Laptop is slow



When it had scanned all the parts, this message appeared:

"preparing to delete infected files". There was no sign of a log, and I didn't know whether this was supposed to happen,

so I aborted the process. Is this how it should go? If so, I'll run it again.


Found it,

ComboFix log

ComboFix 12-06-12.01 - franky 12/06/2012 20:39:31.2.1 - x86

Gestart vanuit: c:\users\franky\Videos\Desktop\ComboFix.exe

AV: Panda Cloud Antivirus *Disabled/Updated* {86971480-9989-6750-B122-681A86518D59}

SP: Panda Cloud Antivirus *Disabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\Roaming

c:\users\franky\AppData\Local\Microsoft\Windows\Temporary Internet Files\tbinst

c:\windows\IsUn0413.exe

.

.

(((((((((((((((((((( Bestanden Gemaakt van 2012-05-12 to 2012-06-12 ))))))))))))))))))))))))))))))

.

.

2012-06-12 18:53 . 2012-06-12 18:53 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-06-12 18:53 . 2012-06-12 18:54 -------- d-----w- c:\users\franky\AppData\Local\temp

2012-06-10 20:24 . 2012-06-10 20:24 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{73739C26-8EBA-428A-8273-42B394F9ABB7}\offreg.dll

2012-06-10 18:50 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{73739C26-8EBA-428A-8273-42B394F9ABB7}\mpengine.dll

2012-06-08 23:18 . 2012-06-08 23:18 -------- d-----w- c:\users\franky\AppData\Roaming\Malwarebytes

2012-06-08 23:18 . 2012-06-08 23:18 -------- d-----w- c:\programdata\Malwarebytes

2012-06-08 23:18 . 2012-04-04 13:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-08 23:18 . 2012-06-08 23:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-06-08 20:51 . 2012-06-08 20:51 388096 ----a-r- c:\users\franky\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2012-06-08 20:50 . 2012-06-08 20:50 -------- d-----w- c:\program files\Trend Micro

2012-05-14 19:31 . 2012-05-19 11:19 -------- d-----w- c:\users\franky\AppData\Roaming\Media Finder

2012-05-14 19:14 . 2012-06-08 23:08 -------- d-----w- c:\program files\Yontoo

2012-05-14 19:14 . 2012-05-14 19:14 -------- d-----w- c:\users\franky\AppData\Local\Babylon

2012-05-14 19:13 . 2012-05-14 19:13 -------- d-----w- c:\programdata\Tarma Installer

2012-05-14 19:13 . 2012-05-14 19:13 -------- d-----w- c:\programdata\Babylon

2012-05-14 19:13 . 2012-05-14 19:13 -------- d-----w- c:\users\franky\AppData\Roaming\Babylon

2012-05-14 18:17 . 2012-05-14 19:17 300 -c--a-w- C:\user.js

2012-05-14 18:16 . 2012-06-08 23:08 -------- d-----w- c:\program files\BrowserCompanion

.

.

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-05-05 14:58 . 2012-04-03 20:58 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-05-05 14:58 . 2012-04-03 20:58 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-03 19:56 . 2012-04-03 19:56 161792 ----a-w- c:\windows\system32\msls31.dll

2012-04-03 19:56 . 2012-04-03 19:56 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe

2012-04-03 19:56 . 2012-04-03 19:56 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe

2012-04-03 19:56 . 2012-04-03 19:56 48640 ----a-w- c:\windows\system32\mshtmler.dll

2012-04-03 19:56 . 2012-04-03 19:56 86528 ----a-w- c:\windows\system32\iesysprep.dll

2012-04-03 19:56 . 2012-04-03 19:56 63488 ----a-w- c:\windows\system32\tdc.ocx

2012-04-03 19:55 . 2012-04-03 19:55 367104 ----a-w- c:\windows\system32\html.iec

2012-04-03 19:55 . 2012-04-03 19:55 74752 ----a-w- c:\windows\system32\iesetup.dll

2012-04-03 19:55 . 2012-04-03 19:55 23552 ----a-w- c:\windows\system32\licmgr10.dll

