Politievirus

[centrino]

Beste, ik ben slachtoffer geworden van het politievirus. Normaal gezien zou ik een HijackThis logje willen maken, maar dit lukt me niet. Ik heb al geprobeerd in veilige modus op te starten, maar telkens ik in veilige modus kom, meldt de computer zich af en start de computer terug opnieuw op. Kunnen jullie mij hiermee helpen?

Alvast bedankt!

[Jion]

Hoi centrino,

Download "HitmanPro" via de onderstaande link bijvoorbeeld naar het bureaublad op een niet geïnfecteerde computer

Klik hier om de uitgebreide handleiding te raadplegen

• HitmanPro downloaden.(Kies hier de 32 of 64 bit versie).
  
  • HitmanPro (32bit)
    
  • HitmanPro (64bit)
    

  [*] Dubbelklik op HitmanPro36.exe of HitmanPro36_64.exe om het programma op te starten.

  [*] Klik in het beginscherm op de "Kickstartknop" zoals u kunt zien in het onderstaande rode kader.

  

  [*] Indien er reeds een USB-stick is aangesloten zal HitmanPro Kickstart deze automatisch herkennen en weergeven.

  [*] Klik deze USB-stick éénmaal aan waarna u de keuze krijgt om Kickstart te installeren op de USB-stick.

• Voordat HitmanPro.Kickstart wordt geïnstalleerd wordt de USB-stick opnieuw geformatteerd.
  Waarschuwing! Bij het opnieuw formatteren gaan alle gegevens verloren die op de USB-stick zijn opgeslagen.
  

• Nadat de HitmanPro Kickstart USB-stick is aangemaakt zal deze automatisch “veilig verwijderd” worden van het betreffende systeem waarop deze is aangemaakt.
  
• Start de geïnfecteerde computer op van de HitmanPro.Kickstart USB-stick. (Hoe u de computer van een USB-stick kunt opstarten lees u hier)
  

• Vink de optie "Ik accepteer de voorwaarden van de gebruikersovereenkomst aan" en klik op "Volgende"
  
• Klik in het setup scherm nu nogmaals op "Volgende", nu zal automatisch de scan starten, doe verder niets op de computer totdat de scan gereed is.
  
• Als de scan klaar is klik je op "volgende"
  
• Activeer nu de gratis licentie, hiermee kunt u 30 dagen gratis HitmanPro gebruiken en de gevonden infecties verwijderen.
  
• Note: indien u reeds eerder gebruik hebt gemaakt van de 30 dagen trial-versie van HitmanPro is het niet meer mogelijk om gratis de gevonden infecties te verwijderen.
  
• Als het verwijderen gereed is klik je onderin het scherm op "Save log" of "Logbestand opslaan" en sla deze op bijvoorbeeld het bureaublad op.
  Post dit logje.
  
• Klik nu op de knop "Herstarten".
  

[centrino]

Beste Jion

hierbij het logbestandje van HitmanPro:

HitmanPro 3.7.6.201
www.hitmanpro.com

  Computer name . . . . : ZJEF-PC
  Windows . . . . . . . : 6.1.1.7601.X86/2
  User name . . . . . . : NT AUTHORITY\SYSTEM
  UAC . . . . . . . . . : Disabled
  License . . . . . . . : Trial (30 days left)

  Scan date . . . . . . : 2013-07-29 19:07:40
  Scan mode . . . . . . : Normal
  Scan duration . . . . : 11m 32s
  Disk access mode  . . : Direct disk access (SRB)
  Cloud . . . . . . . . : Internet
  Reboot  . . . . . . . : Yes

  Threats . . . . . . . : 33
  Traces  . . . . . . . : 431

  Objects scanned . . . : 2.102.939
  Files scanned . . . . : 146.790
  Remnants scanned  . . : 790.442 files / 1.165.707 keys

Malware _____________________________________________________________________

  C:\Users\Zjef\AppData\Local\Temp\71987846.exe -> Quarantined
     Size . . . . . . . : 172.032 bytes
     Age  . . . . . . . : 12.3 days (2013-07-17 12:26:03)
     Entropy  . . . . . : 6.8
     SHA-256  . . . . . : 60838A96D76D98DD227DD42DF39B84262590D7A4D75E61DE5C5AB88D265D17FD
   > Ikarus . . . . . . : Trojan.Win32.Urausy!IK
     Fuzzy  . . . . . . : 99.0

