
Windows command processor infection



Hello Sander and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at support@malwarebytes.org or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Hi,

Hereby the log. Parts are in Dutch, if needed I can translate this.

How can I check if ComboFix is really uninstalled? I got an error during the process (that AVG was back on since I activated it again), so I tried again since I also didn't see the popup, but that happened to be at the back somewhere. But since I did the process more than once, I'm not sure the program is really gone.

Regards,

Sander

ComboFix 12-06-26.02 - Sander 26-06-2012 20:19:14.1.4 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.31.1033.18.2046.1027 [GMT 2:00]

Gestart vanuit: c:\users\Sander\Desktop\ComboFix.exe

AV: AVG Anti-Virus plus Firewall *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}

SP: AVG Anti-Virus plus Firewall *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Nieuw herstelpunt werd aangemaakt

.

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\668700870D.sys

c:\programdata\windows

c:\programdata\windows\ccdxmmde.dat

c:\programdata\windows\drss.dat

c:\programdata\Windows\msseedir.dll

c:\programdata\windows\xessmsxe.dat

c:\users\Sander\AppData\Local\Temp\b3ac04aa-9413-4ecb-ac45-ed44495e62a6\CliSecureRT.dll

c:\users\Sander\AppData\Roaming\Axve

c:\users\Sander\AppData\Roaming\Axve\umsoa.riu

c:\users\Sander\AppData\Roaming\Elyhe

c:\users\Sander\AppData\Roaming\Elyhe\eglai.apa

c:\users\Sander\AppData\Roaming\Fypya

c:\users\Sander\AppData\Roaming\Fypya\dyoke.zog

c:\users\Sander\Documents\~WRD0003.tmp

c:\windows\security\Database\tmp.edb

c:\windows\SysWow64\muzapp.exe

.

.

(((((((((((((((((((( Bestanden Gemaakt van 2012-05-26 to 2012-06-26 ))))))))))))))))))))))))))))))

.

.

2012-06-24 11:24 . 2012-06-24 11:24 335872 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF012}\NewShortcut8.exe

2012-06-24 11:24 . 2012-06-24 11:24 86016 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF013}\NewShortcut1.exe

2012-06-24 11:24 . 2012-06-24 11:24 335872 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF014}\NewShortcut2.exe

2012-06-24 11:23 . 2012-06-24 11:23 86016 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{1A9DAB4D-46CD-4CBF-A9FC-28D8AA8D2FCF}\ARPPRODUCTICON.exe

2012-06-24 11:23 . 2012-06-24 11:23 86016 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{AEFBAC58-2DDD-4CEF-BDFD-52A5A5F432ED}\ARPPRODUCTICON.exe

2012-06-24 11:23 . 2012-06-24 11:23 86016 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF100}\ARPPRODUCTICON.exe

2012-06-24 11:22 . 2012-06-24 11:22 86016 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{D2827848-7D2A-4547-9AD1-C965FB3E6344}\ARPPRODUCTICON.exe

2012-06-24 11:21 . 2012-06-24 11:21 86016 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{9D306690-3173-42CD-94C6-9EF9318AF24B}\ARPPRODUCTICON.exe

2012-06-24 11:21 . 2012-06-24 11:21 86016 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{D0160DD3-6F62-4F1E-B999-6C68D3AE7390}\ARPPRODUCTICON.exe

2012-06-24 10:06 . 2012-06-24 10:06 -------- d-----w- C:\sh4ldr

2012-06-24 10:06 . 2012-06-24 10:06 110080 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{18F97AF0-4F88-4494-AFE2-5A5702E142CC}\IconF7A21AF7.exe

2012-06-20 15:44 . 2012-06-26 15:28 -------- d-----w- c:\users\Sander\AppData\Local\Windows Live

2012-06-14 16:28 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll

2012-06-14 16:28 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-06-14 16:28 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe

2012-06-08 20:40 . 2012-06-08 20:43 -------- d-----w- c:\users\Sander\AppData\Roaming\Xidyki

2012-06-03 08:45 . 2012-06-03 08:45 -------- d-----w- c:\users\Sander\AppData\Roaming\Ewdoid

.

.

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-20 15:49 . 2011-03-28 16:36 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2012-06-12 15:54 . 2012-03-30 11:23 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-06-12 15:54 . 2011-10-23 10:14 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-05-23 19:38 . 2012-05-23 19:38 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin

2012-05-05 17:49 . 2012-04-14 17:44 8769696 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe

2012-04-04 13:56 . 2012-05-18 20:07 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-30 11:35 . 2012-05-09 18:18 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys

2007-03-12 17:59 . 2007-03-12 17:59 299008 ----a-w- c:\program files (x86)\navigram_register.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]

"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

"MyTomTomSA.exe"="c:\program files (x86)\MyTomTom 3\MyTomTomSA.exe" [2011-11-14 435672]

"KiesPDLR"="c:\program files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2011-11-02 21392]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"CTxfiHlp"="CTXFIHLP.EXE" [2009-06-03 25600]

"AVG9_TRAY"="c:\progra~2\AVG\AVG9\avgtray.exe" [2012-01-28 2077536]

"AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]

"BDRegion"="c:\program files (x86)\Cyberlink\Shared files\brs.exe" [2009-12-15 75048]

"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"KiesHelper"="c:\program files (x86)\Samsung\Kies\KiesHelper.exe" [2011-11-02 928656]

"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2011-11-02 3508624]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-15 1207312]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-22 136176]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-12 257224]

R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-10-15 79360]

R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-10-15 79360]

R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2009-06-04 202776]

R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2009-06-04 1417240]

R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2009-06-04 94744]

R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2012-02-15 99384]

R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [2011-03-02 13088]

R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-12-11 1038088]

R3 gupdatem;Google Update-service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-22 136176]

R3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [2009-06-10 867328]

R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2011-10-27 203320]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [2010-11-20 16384]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-03 1255736]

R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-11-11 306416]

S0 AvgRkx64;avgrkx64.sys;c:\windows\System32\Drivers\avgrkx64.sys [2010-03-05 56008]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-10-15 871408]

S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6a.sys [2009-10-23 29976]

S1 AvgLdx64;AVG AVI Loader Driver x64;c:\windows\System32\Drivers\avgldx64.sys [2010-06-22 269904]

S1 AvgMfx64;AVG On-access Scanner Minifilter Driver x64;c:\windows\System32\Drivers\avgmfx64.sys [2011-09-13 35664]

S1 AvgTdiA;AVG Network Redirector x64;c:\windows\System32\Drivers\avgtdia.sys [2011-05-05 317520]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]

S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/01/25 21:07];c:\program files (x86)\CyberLink\PowerDVD9\NavFilter\000.fcl [2009-12-15 11:28 146928]

S2 avg9wd;AVG WatchDog;c:\program files (x86)\AVG\AVG9\avgwdsvc.exe [2010-06-22 308136]

S2 avgfws9;AVG Firewall;c:\program files (x86)\AVG\AVG9\avgfws9.exe [2010-11-25 2331544]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-09-27 240232]

S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [2009-06-04 202776]

S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [2009-06-04 1417240]

S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [2009-06-04 94744]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]

.

.

--- Andere Services/Drivers In Geheugen ---

.

*NewlyCreated* - WS2IFSL

.

Inhoud van de 'Gedeelde Taken' map

.

2012-06-26 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 15:54]

.

2012-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-22 14:35]

.

2012-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-22 14:35]

.

2012-06-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-120121219-856620432-35687517-1001Core.job

- c:\users\Sander\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-15 09:21]

.

2012-06-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-120121219-856620432-35687517-1001UA.job

- c:\users\Sander\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-15 09:21]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576]

"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x1

"AppInit_DLLs"=c:\windows\System32\avgrssta.dll

.

------- Bijkomende Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

TCP: Interfaces\{61EA10B9-483A-4718-A9BC-192C664F8994}: NameServer = 195.121.1.34,195.121.1.66

DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/NL/Core/Player/2020PlayerAX_IKEA_Win32.cab

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{B154377D-700F-42cc-9474-23858FBDF4BD}]

"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD9\NavFilter\000.fcl"

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\software\Network Associates]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Windows CE Services]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Andere Aktieve Processen ------------------------

.

c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe

c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files (x86)\AVG\AVG9\avgam.exe

.

**************************************************************************

.

Voltooingstijd: 2012-06-26 20:48:14 - machine werd herstart

ComboFix-quarantined-files.txt 2012-06-26 18:48

.

Pre-Run: 22.750.306.304 bytes free

Post-Run: 22.333.034.496 bytes free

.

- - End Of File - - 4B80B218FDAFA65E5430239CA5263730


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\users\Sander\AppData\Roaming\Xidyki
c:\users\Sander\AppData\Roaming\Ewdoid

JavaClearCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


I have performed the steps you have mentioned. Following is the log file.

Sander

Logfile:

ComboFix 12-06-26.02 - Sander 27-06-2012 15:52:33.2.4 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.31.1033.18.2046.801 [GMT 2:00]

Gestart vanuit: c:\users\Sander\Desktop\ComboFix.exe

gebruikte Opdracht switches :: c:\users\Sander\Desktop\CFScript.txt.txt

AV: AVG Anti-Virus plus Firewall *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}

SP: AVG Anti-Virus plus Firewall *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Sander\AppData\Local\Temp\b3ac04aa-9413-4ecb-ac45-ed44495e62a6\CliSecureRT.dll

c:\users\Sander\AppData\Roaming\Ewdoid

c:\users\Sander\AppData\Roaming\Ewdoid\ebut.tmp

c:\users\Sander\AppData\Roaming\Xidyki

c:\users\Sander\AppData\Roaming\Xidyki\utcyv.fio

c:\users\Sander\AppData\Roaming\Xidyki\utcyv.tmp

.

.

(((((((((((((((((((( Bestanden Gemaakt van 2012-05-27 to 2012-06-27 ))))))))))))))))))))))))))))))

.

.

2012-06-27 14:02 . 2012-06-27 14:02 -------- d-----w- c:\users\Mcx1-SANDER-PC\AppData\Local\temp

2012-06-24 11:24 . 2012-06-24 11:24 335872 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF012}\NewShortcut8.exe

2012-06-24 11:24 . 2012-06-24 11:24 86016 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF013}\NewShortcut1.exe

2012-06-24 11:24 . 2012-06-24 11:24 335872 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF014}\NewShortcut2.exe

2012-06-24 11:23 . 2012-06-24 11:23 86016 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{1A9DAB4D-46CD-4CBF-A9FC-28D8AA8D2FCF}\ARPPRODUCTICON.exe

2012-06-24 11:23 . 2012-06-24 11:23 86016 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{AEFBAC58-2DDD-4CEF-BDFD-52A5A5F432ED}\ARPPRODUCTICON.exe

2012-06-24 11:23 . 2012-06-24 11:23 86016 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{7F05E704-30A6-421A-97A7-8EEB1C7FF100}\ARPPRODUCTICON.exe

2012-06-24 11:22 . 2012-06-24 11:22 86016 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{D2827848-7D2A-4547-9AD1-C965FB3E6344}\ARPPRODUCTICON.exe

2012-06-24 11:21 . 2012-06-24 11:21 86016 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{9D306690-3173-42CD-94C6-9EF9318AF24B}\ARPPRODUCTICON.exe

2012-06-24 11:21 . 2012-06-24 11:21 86016 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{D0160DD3-6F62-4F1E-B999-6C68D3AE7390}\ARPPRODUCTICON.exe

2012-06-24 10:06 . 2012-06-24 10:06 -------- d-----w- C:\sh4ldr

2012-06-24 10:06 . 2012-06-24 10:06 110080 ----a-r- c:\users\Sander\AppData\Roaming\Microsoft\Installer\{18F97AF0-4F88-4494-AFE2-5A5702E142CC}\IconF7A21AF7.exe

2012-06-20 15:44 . 2012-06-26 15:28 -------- d-----w- c:\users\Sander\AppData\Local\Windows Live

2012-06-14 16:28 . 2012-04-26 05:41 77312 ----a-w- c:\windows\system32\rdpwsx.dll

2012-06-14 16:28 . 2012-04-26 05:41 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll

2012-06-14 16:28 . 2012-04-26 05:34 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe

.

.

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-20 15:49 . 2011-03-28 16:36 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2012-06-12 15:54 . 2012-03-30 11:23 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-06-12 15:54 . 2011-10-23 10:14 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-05-23 19:38 . 2012-05-23 19:38 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin

2012-05-05 17:49 . 2012-04-14 17:44 8769696 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe

2012-04-04 13:56 . 2012-05-18 20:07 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-30 11:35 . 2012-05-09 18:18 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys

2007-03-12 17:59 . 2007-03-12 17:59 299008 ----a-w- c:\program files (x86)\navigram_register.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]

"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

"MyTomTomSA.exe"="c:\program files (x86)\MyTomTom 3\MyTomTomSA.exe" [2011-11-14 435672]

"KiesPDLR"="c:\program files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2011-11-02 21392]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"CTxfiHlp"="CTXFIHLP.EXE" [2009-06-03 25600]

"AVG9_TRAY"="c:\progra~2\AVG\AVG9\avgtray.exe" [2012-01-28 2077536]

"AdobeCS4ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]

"BDRegion"="c:\program files (x86)\Cyberlink\Shared files\brs.exe" [2009-12-15 75048]

"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

"KiesHelper"="c:\program files (x86)\Samsung\Kies\KiesHelper.exe" [2011-11-02 928656]

"KiesTrayAgent"="c:\program files (x86)\Samsung\Kies\KiesTrayAgent.exe" [2011-11-02 3508624]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-10-15 1207312]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-22 136176]

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-12 257224]

R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-10-15 79360]

R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-10-15 79360]

R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2009-06-04 202776]

R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2009-06-04 1417240]

R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2009-06-04 94744]

R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2012-02-15 99384]

R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [2011-03-02 13088]

R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2009-12-11 1038088]

R3 gupdatem;Google Update-service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-22 136176]

R3 netr28ux;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28ux.sys [2009-06-10 867328]

R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2011-10-27 203320]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [2010-11-20 16384]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-03 1255736]

R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-11-11 306416]

S0 AvgRkx64;avgrkx64.sys;c:\windows\System32\Drivers\avgrkx64.sys [2010-03-05 56008]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-10-15 871408]

S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6a.sys [2009-10-23 29976]

S1 AvgLdx64;AVG AVI Loader Driver x64;c:\windows\System32\Drivers\avgldx64.sys [2010-06-22 269904]

S1 AvgMfx64;AVG On-access Scanner Minifilter Driver x64;c:\windows\System32\Drivers\avgmfx64.sys [2011-09-13 35664]

S1 AvgTdiA;AVG Network Redirector x64;c:\windows\System32\Drivers\avgtdia.sys [2011-05-05 317520]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]

S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/01/25 21:07];c:\program files (x86)\CyberLink\PowerDVD9\NavFilter\000.fcl [2009-12-15 11:28 146928]

S2 avg9wd;AVG WatchDog;c:\program files (x86)\AVG\AVG9\avgwdsvc.exe [2010-06-22 308136]

S2 avgfws9;AVG Firewall;c:\program files (x86)\AVG\AVG9\avgfws9.exe [2010-11-25 2331544]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-09-27 240232]

S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [2009-06-04 202776]

S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [2009-06-04 1417240]

S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [2009-06-04 94744]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]

.

.

Inhoud van de 'Gedeelde Taken' map

.

2012-06-27 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 15:54]

.

2012-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-22 14:35]

.

2012-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-22 14:35]

.

2012-06-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-120121219-856620432-35687517-1001Core.job

- c:\users\Sander\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-15 09:21]

.

2012-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-120121219-856620432-35687517-1001UA.job

- c:\users\Sander\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-15 09:21]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576]

"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=c:\windows\System32\avgrssta.dll

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

TCP: Interfaces\{61EA10B9-483A-4718-A9BC-192C664F8994}: NameServer = 195.121.1.34,195.121.1.66

DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/NL/Core/Player/2020PlayerAX_IKEA_Win32.cab

.

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{B154377D-700F-42cc-9474-23858FBDF4BD}]

"ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD9\NavFilter\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\software\Network Associates]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Windows CE Services]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe

c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files (x86)\AVG\AVG9\avgam.exe

.

**************************************************************************

.

Completion time: 2012-06-27 16:16:20 - machine was restarted

ComboFix-quarantined-files.txt 2012-06-27 14:16

ComboFix2.txt 2012-06-26 18:48

.

Pre-Run: 24.210.534.400 bytes free

Post-Run: 23.631.716.352 bytes free

.

- - End Of File - - 43B969C9B0EA3788212C984382447A38

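The log above is mostly a list of autostart locations (service lines, scheduled-task jobs, the HKLM Run key and AppInit_DLLs), which is what a helper reads first when looking for persistence. As an added example that is not part of the original thread and not code from ComboFix, the Python script below parses those line formats (copied from the log above into a constructed sample) and attaches triage hints. The heuristics are my own assumptions about what a responder checks first: a Run value that is a bare file name rather than a full path, AppInit_DLLs being set at all, a binary living under a user profile, and an autostart binary with an extension other than .exe/.sys/.dll. They mark entries to verify against publisher and signature; an empty note list means nothing stood out, and a note is not a malware verdict.

```python
"""Triage the persistence entries reported in a ComboFix-style log.

Added example for this thread; it is not code from the original post
and not part of ComboFix. It parses the line formats ComboFix uses for
services (S1/S2/S3 lines), scheduled-task jobs, HKLM ...\Run values and
the AppInit_DLLs value, then applies a few "look closer" heuristics.
SAMPLE_LOG is a constructed excerpt copied from the log in this thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2010/01/25 21:07];c:\program files (x86)\CyberLink\PowerDVD9\NavFilter\000.fcl [2009-12-15 11:28 146928]
S2 avg9wd;AVG WatchDog;c:\program files (x86)\AVG\AVG9\avgwdsvc.exe [2010-06-22 308136]
2012-06-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-120121219-856620432-35687517-1001Core.job
- c:\users\Sander\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-15 09:21]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\avgrssta.dll
"""

# Line formats as they appear in the log: "S2 name;description;path [date size]",
# "YYYY-MM-DD c:\windows\Tasks\X.job" followed by "- path [date]", "[HKEY_...]"
# section headers and "name"=data value lines.
SERVICE_RE = re.compile(r"^S[0-9] (?P<name>[^;]+);[^;]*;(?P<path>[a-z]:\\[^\[]+?)\s*\[", re.I)
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>[a-z]:\\.+\.job)$", re.I)
TASK_BIN_RE = re.compile(r"^- (?P<path>[a-z]:\\[^\[]+?)\s*\[", re.I)
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="?(?P<data>[^"\[]+?)"?\s*(?:\[|$)')

SAFE_EXT = {"exe", "sys", "dll"}  # assumption: what an autostart binary normally is


@dataclass
class Entry:
    kind: str   # "service", "task", "run" or "appinit"
    name: str
    path: str
    notes: list[str] = field(default_factory=list)


def flag(entry: Entry) -> None:
    """Attach triage notes (heuristics, not verdicts); empty means nothing stood out."""
    p = entry.path.lower()
    if entry.kind == "run" and not re.match(r"^[a-z]:\\", p):
        entry.notes.append("bare file name: resolved through the search path, "
                           "so a same-named file earlier in the path would win")
    if entry.kind == "appinit":
        entry.notes.append("AppInit_DLLs set: the DLL is loaded into every process "
                           "that loads user32.dll; verify its publisher and signature")
    if "\\users\\" in p or "\\appdata\\" in p:
        entry.notes.append("binary lives under a user profile, writable without admin rights")
    filename = p.rsplit("\\", 1)[-1]
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    if ext not in SAFE_EXT:
        entry.notes.append(f"unusual extension '.{ext}' for an autostart binary")


def parse(log: str) -> list[Entry]:
    """Extract service, task, Run and AppInit_DLLs entries and flag each one."""
    entries: list[Entry] = []
    key = None            # registry key of the section currently being read
    pending_task = None   # .job path waiting for its "- binary" line
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SERVICE_RE.match(line):
            entries.append(Entry("service", m["name"], m["path"].strip()))
        elif m := TASK_RE.match(line):
            pending_task = m["job"]
        elif pending_task and (m := TASK_BIN_RE.match(line)):
            entries.append(Entry("task", pending_task, m["path"].strip()))
            pending_task = None
        elif m := KEY_RE.match(line):
            key = m["key"]
        elif key and (m := VALUE_RE.match(line)):
            if key.endswith(r"CurrentVersion\Run"):
                entries.append(Entry("run", m["name"], m["data"].strip()))
            elif m["name"] == "AppInit_DLLs":
                entries.append(Entry("appinit", m["name"], m["data"].strip()))
    for entry in entries:
        flag(entry)
    return entries


def findings(log: str) -> dict[str, list[str]]:
    """Map each parsed entry name to its triage notes."""
    return {e.name: e.notes for e in parse(log)}


if __name__ == "__main__":
    for e in parse(SAMPLE_LOG):
        print(f"[{e.kind}] {e.name} -> {e.path}")
        for note in e.notes:
            print(f"    ! {note}")
```

Run it against a full ComboFix.txt by replacing SAMPLE_LOG with the file contents; the entries with notes are the ones to check next (signature, known-good hash, on-disk timestamp), the rest can be deprioritised.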

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.