2012-04-03 19:55 . 2012-04-03 19:55 152064 ----a-w- c:\windows\system32\wextract.exe

2012-04-03 19:55 . 2012-04-03 19:55 150528 ----a-w- c:\windows\system32\iexpress.exe

2012-04-03 19:55 . 2012-04-03 19:55 420864 ----a-w- c:\windows\system32\vbscript.dll

2012-04-03 19:55 . 2012-04-03 19:55 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-04-03 19:55 . 2012-04-03 19:55 11776 ----a-w- c:\windows\system32\mshta.exe

2012-04-03 19:55 . 2012-04-03 19:55 101888 ----a-w- c:\windows\system32\admparse.dll

2012-04-03 19:55 . 2012-04-03 19:55 35840 ----a-w- c:\windows\system32\imgutil.dll

2012-04-03 19:55 . 2012-04-03 19:55 110592 ----a-w- c:\windows\system32\IEAdvpack.dll

2012-04-03 08:16 . 2012-05-11 16:21 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-04-03 08:16 . 2012-05-11 16:21 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-04-02 13:36 . 2012-05-11 16:21 2044928 ----a-w- c:\windows\system32\win32k.sys

2012-03-30 19:48 . 2010-04-19 13:29 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-03-30 12:39 . 2012-05-11 16:31 905600 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-03-20 23:28 . 2012-05-11 16:31 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]

2010-12-19 14:46 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2010-12-19 86696]

.

[HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]

@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"

[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]

2011-05-09 10:45 288584 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]

@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"

[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]

2011-05-09 10:45 288584 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"????r"="" [?]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]

"MyTomTomSA.exe"="c:\program files\MyTomTom 3\MyTomTomSA.exe" [2011-11-14 435672]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]

"RtHDVCpl"="RtHDVCpl.exe" [2006-11-20 4018176]

"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]

"PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2006-11-18 151552]

"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-22 90191]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-22 81920]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-22 7757824]

"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-11-20 244512]

"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-10-30 304664]

"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-11-28 614400]

"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-11-17 453120]

"AcerOrbicamRibbon"="c:\program files\Acer\OrbiCam10\OrbiCam.exe" [2006-11-20 754712]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]

"Panda Security URL Filtering"="c:\programdata\Panda Security URL Filtering\Panda_URL_Filtering.exe" [2012-03-19 217256]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Inhoud van de 'Gedeelde Taken' map

.

2012-06-12 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 14:58]

.

2012-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-22 14:40]

.

2012-06-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-22 14:40]

.

2012-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1433520924-4174861453-4113501684-1000Core.job

- c:\users\franky\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-31 21:07]

.

2012-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1433520924-4174861453-4113501684-1000UA.job

- c:\users\franky\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-31 21:07]

.

.

------- Bijkomende Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*Yahoo! UK

IE: Download with &Media Finder - c:\program files\Media Finder\hook.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 195.130.131.3 195.130.130.131

.

- - - - ORPHANS VERWIJDERD - - - -

.

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKCU-Run-Media Finder - c:\program files\Media Finder\Media Finder.exe

HKLM-Run-Acer Tour - (no file)

HKLM-Run-eRecoveryService - (no file)

AddRemove-Adobe Photoshop Elements 2.0 - c:\windows\ISUN0413.EXE

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2012-06-12 20:54

Windows 6.0.6002 Service Pack 2 NTFS

.

scannen van verborgen processen ...

.

scannen van verborgen autostart items ...

.

scannen van verborgen bestanden ...

.

Scan succesvol afgerond

verborgen bestanden: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{2FF8D163-C3C2-46ce-BD8D-D85AC1BC56DD}]

"ImagePath"="\??\c:\program files\Acer\Acer Arcade\000.fcl"

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Voltooingstijd: 2012-06-12 21:05:23

ComboFix-quarantined-files.txt 2012-06-12 19:05

.

Pre-Run: 7.866.138.624 bytes beschikbaar

Post-Run: 7.725.985.792 bytes beschikbaar

.