  C:\Users\Zjef\AppData\Roaming\cache.dat -> Quarantined
     Size . . . . . . . : 172.032 bytes
     Age  . . . . . . . : 12.3 days (2013-07-17 12:26:58)
     Entropy  . . . . . : 6.8
     SHA-256  . . . . . : 60838A96D76D98DD227DD42DF39B84262590D7A4D75E61DE5C5AB88D265D17FD
   > Ikarus . . . . . . : Trojan.Win32.Urausy!IK
     Fuzzy  . . . . . . : 153.0
        One or more antivirus vendors have indicated that the file is malicious.
        Substitutes Explorer.exe as the default shell. Malware tends to start this way.
        This file was most recently added as automatic startup.
        The file name extension of this program is not common.
        Authors name is missing in version info. This is not common to most programs.
        Version control is missing. This file is probably created by an individual. This is not typical for most programs.
        Program starts automatically without user intervention.
        Time indicates that the file appeared recently on this computer.
     Startup
        HKU\S-1-5-21-3609507806-3768346546-1524884971-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
     Forensic Cluster
        -49.1s C:\Users\Zjef\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GEW13NC0\p[1].js
        -26.7s C:\Users\Zjef\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LUI4J2CP\InfoBar[6].ashx
        -3.9s C:\Users\Zjef\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WCGYS0ZL\p[2].js
         0.0s C:\Users\Zjef\AppData\Roaming\cache.dat


Suspicious files ____________________________________________________________

  C:\Windows\Temp\nsj832A.tmp\nsisdt.dll
     Size . . . . . . . : 5.632 bytes
     Age  . . . . . . . : 71.4 days (2013-05-19 10:09:08)
     Entropy  . . . . . : 2.8
     SHA-256  . . . . . : 2261027077F23C8DBA6B72AF28862832AAA059740D0F5634B46CABB14326DD10
     Fuzzy  . . . . . . : 22.0
        The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
        Authors name is missing in version info. This is not common to most programs.
        Version control is missing. This file is probably created by an individual. This is not typical for most programs.
        Program contains PE structure anomalies. This is not typical for most programs.

  C:\Windows\Temp\nsl7D2E.tmp\nsisdt.dll
     Size . . . . . . . : 5.632 bytes
     Age  . . . . . . . : 48.7 days (2013-06-11 01:32:05)
     Entropy  . . . . . : 2.8
     SHA-256  . . . . . : 2261027077F23C8DBA6B72AF28862832AAA059740D0F5634B46CABB14326DD10
     Fuzzy  . . . . . . : 22.0
        The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
        Authors name is missing in version info. This is not common to most programs.
        Version control is missing. This file is probably created by an individual. This is not typical for most programs.
        Program contains PE structure anomalies. This is not typical for most programs.

  C:\Windows\Temp\nsw7773.tmp\nsisdt.dll
     Size . . . . . . . : 5.632 bytes
     Age  . . . . . . . : 147.8 days (2013-03-04 01:02:33)
     Entropy  . . . . . : 2.8
     SHA-256  . . . . . : 2261027077F23C8DBA6B72AF28862832AAA059740D0F5634B46CABB14326DD10
     Fuzzy  . . . . . . : 22.0
        The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
        Authors name is missing in version info. This is not common to most programs.
        Version control is missing. This file is probably created by an individual. This is not typical for most programs.
        Program contains PE structure anomalies. This is not typical for most programs.

