
Side effects of the Sabam/UKash virus



Hello,

This forum is completely new to me, so the chance that my description is incomplete is fairly high. My apologies in advance.

A few days ago I was hit by the (apparently persistent) Sabam/Ukash virus.

After some tinkering I did manage to remove the virus (I suspect?), but my laptop is far from working optimally.

The following problems are still clearly noticeable:

- Always: black screen before start-up (about 5 minutes before the login screen appears);

- Always: the touchpad's scrollbar no longer works;

- Sometimes: when I tick 'power saving' the brightness does not change (which it obviously used to);

- Sometimes: the webcam appears not to work;

- ...

Below you will also find a HijackThis log. Hopefully someone here can make sense of it.

Thanks in advance. :-)

Kind regards,

SR59230A

______________________________________________________

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 10:01:14, on 5/11/2012

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v9.00 (9.00.8112.16450)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Hewlett-Packard\HP QuickWeb\hpqwutils.exe

C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

C:\Program Files\Hewlett-Packard\File Sanitizer\coreshredder.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe

C:\Program Files\Citrix\ICA Client\concentr.exe

C:\Program Files\AVAST Software\Avast\AvastUI.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Citrix\ICA Client\wfcrun32.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Hewlett-Packard\HP Connection Manager\hpConnectionManager.exe

C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe

C:\Program Files\Common Files\Portrait Displays\Drivers\SDKCOMServer.exe

C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe

C:\Program Files\Common Files\Portrait Displays\Drivers\pdiSdkHelper.exe

C:\Windows\system32\igfxext.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Users\Ruben\Downloads\HijackThis.exe

C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = universiteit antwerpen - uaHome

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: BHO_Startup - {3134413B-49B4-425C-98A5-893C1F195601} - C:\Program Files\Hewlett-Packard\File Sanitizer\IEBHO.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL

O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

O4 - HKLM\..\Run: [HPConnectionManager] C:\Program Files\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe

O4 - HKLM\..\Run: [HPPowerAssistant] C:\Program Files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe /hidden

O4 - HKLM\..\Run: [HPQuickWebProxy] "C:\Program Files\Hewlett-Packard\HP QuickWeb\hpqwutils.exe"

O4 - HKLM\..\Run: [iAStorIcon] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

O4 - HKLM\..\Run: [File Sanitizer] C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe

O4 - HKLM\..\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray.exe

O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start

O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup

O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui

O4 - HKLM\..\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKUS\S-1-5-18\..\RunOnce: [uhasselt Theme] c:\windows\resources\themes\uhasselt.theme (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [uhasselt Theme] c:\windows\resources\themes\uhasselt.theme (User 'Default user')

O4 - .DEFAULT User Startup: firstrun.bat (User 'Default user')

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000

O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105

O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O15 - Trusted Zone: *.clonewarsadventures.com

O15 - Trusted Zone: *.freerealms.com

O15 - Trusted Zone: *.line6.net

O15 - Trusted Zone: *.soe.com

O15 - Trusted Zone: *.sony.com

O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab

O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.9.0.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Program Files\IDT\WDM\aestsrv.exe

O23 - Service: Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service (AMPPALR3) - Intel Corporation - C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe

O23 - Service: Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service (BTHSSecurityMgr) - Intel® Corporation - C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

O23 - Service: @C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe,-128 (DpHost) - DigitalPersona, Inc. - C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe

O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Company - C:\Windows\system32\flcdlock.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Remote Procedure Call (RPC) Service (gzyjhrk) - Unknown owner - C:\Users\Ruben\AppData\Roaming\Microsoft\Ixaixlns\ixaixlns.exe (file missing)

O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe

O23 - Service: HP Power Assistant Service - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe

O23 - Service: HP ProtectTools Service - Hewlett-Packard Development Company, L.P - C:\Program Files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe

O23 - Service: HP Connection Manager 4.0 Service (hpCMSrv) - Hewlett-Packard Development Company L.P. - C:\Program Files\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe

O23 - Service: HP Quick Synchronization Service (HPDrvMntSvc.exe) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe

O23 - Service: File Sanitizer for HP ProtectTools (HPFSService) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe

O23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: HP Service (hpsrv) - Hewlett-Packard Company - C:\Windows\system32\Hpservice.exe

O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)

O23 - Service: Passwdrenew - Unknown owner - C:\Windows\System32\rnpasswd.exe

O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe

O23 - Service: Portrait Displays SDK Service (PdiService) - Portrait Displays, Inc. - C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: RoxMediaDB12OEM - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe

O23 - Service: @%SystemRoot%\system32\stlang.dll,-10101 (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: ArcCapture (uArcCapture) - ArcSoft, Inc. - C:\Windows\system32\ArcVCapRender\uArcCapture.exe

O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe

O23 - Service: Validity VCS Fingerprint Service (vcsFPService) - Validity Sensors, Inc. - C:\Windows\system32\vcsFPService.exe

O23 - Service: Mobile Broadband Service (WMCoreService) - Ericsson AB - C:\Program Files\Ericsson\Mobile Broadband Drivers\WMCore\mini_WMCore.exe

O23 - Service: xsherlock - Wellbia.com Co., Ltd. - C:\Windows\system32\xsherlock.xem

--

End of file - 12267 bytes


Go to Start - All Programs - Accessories.

Find the Command Prompt icon, right-click it and choose "Run as administrator" from the list to open the command prompt.

Type: sc stop gzyjhrk and press Enter.

Type: sc delete gzyjhrk and press Enter.

Type exit and press Enter.

If you get an error message on one of these instructions, just carry on with the next one.

And then let us know whether this makes a difference?

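The O23 entry the reply above targets stands out in the HijackThis log on several counts at once: a display name that imitates a Windows component, "Unknown owner", a binary under the user's AppData folder, and "(file missing)". The Python below is an added example, not part of this thread or of HijackThis: it parses O23 lines from a constructed sample modelled on the posted log and scores each service with those defender-side heuristics (the heuristics and thresholds are my own, not a HijackThis feature).

```python
import re

# Constructed sample modelled on the O23 ("Service") lines of the HijackThis
# log posted in this thread; it is not the posted log itself. The O4 line is
# there to show that non-O23 lines are skipped.
SAMPLE_LOG = "\n".join([
    r"O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe",
    r"O23 - Service: Remote Procedure Call (RPC) Service (gzyjhrk) - Unknown owner - C:\Users\Ruben\AppData\Roaming\Microsoft\Ixaixlns\ixaixlns.exe (file missing)",
    r"O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)",
    r"O23 - Service: Passwdrenew - Unknown owner - C:\Windows\System32\rnpasswd.exe",
    r"O4 - HKLM\..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe /nogui",
])

# HijackThis O23 layout: "O23 - Service: <display> (<name>) - <owner> - <path> [(file missing)]".
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)

VOWELS = set("aeiou")


def parse_o23(line):
    """Return a dict for an O23 line, or None for any other HijackThis line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = m.group("display")
    # When HijackThis shows the short service name, it is the last
    # parenthesised token of the display name, e.g. "... Service (gzyjhrk)".
    name_match = re.search(r"\(([^()]+)\)$", display)
    return {
        "display": display,
        "name": name_match.group(1) if name_match else display,
        "owner": m.group("owner"),
        "path": m.group("path"),
        "missing": m.group("missing") is not None,
    }


def assess(entry):
    """Heuristics chosen for this example; each hit is one reason to look closer."""
    reasons = []
    if entry["missing"]:
        reasons.append("file missing")        # service registered, binary gone
    if entry["owner"].lower() == "unknown owner":
        reasons.append("unknown owner")       # no company name in the version info
    path = entry["path"].lower()
    if "\\users\\" in path and "\\appdata\\" in path:
        reasons.append("user-profile path")   # genuine services live under Program Files / system32
    name = entry["name"]
    if name.isalpha() and name.islower() and not (set(name) & VOWELS):
        reasons.append("vowel-less name")     # e.g. gzyjhrk: looks generated, not chosen
    return reasons


def triage(log_text):
    """Score every O23 line in a HijackThis log.

    Stale entries for uninstalled software (a game anti-cheat, say) also trip
    these checks, so the output is a review list, not a verdict.
    """
    rows = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = assess(entry)
        verdict = "suspicious" if len(reasons) >= 2 else ("review" if reasons else "ok")
        rows.append({"name": entry["name"], "path": entry["path"],
                     "reasons": reasons, "verdict": verdict})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f"{row['verdict']:10} {row['name']:20} {', '.join(row['reasons']) or '-'}")
```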

When did you pick up that virus?

What exactly did you do to remove it?

1) Picked up after I tried to download a map for Minecraft. Redirected via Ad.fly, after which the laptop immediately shut down. After rebooting, the fake Sabam notice appeared.

2) Kaspersky Rescue Disk, ComboFix and then Malwarebytes.

Regards,

SR59230A


Below are the logs. Incidentally, the black screen at start-up is not present in safe mode.

Malwarebytes log:

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Databaseversie: v2012.11.04.05

Windows 7 Service Pack 1 x86 NTFS (Veilige modus/netwerkmogelijkheden)

Internet Explorer 9.0.8112.16421

Ruben :: RUBEN-PC [administrator]

5/11/2012 21:26:32

mbam-log-2012-11-05 (21-26-32).txt

Scantype: Volledige scan (C:\|)

Ingeschakelde scanopties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM

Uitgeschakelde scanopties: P2P

Objecten gescand: 377483

Verstreken tijd: 8 minuut/minuten, 40 seconde(n)

Geheugenprocessen gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Geheugenmodulen gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Registersleutels gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Registerwaarden gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Registerdata gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Mappen gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

Bestanden gedetecteerd: 0

(Geen kwaadaardige objecten gedetecteerd)

(einde)

ComboFix log

ComboFix 12-11-05.03 - Ruben 05/11/2012 21:20:37.6.4 - x86 NETWORK

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.32.1043.18.3014.1938 [GMT 1:00]

Gestart vanuit: c:\users\Ruben\Downloads\ComboFix.exe

AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Nieuw herstelpunt werd aangemaakt

.

.

(((((((((((((((((((( Bestanden Gemaakt van 2012-10-05 to 2012-11-05 ))))))))))))))))))))))))))))))

.

.

2012-11-05 20:24 . 2012-11-05 20:24 -------- d-----w- c:\users\user\AppData\Local\temp

2012-11-05 20:24 . 2012-11-05 20:24 -------- d-----w- c:\users\Public\AppData\Local\temp

2012-11-05 20:24 . 2012-11-05 20:24 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-11-05 20:24 . 2012-11-05 20:24 -------- d-----w- c:\users\Administrator\AppData\Local\temp

2012-11-02 19:03 . 2012-10-12 05:56 6918632 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{51E34608-1BD4-45C8-A6AA-1FCC6F48F4FE}\mpengine.dll

2012-11-01 22:10 . 2012-10-30 22:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-11-01 22:10 . 2012-10-30 22:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2012-11-01 22:10 . 2012-10-30 22:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys

2012-11-01 22:10 . 2012-10-30 22:51 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2012-11-01 22:10 . 2012-10-30 22:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2012-11-01 22:10 . 2012-10-15 16:59 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys

2012-11-01 22:10 . 2012-10-30 22:51 41224 ----a-w- c:\windows\avastSS.scr

2012-11-01 22:10 . 2012-10-30 22:50 227648 ----a-w- c:\windows\system32\aswBoot.exe

2012-11-01 22:10 . 2012-11-01 22:10 -------- d-----w- c:\programdata\AVAST Software

2012-11-01 22:10 . 2012-11-01 22:10 -------- d-----w- c:\program files\AVAST Software

2012-11-01 22:09 . 2012-11-01 22:09 -------- d-----w- c:\program files\Common Files\Skype

2012-11-01 22:09 . 2012-11-01 22:09 -------- d-----r- c:\program files\Skype

2012-11-01 22:09 . 2012-11-01 22:09 -------- d-----w- c:\program files\GUM1E87.tmp

2012-11-01 22:03 . 2012-11-01 22:03 -------- d-----w- c:\users\Ruben\AppData\Roaming\Wise Registry Cleaner

2012-11-01 22:02 . 2012-11-01 22:03 -------- d-----w- c:\users\Ruben\AppData\Roaming\Wise Disk Cleaner

2012-11-01 22:01 . 2012-11-01 22:05 -------- d-----w- c:\users\Ruben\Wise Registry Cleaner

2012-11-01 22:01 . 2012-11-01 22:03 -------- d-----w- c:\users\Ruben\Wise Disk Cleaner

2012-11-01 21:18 . 2012-11-05 20:24 -------- d-----w- c:\users\Ruben\AppData\Local\temp

2012-11-01 20:37 . 2012-11-01 21:48 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0

2012-10-31 23:32 . 2012-10-31 23:32 95744 ----a-w- c:\windows\system32\rnpasswd.exe

2012-10-27 21:32 . 2012-10-27 21:32 -------- d-sh--w- c:\users\Ruben\wc

2012-10-27 21:32 . 2012-10-27 21:32 -------- d-sh--w- c:\users\Ruben\AppData\Roaming\ViperUpdate AU

2012-10-27 21:29 . 2012-10-27 21:29 -------- d-----w- c:\program files\All Answers Ltd

2012-10-21 13:05 . 2012-10-21 13:05 -------- d-----w- c:\programdata\Citrix

2012-10-21 13:05 . 2012-10-21 13:05 -------- d-----w- c:\users\Ruben\AppData\Roaming\ICAClient

2012-10-21 13:05 . 2012-10-21 13:05 -------- d-----w- c:\users\Ruben\AppData\Local\Citrix

2012-10-21 13:04 . 2012-10-21 13:04 -------- d-----w- c:\program files\Citrix

2012-10-10 17:22 . 2012-08-31 17:18 1211760 ----a-w- c:\windows\system32\drivers\ntfs.sys

2012-10-10 17:22 . 2012-08-30 17:12 3914096 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-10-10 17:22 . 2012-08-10 23:56 542208 ----a-w- c:\windows\system32\kerberos.dll

2012-10-10 17:22 . 2012-08-30 17:12 3968880 ----a-w- c:\windows\system32\ntkrnlpa.exe

.

.

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-29 18:54 . 2012-02-08 21:27 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-11 20:49 . 2012-09-11 20:49 16304 ------w- c:\windows\system32\apl003.sys

2012-09-11 20:49 . 2012-09-11 20:49 13232 ------w- c:\windows\system32\apf003.sys

2012-09-11 18:23 . 2012-03-18 21:48 140480 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2012-09-11 18:23 . 2012-03-18 21:47 298016 ----a-w- c:\windows\system32\PnkBstrB.exe

2012-09-11 18:23 . 2012-03-18 21:47 298016 ----a-w- c:\windows\system32\PnkBstrB.xtr

2012-09-11 15:40 . 2012-03-18 21:47 76888 ----a-w- c:\windows\system32\PnkBstrA.exe

2012-09-11 15:39 . 2012-03-18 21:47 298016 ----a-w- c:\windows\system32\PnkBstrB.ex0

2012-09-11 15:31 . 2012-08-12 12:19 138056 ----a-w- c:\users\Ruben\AppData\Roaming\PnkBstrK.sys

2012-08-24 06:59 . 2012-09-25 22:30 1800704 ----a-w- c:\windows\system32\jscript9.dll

2012-08-24 06:51 . 2012-09-25 22:30 1129472 ----a-w- c:\windows\system32\wininet.dll

2012-08-24 06:51 . 2012-09-25 22:30 1427968 ----a-w- c:\windows\system32\inetcpl.cpl

2012-08-24 06:47 . 2012-09-25 22:30 142848 ----a-w- c:\windows\system32\ieUnatt.exe

2012-08-24 06:47 . 2012-09-25 22:30 420864 ----a-w- c:\windows\system32\vbscript.dll

2012-08-24 06:43 . 2012-09-25 22:30 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-08-22 17:16 . 2012-09-25 21:39 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-08-22 17:16 . 2012-09-25 21:39 240496 ----a-w- c:\windows\system32\drivers\netio.sys

2012-08-22 17:16 . 2012-09-25 21:39 712048 ----a-w- c:\windows\system32\drivers\ndis.sys

2012-08-22 17:16 . 2012-09-25 21:39 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS

2012-08-21 20:12 . 2012-09-25 21:39 245760 ----a-w- c:\windows\system32\OxpsConverter.exe

2012-08-12 12:19 . 2012-08-12 12:19 682280 ----a-w- c:\windows\system32\pbsvc.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2012-10-30 22:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-05-19 2736128]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HPConnectionManager"="c:\program files\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe" [2010-11-24 94264]

"HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe" [2010-11-15 13880]

"HPQuickWebProxy"="c:\program files\Hewlett-Packard\HP QuickWeb\hpqwutils.exe" [2010-11-18 65024]

"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-12 283160]

"File Sanitizer"="c:\program files\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2010-11-21 12270080]

"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-09-07 495708]

"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-08-29 1996200]

"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2011-04-25 305088]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2012-03-08 2333968]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"GrpConv"="grpconv -o" [X]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"Uhasselt Theme"="c:\windows\resources\themes\uhasselt.theme" [X]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

firstrun.bat [2011-6-16 132]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux2"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ DPPassFilter scecli

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]

2012-08-29 10:03 1996200 ----a-w- c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2012-07-28 01:09 4272064 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

R1 aswSnx;aswSnx; [x]

R1 aswSP;aswSP; [x]

R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]

R2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [x]

R2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [x]

R2 aswFsBlk;aswFsBlk; [x]

R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]

R2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [x]

R2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [x]

R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [x]

R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [x]

R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [x]

R2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]

R2 Passwdrenew;Passwdrenew;c:\windows\system32\rnpasswd.exe [x]

R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [x]

R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [x]

R2 uArcCapture;ArcCapture;c:\windows\system32\ArcVCapRender\uArcCapture.exe [x]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]

R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [x]

R2 WMCoreService;Mobile Broadband Service;c:\program files\Ericsson\Mobile Broadband Drivers\WMCore\mini_WMCore.exe servicemode [x]

R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtuele adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [x]

R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [x]

R3 apf003;apf003;c:\windows\system32\apf003.sys [x]

R3 ARCVCAM;ARCVCAM, ArcSoft Webcam Sharing Manager Driver;c:\windows\system32\DRIVERS\ArcSoftVCapture.sys [x]

R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [x]

R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]

R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [x]

R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv.sys [x]

R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]

R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [x]

R3 hpCMSrv;HP Connection Manager 4.0 Service;c:\program files\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [x]

R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]

R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]

R3 L6GX;Service - Line 6 GX;c:\windows\system32\Drivers\L6GX.sys [x]

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]

R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [x]

R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]

R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]

R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]

R3 vtany;vtany;c:\windows\vtany.sys [x]

R3 WatAdminSvc;Windows Activation Technologies-service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R3 XDva397;XDva397;c:\windows\system32\XDva397.sys [x]

R3 xhunter1;xhunter1;c:\windows\xhunter1.sys [x]

R3 xsherlock;xsherlock;c:\windows\system32\xsherlock.xem [x]

S0 johci;JMicron 1394 Filter Driver;c:\windows\system32\DRIVERS\johci.sys [x]

S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [x]

S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [x]

S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series adapter stuurprogramma onder Windows 7 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

GPSvcGroup REG_MULTI_SZ GPSvc

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2010-05-19 08:36 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Inhoud van de 'Gedeelde Taken' map

.

2012-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-811656452-541211027-1334658650-1007Core.job

- c:\users\Ruben\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-25 11:18]

.

2012-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-811656452-541211027-1334658650-1007UA.job

- c:\users\Ruben\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-25 11:18]

.

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://www.ua.ac.be/

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

Trusted Zone: clonewarsadventures.com

Trusted Zone: freerealms.com

Trusted Zone: line6.net

Trusted Zone: soe.com

Trusted Zone: sony.com

.

- - - - ORPHANS VERWIJDERD - - - -

.

HKLM-RunOnce-<NO NAME> - (no file)

.

.

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]

"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\xsherlock]

"ImagePath"="c:\windows\system32\xsherlock.xem"

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

.

- - - - - - - > 'lsass.exe'(532)

c:\windows\system32\DPFPApi.DLL

.

Voltooingstijd: 2012-11-05 21:25:40

ComboFix-quarantined-files.txt 2012-11-05 20:25

ComboFix2.txt 2012-11-04 23:11

ComboFix3.txt 2012-11-01 21:23

ComboFix4.txt 2012-07-04 20:01

ComboFix5.txt 2012-11-05 20:20

.

Pre-Run: 32.918.245.376 bytes beschikbaar

Post-Run: 32.962.088.960 bytes beschikbaar

.

- - End Of File - - A0AB86F19692BFA7E4636D7B2F96E064


Open a Notepad file.

Copy and paste the bold text below into it.

File::

c:\program files\GUM1E87.tmp

c:\windows\system32\XDva397.sys

c:\windows\xhunter1.sys

Driver::

XDva397

xhunter1

Save this file on your desktop as CFScript.

Drag CFScript.txt onto ComboFix.exe

This will make ComboFix restart. Reboot if asked.

After the reboot, post the contents of Combofix.txt in your next message.

Of course it is possible that unwanted changes have been made to the registry. The fix above removes a number of malware-related problems, but the range of difficulties you are struggling with is very diverse.

Have you already tried restoring the PC via System Restore to a restore point from before these various problems started? That might (possibly) solve all the problems in one go.

edited by kape