- - End Of File - - 5ACBE7F1902EA7A98DA703450CEDCF7E


Open a Notepad file.

Copy and paste the bold text below into it.

File::

C:\user.js

Folder::

c:\program files\Yontoo

c:\users\franky\AppData\Local\Babylon

c:\programdata\Tarma Installer

c:\programdata\Babylon

c:\users\franky\AppData\Roaming\Babylon

c:\program files\BrowserCompanion

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

Save this file to your desktop as CFScript.

Drag CFScript.txt into ComboFix.exe.

This will cause ComboFix to restart. Reboot if you are asked to.

After the restart, post the contents of Combofix.txt in your next message.


ComboFix log

ComboFix 12-06-13.03 - franky 13/06/2012 19:40:03.3.1 - x86

Gestart vanuit: c:\users\franky\Videos\Desktop\ComboFix.exe

gebruikte Opdracht switches :: c:\users\franky\Videos\Desktop\CFScript.txt

.

FILE ::

"C:\user.js"

.

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\BrowserCompanion

c:\program files\BrowserCompanion\BCHelper.exe

c:\program files\BrowserCompanion\blabbers-ch.crx

c:\program files\BrowserCompanion\blabbers-ff-full.xpi

c:\program files\BrowserCompanion\logo.ico

c:\program files\BrowserCompanion\sqlite3.dll

c:\program files\BrowserCompanion\tdataprotocol.dll

c:\program files\BrowserCompanion\toolbar.dll

c:\program files\BrowserCompanion\uninstall.exe

c:\program files\BrowserCompanion\updatebhoWin32.dll

c:\program files\BrowserCompanion\updater.ini

c:\program files\BrowserCompanion\widgetserv.exe

c:\program files\Yontoo

c:\programdata\Babylon

c:\programdata\Tarma Installer

c:\programdata\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\_Setup.dll

c:\programdata\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.dat

c:\programdata\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.exe

c:\programdata\Tarma Installer\{361E80BE-388B-4270-BF54-A10C2B756504}\Setup.ico

c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll

c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll

c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat

c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe

c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico

C:\user.js

c:\users\franky\AppData\Local\Babylon

c:\users\franky\AppData\Local\Babylon\Setup\bab033.tbinst.dat

c:\users\franky\AppData\Local\Babylon\Setup\bab091.norecovericon.dat

c:\users\franky\AppData\Local\Babylon\Setup\Babylon.dat

c:\users\franky\AppData\Local\Babylon\Setup\BExternal.dll

c:\users\franky\AppData\Local\Babylon\Setup\Chrome_tb.zpb

c:\users\franky\AppData\Local\Babylon\Setup\HtmlScreens\blueStar.png

c:\users\franky\AppData\Local\Babylon\Setup\HtmlScreens\eula.html

c:\users\franky\AppData\Local\Babylon\Setup\HtmlScreens\globe.png

c:\users\franky\AppData\Local\Babylon\Setup\HtmlScreens\options.js

c:\users\franky\AppData\Local\Babylon\Setup\HtmlScreens\page0.html

c:\users\franky\AppData\Local\Babylon\Setup\HtmlScreens\page2.css

c:\users\franky\AppData\Local\Babylon\Setup\HtmlScreens\page2.html

c:\users\franky\AppData\Local\Babylon\Setup\HtmlScreens\page2Lrg.css

c:\users\franky\AppData\Local\Babylon\Setup\HtmlScreens\page3.css

c:\users\franky\AppData\Local\Babylon\Setup\HtmlScreens\page3.html

c:\users\franky\AppData\Local\Babylon\Setup\HtmlScreens\page3Lrg.css

c:\users\franky\AppData\Local\Babylon\Setup\HtmlScreens\pBar.gif

c:\users\franky\AppData\Local\Babylon\Setup\HtmlScreens\progress.png

