----w- c:\program files\EASEUS
2011-12-18 08:31 . 2011-12-18 08:36 -------- d-----w- c:\documents and settings\gebruiker\Local Settings\Application Data\Temp
2011-12-18 08:31 . 2011-12-18 08:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-12-18 08:30 . 2011-12-18 08:36 -------- d-----w- c:\documents and settings\gebruiker\Local Settings\Application Data\Google
2011-12-18 08:30 . 2011-12-18 08:31 -------- d-----w- c:\program files\Google
2011-12-12 22:24 . 2011-12-12 22:24 -------- d-----w- c:\documents and settings\gebruiker\Local Settings\Application Data\PCHealth
2011-12-12 19:51 . 2011-12-12 20:01 -------- d-----w- c:\documents and settings\gebruiker\Application Data\GrabIt
2011-12-11 20:55 . 2011-12-11 20:55 -------- d-----w- c:\documents and settings\NetworkService\Bureaublad
2011-12-09 22:22 . 2011-12-12 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-12-08 20:24 . 2011-12-08 20:24 -------- d-----w- c:\documents and settings\gebruiker\Application Data\Malwarebytes
2011-12-06 22:59 . 2011-12-02 07:00 545 ----a-w- c:\windows\UC.PIF
2011-12-06 22:59 . 2011-12-06 23:00 -------- d-----w- C:\totalcmd
2011-12-06 22:59 . 2011-12-06 22:59 -------- d-----w- c:\documents and settings\gebruiker\Application Data\GHISLER
2011-12-06 22:59 . 2011-12-02 07:00 545 ----a-w- c:\windows\RAR.PIF
2011-12-06 22:59 . 2011-12-02 07:00 545 ----a-w- c:\windows\LHA.PIF
2011-12-06 22:59 . 2011-12-02 07:00 545 ----a-w- c:\windows\ARJ.PIF
2011-12-05 19:49 . 2011-12-05 19:49 -------- d-----w- c:\documents and settings\gebruiker\Application Data\dvdcss
2011-12-03 22:50 . 2011-12-23 20:31 -------- d-----w- c:\documents and settings\gebruiker\Local Settings\Application Data\QuickPar
2011-12-03 22:48 . 2011-12-18 08:26 -------- d-----w- c:\documents and settings\gebruiker\Downloads
2011-12-03 20:33 . 2011-12-23 22:24 -------- d-----w- c:\documents and settings\gebruiker\Application Data\Nero
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 14:40 . 2009-04-19 19:42 1859712 ----a-w- c:\windows\system32\win32k.sys
2011-11-01 16:07 . 2005-07-26 04:12 1288192 ----a-w- c:\windows\system32\ole32.dll
2011-10-31 23:37 . 2009-09-25 05:28 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:37 . 2005-03-04 09:12 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:37 . 2009-09-25 05:28 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-10-31 23:37 . 2005-03-04 09:11 17408 ----a-w- c:\windows\system32\corpol.dll
2011-10-28 05:32 . 2005-03-04 09:11 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-26 10:50 . 2004-08-03 22:58 2031616 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-26 10:50 . 2004-08-03 22:58 2153472 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-18 11:13 . 2005-03-04 09:24 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2010-06-24 13:48 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-08 19:40 . 2011-06-01 07:07 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-10-08 19:40 . 2011-06-01 07:07 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-12-09 22:19 . 2011-06-01 21:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-09-14 115624]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2010-02-25 287800]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2010-10-13 59992]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2010-10-13 64088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2011-06-15 307200]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2008-01-04 458752]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2009-01-09 03:03 24576 ----a-r- c:\windows\system32\novell\xtnotify.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^afk01^Menu Start^Programma's^Opstarten^ArcGIS License Manager 10 CRACKED.lnk]
backup=c:\windows\pss\ArcGIS License Manager 10 CRACKED.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2009-06-17 10:13 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-09-26 07:49 17353352 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xvwtisofbbqwh]
2011-07-10 05:05 591360 ----a-w- c:\documents and settings\afk01\Application Data\DxpMliOBPx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\dpmw32.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Brother\\Brmfl07b\\FAXRX.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Cracked License Manager 10\\ARCGIS.EXE"=
"c:\\Cracked License Manager 10\\lmgrd.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:Brother Network Scanner
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 NCFilter;Novell UNC Path Filter - Filter;c:\windows\system32\drivers\ncfilter.sys [16-12-2010 9:59 80000]
R0 NCRecognizer;Novell UNC Path Filter - Recognizer;c:\windows\system32\drivers\ncrecognizer.sys [16-12-2010 9:59 90240]
R0 NCUncFilter;Novell UNC Path Filter - UNC Filter;c:\windows\system32\drivers\ncuncfilter.sys [16-12-2010 9:59 14720]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [6-6-2011 18:42 41344]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [11-7-2011 17:29 328536]
R2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [2-2-2011 14:08 18656]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [23-5-2005 13:47 6899]
R2 mapmem;mapmem;c:\windows\system32\mapmem.sys [27-6-2011 18:35 3808]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [28-8-2011 13:49 366152]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [27-5-2009 17:01 167936]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [21-4-2010 13:10 48640]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [21-4-2010 13:10 47616]
R2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [21-4-2010 13:10 38912]
R2 SPDFToolsReadSpool;SolidPDFToolsCreatorReadSpool;c:\windows\Installer\MSI38.tmp [14-7-2011 22:45 180032]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [8-5-2009 14:40 61440]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [22-4-2010 7:14 113664]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [1-6-2011 12:26 227896]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [23-5-2005 13:11 2773]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9-11-2011 10:00 106104]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [21-4-2010 13:11 44800]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [21-4-2010 13:11 125696]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [21-4-2010 13:11 205824]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [28-8-2011 13:49 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18-3-2010 13:16 130384]
S2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18-12-2011 9:31 136176]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [14-9-2011 2:20 23888]
S3 gupdatem;Google Update-service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [18-12-2011 9:31 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4-3-2005 10:13 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18-3-2010 13:16 753504]
.
--- Andere Services/Drivers In Geheugen ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 10:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Inhoud van de 'Gedeelde Taken' map
.
2011-10-21 c:\windows\Tasks\ASC4_AutoCare.job
- c:\program files\IObit\Advanced SystemCare 4\AutoCare.exe [2011-07-11 14:38]
.
2011-12-27 c:\windows\Tasks\ASC4_AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 4\AutoSweep.exe [2011-07-11 14:38]
.
2011-12-18 c:\windows\Tasks\ASC4_AutoUpdate.job
- c:\program files\IObit\Advanced SystemCare 4\AutoUpdate.exe [2011-07-11 15:39]
.
2011-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-18 08:30]
.
2011-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-18 08:30]
.
2011-12-18 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 11:25]
.
2011-12-18 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 11:25]
.
2011-12-24 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-05-17 17:40]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.rocvantwente.nl
mStart Page = hxxp://www.rocvantwente.nl
uInternet Settings,ProxyOverride = <local>
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\gebruiker\Application Data\Mozilla\Firefox\Profiles\try7p0bp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/
.
.
------- Bestandsassociaties -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS VERWIJDERD - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Jububd - c:\documents and settings\gebruiker\Application Data\Jububd.exe
HKLM-Run-NAL - nalwin32.exe
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-27 21:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SPDFToolsReadSpool]
"ImagePath"="c:\windows\Installer\MSI38.tmp"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
.
- - - - - - - > 'explorer.exe'(3268)
c:\windows\system32\AcSignIcon.dll
d:\program files\Autodesk\Inventor Fusion 2012\AcSignCore16.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\ztoolkit\drivers\media\idt high definition audio codec\STacSV.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Novell\ZENworks\nalntsrv.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\uphclean\uphclean.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\NWTRAY.EXE
c:\program files\Novell\ZENworks\nalwin32.exe
c:\program files\Novell\ZENworks\NalWin.exe
c:\program files\Novell\ZENworks\NalAgent.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Brother\Brmfcmon\BrMfimon.exe
.
**************************************************************************
.
Voltooingstijd: 2011-12-27 21:53:38 - machine werd herstart
ComboFix-quarantined-files.txt 2011-12-27 20:53
.
Pre-Run: 6.461.423.616 bytes beschikbaar
Post-Run: 6.225.072.128 bytes beschikbaar
.
WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 2493FD1095D12806B207D886B7F318B7







27-12-2011, 23:26
Post: #5
RE: folders cannot be opened
Hi,

Have you ever wondered how you got infected? From your log I can see that you are not afraid to use cracks. In that case it is entirely normal for your PC to get infected, because most of these cracks are malware that steals data from your PC, such as all your passwords, and causes extra damage to the PC. So stay away from crack sites/cracks from now on.

In any case....

* Open Notepad - Do not use any text editor other than Notepad, or the script will fail!
Copy and paste what is shown in bold below into Notepad:

File::
c:\windows\UC.PIF
c:\windows\RAR.PIF
c:\windows\LHA.PIF
c:\windows\ARJ.PIF
c:\windows\pss\ArcGIS License Manager 10 CRACKED.lnkStartup
c:\documents and settings\afk01\Application Data\DxpMliOBPx.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xvwtisofbbqwh]


Save this as a text file named CFScript

Then drag the CFScript onto ComboFix.exe as shown in the screenshot below:

[Image: CFScript.gif]

This will start Combofix again. After your computer restarts (if it asks to restart), copy and paste the contents of Combofix.txt into your next post together with a new HijackThis log.

When you ran Combofix, were the USB stick and the external hard drive connected? If not, it cannot know whether or not an autorun.inf file is still present there.

Therefore, to be safe, download the following tool:
http://download.bleepingcomputer.com/sUB...fector.exe
Place it on your desktop.
Double-click it to start Flash_Disinfector.exe. Follow the instructions the tool gives (so it will also ask you to plug in your USB stick, etc.)

Restart your PC once this is done and let me know how things stand with your problem afterwards.

27-12-2011, 23:56 (This post was last edited on 28-12-2011 at 00:24 by miekiemoes.)
Post: #6
RE: folders cannot be opened
ComboFix 11-12-27.01 - gebruiker 27-12-2011 22:48:08.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.2991.2212 [GMT 1:00]
Gestart vanuit: c:\documents and settings\gebruiker\Bureaublad\ComboFix.exe
gebruikte Opdracht switches :: c:\documents and settings\gebruiker\Bureaublad\CFScript.txt
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
FILE ::
"c:\documents and settings\afk01\Application Data\DxpMliOBPx.exe"
"c:\windows\ARJ.PIF"
"c:\windows\LHA.PIF"
"c:\windows\pss\ArcGIS License Manager 10 CRACKED.lnkStartup"
"c:\windows\RAR.PIF"
"c:\windows\UC.PIF"
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\afk01\Application Data\DxpMliOBPx.exe
c:\windows\ARJ.PIF
c:\windows\LHA.PIF
c:\windows\pss\ArcGIS License Manager 10 CRACKED.lnkStartup
c:\windows\RAR.PIF
c:\windows\UC.PIF
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2011-11-27 to 2011-12-27 ))))))))))))))))))))))))))))))
.
.
2011-12-18 09:22 . 2011-12-18 09:22 -------- d-----w- c:\program files\Common Files\ParetoLogic
2011-12-18 09:22 . 2011-12-18 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2011-12-18 09:22 . 2011-12-18 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Cached Installations
2011-12-18 09:15 . 2011-12-18 09:15 -------- d-----w- C:\1 FAT32
2011-12-18 08:36 . 2011-12-18 08:36 -------- d-----w- c:\program files\EASEUS
2011-12-18 08:31 . 2011-12-18 08:36 -------- d-----w- c:\documents and settings\gebruiker\Local Settings\Application Data\Temp
2011-12-18 08:31 . 2011-12-18 08:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-12-18 08:30 . 2011-12-18 08:36 -------- d-----w- c:\documents and settings\gebruiker\Local Settings\Application Data\Google
2011-12-18 08:30 . 2011-12-18 08:31 -------- d-----w- c:\program files\Google
2011-12-12 22:24 . 2011-12-12 22:24 -------- d-----w- c:\documents and settings\gebruiker\Local Settings\Application Data\PCHealth
2011-12-12 19:51 . 2011-12-12 20:01 -------- d-----w- c:\documents and settings\gebruiker\Application Data\GrabIt
2011-12-11 20:55 . 2011-12-11 20:55 -------- d-----w- c:\documents and settings\NetworkService\Bureaublad
2011-12-09 22:22 . 2011-12-12 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-12-08 20:24 . 2011-12-08 20:24 -------- d-----w- c:\documents and settings\gebruiker\Application Data\Malwarebytes
2011-12-06 22:59 . 2011-12-06 23:00 -------- d-----w- C:\totalcmd
2011-12-06 22:59 . 2011-12-06 22:59 -------- d-----w- c:\documents and settings\gebruiker\Application Data\GHISLER
2011-12-05 19:49 . 2011-12-05 19:49 -------- d-----w- c:\documents and settings\gebruiker\Application Data\dvdcss
2011-12-03 22:50 . 2011-12-23 20:31 -------- d-----w- c:\documents and settings\gebruiker\Local Settings\Application Data\QuickPar
2011-12-03 22:48 . 2011-12-18 08:26 -------- d-----w- c:\documents and settings\gebruiker\Downloads
2011-12-03 20:33 . 2011-12-23 22:24 -------- d-----w- c:\documents and settings\gebruiker\Application Data\Nero
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 14:40 . 2009-04-19 19:42 1859712 ----a-w- c:\windows\system32\win32k.sys
2011-11-01 16:07 . 2005-07-26 04:12 1288192 ----a-w- c:\windows\system32\ole32.dll
2011-10-31 23:37 . 2009-09-25 05:28 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:37 . 2005-03-04 09:12 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:37 . 2009-09-25 05:28 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-10-31 23:37 . 2005-03-04 09:11 17408 ----a-w- c:\windows\system32\corpol.dll
2011-10-28 05:32 . 2005-03-04 09:11 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-26 10:50 . 2004-08-03 22:58 2031616 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-26 10:50 . 2004-08-03 22:58 2153472 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-18 11:13 . 2005-03-04 09:24 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2010-06-24 13:48 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-08 19:40 . 2011-06-01 07:07 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-10-08 19:40 . 2011-06-01 07:07 125488 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-12-09 22:19 . 2011-06-01 21:25 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-27_20.49.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-27 21:49 . 2011-12-27 21:49 16384 c:\windows\Temp\Perflib_Perfdata_a9c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-09-14 115624]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2010-02-25 287800]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2010-10-13 59992]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2010-10-13 64088]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2011-06-15 307200]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2008-01-04 458752]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2009-01-09 03:03 24576 ----a-r- c:\windows\system32\novell\xtnotify.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2009-06-17 10:13 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-09-26 07:49 17353352 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\dpmw32.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Brother\\Brmfl07b\\FAXRX.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Cracked License Manager 10\\ARCGIS.EXE"=
"c:\\Cracked License Manager 10\\lmgrd.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:Brother Network Scanner
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 NCFilter;Novell UNC Path Filter - Filter;c:\windows\system32\drivers\ncfilter.sys [16-12-2010 9:59 80000]
R0 NCRecognizer;Novell UNC Path Filter - Recognizer;c:\windows\system32\drivers\ncrecognizer.sys [16-12-2010 9:59 90240]
R0 NCUncFilter;Novell UNC Path Filter - UNC Filter;c:\windows\system32\drivers\ncuncfilter.sys [16-12-2010 9:59 14720]
R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [6-6-2011 18:42 41344]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [11-7-2011 17:29 328536]
R2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [2-2-2011 14:08 18656]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [23-5-2005 13:47 6899]
R2 mapmem;mapmem;c:\windows\system32\mapmem.sys [27-6-2011 18:35 3808]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [28-8-2011 13:49 366152]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [27-5-2009 17:01 167936]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [21-4-2010 13:10 48640]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [21-4-2010 13:10 47616]
R2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [21-4-2010 13:10 38912]
R2 SPDFToolsReadSpool;SolidPDFToolsCreatorReadSpool;c:\windows\Installer\MSI38.tmp [14-7-2011 22:45 180032]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [8-5-2009 14:40 61440]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [22-4-2010 7:14 113664]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [1-6-2011 12:26 227896]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [23-5-2005 13:11 2773]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9-11-2011 10:00 106104]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [21-4-2010 13:11 44800]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [21-4-2010 13:11 125696]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [21-4-2010 13:11 205824]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [28-8-2011 13:49 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18-3-2010 13:16 130384]
S2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18-12-2011 9:31 136176]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [14-9-2011 2:20 23888]
S3 gupdatem;Google Update-service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [18-12-2011 9:31 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4-3-2005 10:13 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18-3-2010 13:16 753504]
.
--- Andere Services/Drivers In Geheugen ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 10:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Inhoud van de 'Gedeelde Taken' map
.
2011-10-21 c:\windows\Tasks\ASC4_AutoCare.job
- c:\program files\IObit\Advanced SystemCare 4\AutoCare.exe [2011-07-11 14:38]
.
2011-12-27 c:\windows\Tasks\ASC4_AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 4\AutoSweep.exe [2011-07-11 14:38]
.
2011-12-18 c:\windows\Tasks\ASC4_AutoUpdate.job
- c:\program files\IObit\Advanced SystemCare 4\AutoUpdate.exe [2011-07-11 15:39]
.
2011-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-18 08:30]
.
2011-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-12-18 08:30]
.
2011-12-18 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 11:25]
.
2011-12-18 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 11:25]
.
2011-12-27 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-05-17 17:40]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.rocvantwente.nl
mStart Page = hxxp://www.rocvantwente.nl
uInternet Settings,ProxyOverride = <local>
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\gebruiker\Application Data\Mozilla\Firefox\Profiles\try7p0bp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-27 22:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SPDFToolsReadSpool]
"ImagePath"="c:\windows\Installer\MSI38.tmp"
.
Voltooingstijd: 2011-12-27 22:52:04
ComboFix-quarantined-files.txt 2011-12-27 21:52
ComboFix2.txt 2011-12-27 20:53
.
Pre-Run: 6.223.446.016 bytes beschikbaar
Post-Run: 6.206.865.408 bytes beschikbaar
.
- - End Of File - - 6A5E9D6994FDBED5D164F7CE8E975309







(27-12-2011 23:26) miekiemoes wrote: Hi,

Have you ever wondered how you got infected? From your log I can see that you are not afraid to use cracks. Then it is entirely normal for your PC to get infected, because most of these cracks are malware that steals data from your PC, such as all your passwords, and does additional damage to the PC. So stay away from crack sites/cracks from now on.

In any case....

* Open Notepad - Do not use any text editor other than Notepad, or the script will fail!
Copy and paste what is shown in bold below into Notepad:

File::
c:\windows\UC.PIF
c:\windows\RAR.PIF
c:\windows\LHA.PIF
c:\windows\ARJ.PIF
c:\windows\pss\ArcGIS License Manager 10 CRACKED.lnkStartup
c:\documents and settings\afk01\Application Data\DxpMliOBPx.exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xvwtisofbbqwh]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as shown in the screenshot below:

[Image: CFScript.gif]

This will restart Combofix. After your computer restarts (if it asks to restart), copy and paste the contents of Combofix.txt into your next post, together with a new HijackThis log.

When you ran Combofix, were the USB drive and the external hard disk connected? If not, it cannot know whether an autorun.inf file is still present there.

So, to be safe, download the following tool:
http://download.bleepingcomputer.com/sUB...fector.exe
Place it on your desktop.
Double-click it to start Flash_Disinfector.exe. Follow the instructions the tool gives (so it will also ask you to plug in your USB drive, etc.)

Restart your PC after this is done and let me know how your problem is afterwards.
28-12-2011, 00:04
Post: #7
RE: folders cannot be opened
I ran Flash_Disinfector.exe and restarted the computer. The problem remains. The folders on the USB drive are still shortcuts.


28-12-2011, 00:23 (This post was last edited on 28-12-2011 at 00:23 by miekiemoes.)
Post: #8
RE: folders cannot be opened
Hi,

Quote: The folders on the USB drive are still shortcuts
Your folders are still there, don't worry. It is the worm that created shortcuts for them and hid your actual folders.
Go to Start > Run and type cmd
The command prompt will open.
Type the following into it and press Enter:

attrib -h -r -s /s /d x:\*.*

Note: you do have to replace the x here with the letter of your USB drive. In many cases this is F or G.
After that you can delete the 'shortcuts'.

Microsoft MVP - Consumer Security
Director of Research @ Malwarebytes
28-12-2011, 00:51
Post: #9
RE: folders cannot be opened
The folders can be opened again. I deleted the shortcuts. You are amazing.
I do get the following message after running attrib: "Kan kenmerk niet wijzigen= G:\autorun.inf\lpt3. This folder was created by Flash Disinfector."

Miekiemoes, I have the same problem on another laptop. I have posted a HijackThis log and a look.bat log. I probably cannot perform the same steps as on my first laptop. The first belongs to my employer and the second to my wife.
In the future I will no longer "cheat" with the cracks.




28-12-2011, 01:00
Post: #10
RE: folders cannot be opened
Hi,

Quote: I do get the following message after running attrib: "Kan kenmerk niet wijzigen= G:\autorun.inf\lpt3. This folder was created by Flash Disinfector."

Correct, and that is normal, because the file lpt3. is not accessible. This is a folder with a "reserved file name" that Flashdisinfector created. This prevents a new USB infection from placing an autorun.inf file on your USB drive, since a folder with that name is already present, containing a file that "cannot be deleted". In other words, Flashdisinfector has made sure that this USB drive can no longer be infected by means of autorun.inf. :)

Quote: Miekiemoes, I have the same problem on another laptop. I have posted a HijackThis log and a look.bat log. I probably cannot perform the same steps as on my first laptop. The first belongs to my employer and the second to my wife.
I recommend first using Flashdisinfector on that other PC, so that the infection cannot spread further via USB.
After that, run Combofix as you did before the first time and post the log here. I will then indicate which further steps still need to be done with Combofix to clean up the remnants.

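A read-only check for the two conditions described in posts #8 and #10, added here as an illustration and not part of the thread or of any tool mentioned in it. The function names are hypothetical, and it assumes each decoy shortcut is named after the hidden folder it stands in for (`Photos.lnk` for `Photos`); it only inspects the drive root and changes nothing.

```python
import os
import stat
import sys

# Windows attribute bits that "attrib -h -s" clears (constants exist on all platforms).
HIDDEN_OR_SYSTEM = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM


def windows_is_hidden(path):
    """True if the hidden or system attribute is set (always False off Windows)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & HIDDEN_OR_SYSTEM)


def audit_drive(root, is_hidden=windows_is_hidden):
    """Inspect a drive root for hidden folders shadowed by .lnk decoys and
    report whether the autorun.inf name is taken by a file or a directory."""
    entries = sorted(os.listdir(root))

    # Folders whose hidden/system attribute is set, keyed case-insensitively.
    hidden_dirs = {}
    for name in entries:
        full = os.path.join(root, name)
        if os.path.isdir(full) and is_hidden(full):
            hidden_dirs[name.lower()] = name

    # A shortcut counts as a decoy only if a hidden folder shares its base name
    # (assumption labelled in the lead-in); other .lnk files are left alone.
    decoys = []
    for name in entries:
        stem, ext = os.path.splitext(name)
        if ext.lower() == ".lnk" and stem.lower() in hidden_dirs:
            decoys.append((name, hidden_dirs[stem.lower()]))

    autorun = next((n for n in entries if n.lower() == "autorun.inf"), None)
    if autorun is None:
        state = "absent"      # nothing occupies the name
    elif os.path.isdir(os.path.join(root, autorun)):
        state = "directory"   # name occupied by a folder, as described in post #10
    else:
        state = "file"        # a real autorun.inf file: review its contents
    return {"decoys": decoys,
            "hidden_dirs": sorted(hidden_dirs.values()),
            "autorun": state}


if __name__ == "__main__" and len(sys.argv) == 2:
    report = audit_drive(sys.argv[1])
    for lnk, folder in report["decoys"]:
        print(f"decoy shortcut {lnk!r} shadows hidden folder {folder!r}")
    print("hidden folders:", report["hidden_dirs"])
    print("autorun.inf:", report["autorun"])
```

Run it against the drive root (for example `G:\`) before and after the `attrib` step to confirm that no hidden folders remain and that `autorun.inf` is reported as a directory.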
28-12-2011, 01:06
Post: #11
RE: folders cannot be opened
By the way, I have merged your threads: http://www.mivercon.be/forum/showthread.php?tid=11339
Just post your Combofix log at the bottom of that thread after running Flashdisinfector.

07-04-2012, 17:00
Post: #12
Solved
Since the problem has been solved, this thread is being moved to the "Solved/Inactive HijackThis logs" forum, where you can no longer post, only read.

If you run into problems again within the next few days, please send a PM to one of the Moderators or Administrators to have this thread moved back so that you can be helped further.

For problems that appear after a few weeks, it is better to start a new thread with a new log.
If there are problems that have nothing to do with malware, please start a new thread in the appropriate forum section.
