DR/Delphi.gen trouble


DR/Delphi.gen trouble

Post by brechtvhb on Tue Jan 12, 2010 9:25 pm

I have an annoying problem and I hope you could help me. My Avira is telling me that I have DR/Delphi.gen in my C:\windows\temp\xxxx.tmp and I can't get rid of it. Here is my HijackThis log. Thanks in advance for any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:17:30, on 12/01/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\conime.exe
C:\Windows\explorer.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program Files\HoeKey\HoeKey.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 85.119.220.171 [You must be registered and logged in to see this link.]
O1 - Hosts: 85.119.220.171 [You must be registered and logged in to see this link.]
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DebugBar BHO - {69FC0024-10EB-480A-BBF2-3BF4E78E17B1} - C:\Program Files\Core Services\DebugBar\DebugInfoBar.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: DebugBar - {3E1201F4-1707-409F-BB45-A5F192381DA0} - C:\Program Files\Core Services\DebugBar\DebugToolBar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [beidsystemtray] C:\Program Files\Belgium Identity Card\beidsystemtray.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Program Files\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O4 - Startup: ApacheMonitor.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O4 - Startup: HoeKey.lnk = C:\Program Files\HoeKey\HoeKey.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: SmarThru4 Capture Selection - C:\Program Files\SmarThru 4\WebCapture.dll2.htm
O8 - Extra context menu item: SmarThru4 Save as HTML - C:\Program Files\SmarThru 4\WebCapture.dll1.htm
O8 - Extra context menu item: SmarThru4 Save Selected Text - C:\Program Files\SmarThru 4\WebCapture.dll.htm
O8 - Extra context menu item: SmarThru4 Web Capture - C:\Program Files\SmarThru 4\WebCapture.dll
O9 - Extra button: Verzenden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Verz&enden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: SmarThru4 Web Capture - {5941A0E4-56C1-4a49-9B18-05762CAC5F9B} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: SmarThru4 Web Capture - {5941A0E4-56C1-4a49-9B18-05762CAC5F9B} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra button: SmarThru4 Capture Selection - {A07BFEF7-DD11-4937-B23B-E70C11D2EDF4} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: SmarThru4 Capture Selection - {A07BFEF7-DD11-4937-B23B-E70C11D2EDF4} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra button: SmarThru4 Save as HTML - {E753A93F-2367-4978-BFA0-83048C1E61CB} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: SmarThru4 Save as HTML - {E753A93F-2367-4978-BFA0-83048C1E61CB} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra button: SmarThru4 Save Selected Text - {F1F53366-3E11-47ab-BF84-580C94F9C9AD} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: SmarThru4 Save Selected Text - {F1F53366-3E11-47ab-BF84-580C94F9C9AD} - C:\Program Files\SmarThru 4\WebCapture.dll (HKCU)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{15B5245A-54A8-4E76-9F60-CDB1DEC0FDA2}: NameServer = 192.168.1.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\System32\guard32.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Creative ALchemy AL1 Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\AL1Licensing.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: eID CRL Service - Zetes - C:\Windows\system32\beidservicecrl.exe
O23 - Service: eID Privacy Service - Zetes - C:\Windows\system32\beidservicepcsc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 9921 bytes


Re: DR/Delphi.gen trouble

Post by Belahzur on Wed Jan 13, 2010 12:19 am

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: ::1 localhost
    O1 - Hosts: 85.119.220.171 [You must be registered and logged in to see this link.]
    O1 - Hosts: 85.119.220.171 [You must be registered and logged in to see this link.]
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
    O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


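The fix list in the reply above is built by eye from the log; the checks behind it can be written down. The following is an added example, not part of this thread and not a HijackThis or Malwarebytes tool: a small Python triage routine that flags hosts-file entries pointing a name at a non-loopback address, entries whose target file is absent, an O23 service path truncated to C:\Program.exe, and an O17 DNS server outside the local network. The sample log is constructed from this thread's own lines; the hostnames are placeholders because the originals are redacted on the page.

```python
r"""Triage helper for HijackThis v2 log lines (added example, not a HijackThis
or forum tool).  It applies the checks a helper applies by eye when building a
"Fix Checked" list:
  O1   hosts entries that map a name to anything other than loopback
  O2/O3/O4/O9/O20/O23  entries whose target file is absent
                       ("(no file)", "(file missing)")
  O23  a service path truncated to C:\Program.exe (an unquoted path containing
       a space, so the entry cannot start what it claims to start)
  O17  a DNS server that is not a loopback, link-local or private address
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
NAMESERVER_RE = re.compile(r"^O17 - .*NameServer\s*=\s*(.+)$")
MISSING_RE = re.compile(r"\((?:no file|file missing)\)\s*$", re.IGNORECASE)
TRUNCATED_RE = re.compile(r" - C:\\Program\.exe\b", re.IGNORECASE)
FILE_SECTIONS = {"O2", "O3", "O4", "O9", "O20", "O23"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _is_local(ip: str) -> bool:
    """True for loopback, link-local and RFC 1918 / ULA addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_private or addr.is_link_local


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding if a single HijackThis line deserves a closer look."""
    line = line.strip()
    if not line or " - " not in line:
        return None
    section = line.split(" - ", 1)[0]

    if section == "O1":
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            try:
                if not ipaddress.ip_address(ip).is_loopback:
                    return Finding(section, f"hosts file sends {host} to {ip}", line)
            except ValueError:
                return Finding(section, "hosts entry with unparseable address", line)
        return None

    if section == "O17":
        m = NAMESERVER_RE.match(line)
        if m:
            servers = [s.strip() for s in m.group(1).split(",") if s.strip()]
            bad = [s for s in servers if not _is_local(s)]
            if bad:
                return Finding(section, "DNS server outside the local network: "
                               + ", ".join(bad), line)
        return None

    if section in FILE_SECTIONS:
        if TRUNCATED_RE.search(line):
            return Finding(section, "path truncated to C:\\Program.exe "
                           "(unquoted path containing a space)", line)
        if MISSING_RE.search(line):
            return Finding(section, "references a file that is not on disk", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a pasted log, in order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def fix_list(text: str) -> List[str]:
    """The raw lines a helper would tell the user to tick before 'Fix Checked'."""
    return [f.line for f in triage_log(text)]


# Constructed sample, modelled on the log in this thread.  The two hostnames are
# placeholders; the page shows the originals only as redacted links.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 85.119.220.171 redacted-host-1.example
O1 - Hosts: 85.119.220.171 redacted-host-2.example
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{15B5245A-54A8-4E76-9F60-CDB1DEC0FDA2}: NameServer = 192.168.1.1
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The loopback `::1 localhost` line is left alone here; HijackThis lists it because it only expects the IPv4 form, not because it is harmful.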

Re: DR/Delphi.gen trouble

Post by brechtvhb on Wed Jan 13, 2010 5:05 pm

The virus is still popping up:

Malwarebytes' Anti-Malware 1.44
Database versie: 3554
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

13/01/2010 17:38:12
mbam-log-2010-01-13 (17-38-12).txt

Scan type: Snelle Scan
Objecten gescand: 113007
Verstreken tijd: 7 minute(s), 38 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)


Re: DR/Delphi.gen trouble

Post by Belahzur on Wed Jan 13, 2010 6:48 pm

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: DR/Delphi.gen trouble

Post by brechtvhb on Wed Jan 13, 2010 7:32 pm

Is it normal that it renamed itself again to combofix.exe after rebooting?

ComboFix 10-01-13.04 - Brecht 13/01/2010 20:11:51.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1043.18.2494.1068 [GMT 1:00]
Running from: c:\users\Brecht\Desktop\ComboFix.exe
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
SP: COMODO Defense+ *enabled* (Updated) {043803A4-4F86-4ef7-AFC5-F6E02A79969B}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-12-13 to 2010-01-13 )))))))))))))))))))))))))))))))
.

2010-01-13 19:24 . 2010-01-13 19:24 -------- d-----w- c:\users\Brecht\AppData\Local\temp
2010-01-13 19:24 . 2010-01-13 19:24 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-13 19:24 . 2010-01-13 19:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-13 06:19 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 06:19 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-12 21:28 . 2010-01-12 21:28 -------- d-----w- c:\program files\SQLyog Community
2010-01-12 20:13 . 2010-01-12 20:13 -------- d-----w- c:\program files\ESET
2010-01-09 14:15 . 2010-01-09 14:15 -------- d-----w- C:\elime
2009-12-29 16:56 . 2009-12-29 16:56 -------- d-----w- c:\program files\Common Files\TortoiseOverlays
2009-12-29 16:06 . 2009-12-29 16:09 -------- d-----w- c:\users\Brecht\.netbeans
2009-12-29 16:06 . 2009-12-29 16:06 -------- d-----w- c:\users\Brecht\.netbeans-registration
2009-12-29 16:03 . 2009-12-29 16:06 -------- d-----w- c:\program files\NetBeans 6.8
2009-12-29 16:01 . 2009-12-29 16:06 -------- d-----w- c:\users\Brecht\.nbi
2009-12-18 17:28 . 2009-12-18 17:28 -------- d-----w- c:\programdata\CyberLink
2009-12-18 17:28 . 2009-12-18 19:09 -------- d-----w- c:\users\Public\CyberLink
2009-12-18 17:28 . 2009-12-18 17:28 -------- d-----w- c:\users\Brecht\AppData\Roaming\CyberLink
2009-12-18 15:36 . 2009-12-18 15:37 -------- d-----w- c:\programdata\SmartSound Software Inc
2009-12-18 15:36 . 2009-12-18 15:36 -------- d-----w- c:\program files\SmartSound Software
2009-12-18 15:27 . 2009-12-18 15:38 -------- d-----w- c:\program files\CyberLink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-13 19:06 . 2007-08-22 18:08 -------- d-----w- c:\programdata\Microsoft Help
2010-01-13 19:05 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-13 18:47 . 2007-09-11 16:57 -------- d-----w- c:\users\Brecht\AppData\Roaming\SQLyog
2010-01-13 18:38 . 2008-05-01 08:09 -------- d-----w- c:\users\Brecht\AppData\Roaming\MySQL
2010-01-12 21:27 . 2007-12-05 14:17 -------- d-----w- c:\program files\SQLyog Enterprise
2010-01-12 19:48 . 2007-08-22 18:56 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-12 19:39 . 2009-06-15 15:17 74328 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-01-12 19:39 . 2009-06-15 15:17 171552 ----a-w- c:\windows\system32\guard32.dll
2010-01-12 19:39 . 2009-06-15 15:17 29520 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-01-12 19:39 . 2009-06-15 15:17 128376 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-01-12 19:39 . 2007-09-09 11:18 -------- d-----w- c:\program files\Java
2010-01-12 16:45 . 2008-06-08 07:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-12 16:44 . 2008-07-10 13:46 5115823 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-11 19:26 . 2008-09-29 08:30 -------- d-----w- c:\program files\FlashFXP
2010-01-11 06:44 . 2006-11-02 16:11 669950 ----a-w- c:\windows\system32\perfh013.dat
2010-01-11 06:44 . 2006-11-02 16:11 127650 ----a-w- c:\windows\system32\perfc013.dat
2010-01-07 15:07 . 2008-07-30 10:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 15:07 . 2008-06-08 07:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-29 17:56 . 2008-12-10 21:25 -------- d-----w- c:\users\Brecht\AppData\Roaming\TortoiseSVN
2009-12-29 16:56 . 2008-12-10 20:19 -------- d-----w- c:\program files\TortoiseSVN
2009-12-26 10:02 . 2009-08-19 15:59 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-18 19:55 . 2009-10-24 11:09 -------- d-----w- c:\program files\avi.NET
2009-12-18 17:29 . 2007-08-21 22:12 107640 ----a-w- c:\users\Brecht\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-18 15:39 . 2007-08-22 16:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-14 20:01 . 2008-05-15 17:59 -------- d-----w- c:\users\Brecht\AppData\Roaming\FileZilla
2009-12-14 18:10 . 2009-12-14 18:10 108341 ----a-w- c:\users\Brecht\AppData\Roaming\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-12-13 11:15 . 2009-12-13 11:15 -------- d-----w- c:\program files\Windows Portable Devices
2009-12-13 11:15 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-13 11:14 . 2009-12-13 11:14 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-12-13 11:14 . 2009-12-13 11:14 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-12-12 18:39 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-12-12 18:39 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-12-12 18:39 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-12-12 18:39 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-12-12 18:39 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-12-12 18:39 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-12-12 18:35 . 2007-10-16 20:34 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-12-12 18:35 . 2007-10-16 20:34 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-12-08 19:27 . 2009-12-08 19:27 -------- d-----w- c:\program files\ElcomSoft
2009-12-07 20:59 . 2009-05-08 14:16 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-07 08:37 . 2008-07-31 21:14 -------- d-----w- c:\program files\Defraggler
2009-12-07 07:56 . 2007-12-11 18:14 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-12-06 23:44 . 2007-08-22 18:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-06 22:36 . 2007-09-09 16:00 -------- d-----w- c:\users\Brecht\AppData\Roaming\Azureus
2009-12-06 22:09 . 2008-01-06 11:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-06 22:08 . 2008-04-05 09:45 -------- d-----w- c:\program files\Sony Ericsson
2009-12-06 22:04 . 2009-10-10 11:47 -------- d-----w- c:\users\Brecht\AppData\Roaming\Panasonic
2009-12-06 21:53 . 2009-10-25 09:10 -------- d-----w- c:\program files\PDF Reader 2
2009-12-06 21:41 . 2007-11-10 14:46 -------- d-----w- c:\program files\Lightsmark 2007
2009-12-06 21:40 . 2008-10-06 20:24 -------- d-----w- c:\programdata\Apple Computer
2009-12-06 21:36 . 2009-11-12 21:09 -------- d-----w- c:\program files\HTC
2009-12-06 21:36 . 2009-11-12 21:13 -------- d-----w- c:\users\Brecht\AppData\Roaming\Teleca
2009-12-06 21:17 . 2009-07-10 06:15 -------- d-----w- c:\program files\Free Monitor for Google
2009-12-06 21:15 . 2008-03-02 19:48 -------- d-----w- c:\program files\Bonjour
2009-12-06 21:13 . 2008-10-06 20:22 -------- d-----w- c:\program files\Common Files\Apple
2009-12-06 21:10 . 2007-08-22 16:27 -------- d-----w- c:\program files\ASUS
2009-12-02 16:59 . 2008-09-05 20:41 -------- d-----w- c:\program files\Core Services
2009-11-29 20:20 . 2009-11-29 20:20 -------- d-----w- c:\program files\Microsoft
2009-11-29 20:19 . 2007-08-22 17:49 -------- d-----w- c:\program files\Windows Live
2009-11-29 20:17 . 2009-11-29 20:17 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-21 06:40 . 2009-12-13 10:42 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-13 10:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-13 10:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-13 10:42 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-19 10:48 . 2009-11-27 06:24 872960 ----a-w- c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\zovz708k.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-19 10:48 . 2009-11-27 06:24 43008 ----a-w- c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\zovz708k.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-19 10:48 . 2009-11-27 06:24 340480 ----a-w- c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\zovz708k.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-19 10:48 . 2009-11-27 06:24 346624 ----a-w- c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\zovz708k.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-11-18 17:31 . 2008-02-16 08:23 -------- d-----w- c:\program files\Google
2009-11-15 19:37 . 2009-11-15 19:37 -------- d-----w- c:\program files\eRightSoft
2009-11-09 12:31 . 2009-12-11 21:15 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-11 21:15 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-11 21:15 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-02 19:42 . 2009-10-03 12:13 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-25 21:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-25 09:10 . 2009-10-25 09:10 75776 ----a-w- c:\windows\cadkasdeinst01e.exe
2009-10-24 16:36 . 2009-10-24 16:36 79872 ----a-w- c:\users\Brecht\AppData\Roaming\Azureus\updates\inst_1\aereg.dll
2007-11-05 06:54 . 2007-11-07 21:48 3564584 ----a-w- c:\program files\procexp.exe
2006-06-28 19:04 . 2006-06-28 19:04 108 --sha-r- c:\windows\neoqaz2.dll
2006-05-03 10:06 . 2009-11-15 19:37 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 11:47 . 2009-11-15 19:37 31232 --sh--r- c:\windows\System32\msfDX.dll
2008-03-16 13:30 . 2009-11-15 19:37 216064 --sh--r- c:\windows\System32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 17:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 17:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 17:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 17:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 17:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 17:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 17:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 17:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2009-08-13 17:55 85768 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\LCDMon.exe" [2007-04-26 774168]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 1132056]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"beidsystemtray"="c:\program files\Belgium Identity Card\beidsystemtray.exe" [2007-02-19 188416]
"FreePDF Assistant"="c:\program files\FreePDF_XP\fpassist.exe" [2007-06-26 312320]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 92704]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-08-11 524288]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"CTHelper"="CTHELPER.EXE" [2007-10-25 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-10-25 19968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-01-12 1800464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\system32\READREG" [X]

c:\users\Brecht\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ApacheMonitor.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2007-9-5 41041]
HoeKey.lnk - c:\program files\HoeKey\HoeKey.exe [2005-1-6 16896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWinKeys"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):80,2d,cf,3a,5b,7b,ca,01

R0 hotcore3;hotcore3;c:\windows\System32\drivers\hotcore3.sys [18/09/2007 21:06 38448]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\System32\drivers\cmdguard.sys [15/06/2009 16:17 128376]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\System32\drivers\cmdhlp.sys [15/06/2009 16:17 29520]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/05/2009 15:16 108289]
R2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [5/09/2007 8:59 24635]
R2 eID CRL Service;eID CRL Service;c:\windows\System32\beidservicecrl.exe [19/02/2007 14:16 225280]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [3/03/2008 21:53 1153368]
R2 SSPORT;SSPORT;c:\windows\System32\drivers\SSPORT.SYS [13/08/2007 3:51 5120]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\System32\drivers\seehcri.sys [12/11/2009 12:18 27632]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [7/10/2007 10:12 685816]
S3 ACSSCR;ACR38 Smart Card Reader;c:\windows\System32\drivers\a38usb.sys [31/05/2008 12:10 35712]
S3 Creative ALchemy AL1 Licensing Service;Creative ALchemy AL1 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL1Licensing.exe [15/11/2007 21:56 79360]
S3 eID Privacy Service;eID Privacy Service;c:\windows\System32\beidservicepcsc.exe [19/02/2007 14:16 331776]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [20/04/2008 2:40 21504]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\System32\drivers\ggflt.sys [5/04/2008 10:49 13352]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\System32\drivers\s0016bus.sys [28/06/2009 16:23 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\System32\drivers\s0016mdfl.sys [28/06/2009 16:23 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\System32\drivers\s0016mdm.sys [28/06/2009 16:23 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\s0016mgmt.sys [28/06/2009 16:23 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\System32\drivers\s0016nd5.sys [28/06/2009 16:23 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\System32\drivers\s0016obex.sys [28/06/2009 16:23 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\System32\drivers\s0016unic.sys [28/06/2009 16:23 115752]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [22/02/2007 17:39 2808664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-236250710-4071071235-3460814677-1000Core.job
- c:\users\Brecht\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-27 16:28]

2010-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-236250710-4071071235-3460814677-1000UA.job
- c:\users\Brecht\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-27 16:28]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: SmarThru4 Capture Selection - c:\program files\SmarThru 4\WebCapture.dll2.htm
IE: SmarThru4 Save as HTML - c:\program files\SmarThru 4\WebCapture.dll1.htm
IE: SmarThru4 Save Selected Text - c:\program files\SmarThru 4\WebCapture.dll.htm
IE: SmarThru4 Web Capture - c:\program files\SmarThru 4\WebCapture.dll
TCP: {15B5245A-54A8-4E76-9F60-CDB1DEC0FDA2} = 192.168.1.1
FF - ProfilePath - c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\zovz708k.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Wowhead
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\zovz708k.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\Brecht\AppData\Roaming\Mozilla\Firefox\Profiles\zovz708k.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\users\Brecht\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: zend.ZDE_Path - c:\program files\Zend\Zend Studio for Eclipse - 6.0.0\ZendStudio.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-13 20:24
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

[0] 0x00380000

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8639F618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8a3a3d24
\Driver\ACPI -> acpi.sys @ 0x83c9ad68
\Driver\atapi -> ataport.SYS @ 0x83db5a2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-236250710-4071071235-3460814677-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:20,1b,82,e9,da,eb,3d,3b,07,18,0f,e9,1c,41,b3,f9,b6,4a,16,6b,21,65,2c,
a2,3e,b8,5e,26,25,aa,ec,54,a5,80,e3,52,12,ff,dd,08,8a,0d,cd,73,a0,24,65,3f,\
"??"=hex:91,66,0b,df,8b,c2,5a,0c,f4,f6,b0,71,cd,8e,bc,12

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-01-13 20:30:14
ComboFix-quarantined-files.txt 2010-01-13 19:30
ComboFix2.txt 2010-01-12 21:07

Pre-Run: 152.295.755.776 bytes beschikbaar
Post-Run: 152.276.631.552 bytes beschikbaar

- - End Of File - - 734421CBB22AA45A5FC934D6ED72AB7A

brechtvhb
Beginner

Posts : 3
Joined : 2010-01-12
OS : Windows Vista

Re: DR/Delphi.gen trouble

Post by Belahzur on Thu Jan 14, 2010 12:13 am


  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
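The reply above hand-picks the keys for its RegLock:: stanza from the LOCKED REGISTRY KEYS section of the ComboFix log. As an added example (not the forum's or ComboFix's own code), this Python script parses that section and drafts the stanza, selecting the keys that carry an explicit @Denied entry; that selection rule and the embedded sample log text are this example's assumptions.

```python
"""Parse the LOCKED REGISTRY KEYS section of a ComboFix log and draft the
RegLock:: stanza of CFScript.txt (added example, not ComboFix's own code)."""
import re

SECTION = "--------------------- LOCKED REGISTRY KEYS ---------------------"
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
CLASS = "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E96D-E325-11CE-BFC1-08002BE10318}"

# Constructed sample in the shape of the log above (hex value shortened).
SAMPLE_LOG = "\n".join([
    ".", SECTION, "",
    "[HKEY_USERS\\S-1-5-21-236250710-4071071235-3460814677-1000\\Software\\SecuROM\\!CAUTION! NEVER A OR CHANGE ANY KEY*]",
    "@Allowed: (Read) (RestrictedCode)",
    '"??"=hex:20,1b,82,e9,da,eb,3d,3b', "",
    f"[{CLASS}\\0000\\AllUserSettings]",
    "@Denied: (A) (Users)", "@Denied: (A) (Everyone)",
    "@Allowed: (B 1 2 3 4 5) (S-1-5-20)", '"BlindDial"=dword:00000000', "",
    f"[{CLASS}\\0001\\AllUserSettings]",
    "@Denied: (A) (Users)", "@Allowed: (B 1 2 3 4 5) (S-1-5-20)",
    ".", "Completion time: 2010-01-13 20:30:14",
])


def parse_locked_keys(log: str) -> dict:
    """Map each key path in the section to its @Allowed/@Denied ACE lines."""
    keys, current, in_section = {}, None, False
    for line in log.splitlines():
        line = line.rstrip()
        if not in_section:
            in_section = line == SECTION
            continue
        if line == "." or line.startswith("Completion time:"):
            break  # ComboFix closes the section with a lone dot
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = []
        elif current and line.startswith(("@Denied:", "@Allowed:")):
            keys[current].append(line)
    return keys


def keys_with_denied_ace(keys: dict) -> list:
    """Selection rule (this example's assumption): unlock only keys with an
    explicit @Denied ACE; that picks the two Class keys the reply listed and
    skips the SecuROM DRM key, which only carries @Allowed."""
    return [k for k, aces in keys.items() if any(a.startswith("@Denied:") for a in aces)]


def build_reglock_stanza(key_paths: list) -> str:
    """Render the RegLock:: block in the form CFScript.txt expects."""
    return "RegLock::\n" + "".join(f"[{k}]\n" for k in key_paths)
```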