c:\users\franky\AppData\Local\Babylon\Setup\HtmlScreens\setup.js

c:\users\franky\AppData\Local\Babylon\Setup\HtmlScreens\title.png

c:\users\franky\AppData\Local\Babylon\Setup\HtmlScreens\toolBar.jpg

c:\users\franky\AppData\Local\Babylon\Setup\IECookieLow.dll

c:\users\franky\AppData\Local\Babylon\Setup\Setup-latest-30b.zpb

c:\users\franky\AppData\Local\Babylon\Setup\Setup-tbmntr903.zpb

c:\users\franky\AppData\Local\Babylon\Setup\Setup.exe

c:\users\franky\AppData\Local\Babylon\Setup\SetupStrings.dat

c:\users\franky\AppData\Local\Babylon\Setup\sign

c:\users\franky\AppData\Local\Babylon\Setup\sqlite3.dll

c:\users\franky\AppData\Roaming\Babylon

c:\users\franky\AppData\Roaming\Babylon\log_file.txt

.

.

(((((((((((((((((((( Bestanden Gemaakt van 2012-05-13 to 2012-06-13 ))))))))))))))))))))))))))))))

.

.

2012-06-13 18:06 . 2012-06-13 18:07 -------- d-----w- c:\users\franky\AppData\Local\temp

2012-06-13 18:06 . 2012-06-13 18:06 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-06-10 20:24 . 2012-06-10 20:24 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{73739C26-8EBA-428A-8273-42B394F9ABB7}\offreg.dll

2012-06-10 18:50 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{73739C26-8EBA-428A-8273-42B394F9ABB7}\mpengine.dll

2012-06-08 23:18 . 2012-06-08 23:18 -------- d-----w- c:\users\franky\AppData\Roaming\Malwarebytes

2012-06-08 23:18 . 2012-06-08 23:18 -------- d-----w- c:\programdata\Malwarebytes

2012-06-08 23:18 . 2012-04-04 13:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-08 23:18 . 2012-06-08 23:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-06-08 20:51 . 2012-06-08 20:51 388096 ----a-r- c:\users\franky\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2012-06-08 20:50 . 2012-06-08 20:50 -------- d-----w- c:\program files\Trend Micro

2012-05-14 19:31 . 2012-05-19 11:19 -------- d-----w- c:\users\franky\AppData\Roaming\Media Finder

.

.

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-05-05 14:58 . 2012-04-03 20:58 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-05-05 14:58 . 2012-04-03 20:58 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-03 19:56 . 2012-04-03 19:56 161792 ----a-w- c:\windows\system32\msls31.dll

2012-04-03 19:56 . 2012-04-03 19:56 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe

2012-04-03 19:56 . 2012-04-03 19:56 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe

2012-04-03 19:56 . 2012-04-03 19:56 48640 ----a-w- c:\windows\system32\mshtmler.dll

2012-04-03 19:56 . 2012-04-03 19:56 86528 ----a-w- c:\windows\system32\iesysprep.dll

2012-04-03 19:56 . 2012-04-03 19:56 63488 ----a-w- c:\windows\system32\tdc.ocx

2012-04-03 19:55 . 2012-04-03 19:55 367104 ----a-w- c:\windows\system32\html.iec

2012-04-03 19:55 . 2012-04-03 19:55 74752 ----a-w- c:\windows\system32\iesetup.dll

2012-04-03 19:55 . 2012-04-03 19:55 23552 ----a-w- c:\windows\system32\licmgr10.dll

2012-04-03 19:55 . 2012-04-03 19:55 152064 ----a-w- c:\windows\system32\wextract.exe

2012-04-03 19:55 . 2012-04-03 19:55 150528 ----a-w- c:\windows\system32\iexpress.exe

2012-04-03 19:55 . 2012-04-03 19:55 420864 ----a-w- c:\windows\system32\vbscript.dll

2012-04-03 19:55 . 2012-04-03 19:55 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-04-03 19:55 . 2012-04-03 19:55 11776 ----a-w- c:\windows\system32\mshta.exe

2012-04-03 19:55 . 2012-04-03 19:55 101888 ----a-w- c:\windows\system32\admparse.dll

2012-04-03 19:55 . 2012-04-03 19:55 35840 ----a-w- c:\windows\system32\imgutil.dll

2012-04-03 19:55 . 2012-04-03 19:55 110592 ----a-w- c:\windows\system32\IEAdvpack.dll

2012-04-03 08:16 . 2012-05-11 16:21 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-04-03 08:16 . 2012-05-11 16:21 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-04-02 13:36 . 2012-05-11 16:21 2044928 ----a-w- c:\windows\system32\win32k.sys

2012-03-30 19:48 . 2010-04-19 13:29 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-03-30 12:39 . 2012-05-11 16:31 905600 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-03-20 23:28 . 2012-05-11 16:31 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]

2010-12-19 14:46 86696 ----a-w- c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}"= "c:\program files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll" [2010-12-19 86696]

.

[HKEY_CLASSES_ROOT\clsid\{b821bf60-5c2d-41eb-92dc-3e4ccd3a22e4}]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]

@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"

[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]

2011-05-09 10:45 288584 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]

@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"

[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]

2011-05-09 10:45 288584 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"????r"="" [?]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]

"MyTomTomSA.exe"="c:\program files\MyTomTom 3\MyTomTomSA.exe" [2011-11-14 435672]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]

"RtHDVCpl"="RtHDVCpl.exe" [2006-11-20 4018176]

"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2011-04-28 439616]

"PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2006-11-18 151552]

"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-22 90191]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-22 81920]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-22 7757824]

"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-11-20 244512]

"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-10-30 304664]

"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-11-28 614400]

"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-11-17 453120]

"AcerOrbicamRibbon"="c:\program files\Acer\OrbiCam10\OrbiCam.exe" [2006-11-20 754712]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]

"Panda Security URL Filtering"="c:\programdata\Panda Security URL Filtering\Panda_URL_Filtering.exe" [2012-03-19 217256]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

Inhoud van de 'Gedeelde Taken' map

.

2012-06-13 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 14:58]

.

2012-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-22 14:40]

.

2012-06-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-22 14:40]

.

2012-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1433520924-4174861453-4113501684-1000Core.job

- c:\users\franky\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-31 21:07]

.

2012-06-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1433520924-4174861453-4113501684-1000UA.job

- c:\users\franky\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-31 21:07]

.

.

------- Bijkomende Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*Yahoo! UK

IE: Download with &Media Finder - c:\program files\Media Finder\hook.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 195.130.131.3 195.130.130.131

.

- - - - ORPHANS VERWIJDERD - - - -

.

AddRemove-BrowserCompanion - c:\program files\BrowserCompanion\uninstall.exe

AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\progra~2\TARMAI~1\{889DF~1\Setup.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2012-06-13 20:07

Windows 6.0.6002 Service Pack 2 NTFS

.

scannen van verborgen processen ...

.

scannen van verborgen autostart items ...

.

scannen van verborgen bestanden ...

.

Scan succesvol afgerond

verborgen bestanden: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{2FF8D163-C3C2-46ce-BD8D-D85AC1BC56DD}]

"ImagePath"="\??\c:\program files\Acer\Acer Arcade\000.fcl"

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Voltooingstijd: 2012-06-13 20:17:09

ComboFix-quarantined-files.txt 2012-06-13 18:16

ComboFix2.txt 2012-06-12 19:05

.

Pre-Run: 6.848.225.280 bytes beschikbaar

Post-Run: 6.588.776.448 bytes beschikbaar

.

- - End Of File - - F880F87959CAAD1C262C7937D7092DE4


Download and install Speccy.

During installation you now have the option to select Dutch as the language.


Now start the program; it will create an overview of your hardware.

When that is done, select "Bestand - Publiceer Snapshot" (File - Publish Snapshot) at the top and then confirm that choice with "Ja" (Yes).

In the window that now opens you will see a link; copy that link and paste it into your next message.

If you want to see in words and pictures how to make and post a Speccy log, you can read about it here.

This (CLICK) video also shows how to paste a Speccy log into your reply.

After you post your log, it will be checked by an expert.

This topic is now closed to new replies.