  C:\Windows\Temp\TMP00000003E053B38C5FC86D06
     Size . . . . . . . : 524.288 bytes
     Age  . . . . . . . : 1082.6 days (2010-08-12 05:33:30)
     Entropy  . . . . . : 8.0
     SHA-256  . . . . . : A3B095206192B65CF5E6F6575383BCD20019E6DE4926151B98F12E994F49E6B3
     Product  . . . . . : Microsoft® Windows® Operating System
     Publisher  . . . . : Microsoft Corporation
     Description  . . . : MS AHCI 1.0 Standard Driver
     Version  . . . . . : 6.1.7600.16385
     Copyright  . . . . : © Microsoft Corporation. All rights reserved.
     Fuzzy  . . . . . . : 52.0
        The file is hidden from Windows API. This is typical for malware.
        The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
        Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
        The file name extension of this program is not common.
        The file is a device driver. Device drivers run as trusted (highly privileged) code.


Potential Unwanted Programs _________________________________________________

  C:\Program Files\DealPly\ (Delta Search)
  C:\Program Files\DealPly\DealPly.crx (Delta Search)
  C:\Program Files\DealPly\DealPlyIE.dll (Delta Search)
     Size . . . . . . . : 83.048 bytes
     Age  . . . . . . . : 377.0 days (2012-07-17 19:43:47)
     Entropy  . . . . . : 6.3
     SHA-256  . . . . . : C28C50700C5560D834B058E0CA816E1CCD003E77FB58777F55CD4B9D015F9013
     Product  . . . . . : http://www.dealply.com/
     Publisher  . . . . : DealPly Technologies Ltd
     Description  . . . : DealPly for Internet Explorer
     Version  . . . . . : 2.0.0.0
     Copyright  . . . . : Copyright © 2011 DealPly Technologies Ltd
     RSA Key Size . . . : 2048
     Authenticode . . . : Valid
     Fuzzy  . . . . . . : -11.0
     Startup
        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\
     References
        HKLM\SOFTWARE\Classes\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\
        HKU\S-1-5-21-3609507806-3768346546-1524884971-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\

  C:\Program Files\DealPly\DealPlyTune.dll (Delta Search)
     Size . . . . . . . : 71.272 bytes
     Age  . . . . . . . : 377.0 days (2012-07-17 19:43:48)
     Entropy  . . . . . : 6.4
     SHA-256  . . . . . : CDF6791EEB0EE9FBC9BBA1E96694B708EC51F0B10B68941E96D62AB217F84D4C
     Product  . . . . . : DealPlyTune.dll
     Publisher  . . . . : DealPly Technologies Ltd.
     Description  . . . : http://www.dealply.com/
     Version  . . . . . : 1.0.0.1
     Copyright  . . . . : Copyright (C) 2011 DealPly Technologies Ltd.
     RSA Key Size . . . : 2048
     Authenticode . . . : Valid
     Fuzzy  . . . . . . : -15.0

  C:\Program Files\DealPly\DealPlyUpdate.exe (Delta Search)
     Size . . . . . . . : 77.848 bytes
     Age  . . . . . . . : 377.0 days (2012-07-17 19:43:47)
     Entropy  . . . . . : 6.9
     SHA-256  . . . . . : D0897A8D526FCF7DFE30D0838418DCB9773750B915A3A3C6757DAD7EDED543FD
     Product  . . . . . : DealPly Update
     Publisher  . . . . : DealPly
     Description  . . . : http://www.dealply.com/
     Version  . . . . . : 2.0.0.0
     Copyright  . . . . : Copyright (C) 2011 DealPly Technologies Ltd.
     RSA Key Size . . . : 2048
     Authenticode . . . : Valid
     Fuzzy  . . . . . . : -15.0

  C:\Program Files\DealPly\DealPlyUpdate.log (Delta Search)
  C:\Program Files\DealPly\DealPlyUpdateRun.exe (Delta Search)
     Size . . . . . . . : 81.512 bytes
     Age  . . . . . . . : 377.0 days (2012-07-17 19:43:47)
     Entropy  . . . . . : 6.2
     SHA-256  . . . . . : 20CB45A68990055DFDE65AC284AE15F1D7E50FD9DE588C545EB5462A955555CB
     Product  . . . . . : DealPlyUpdateRun
     Publisher  . . . . : DealPly
     Description  . . . : DealPlyUpdateRun
     Version  . . . . . : 1.0.0.0
     Copyright  . . . . : Copyright (C) 2011 DealPly Technologies Ltd.
     RSA Key Size . . . : 2048
     Authenticode . . . : Valid
     Fuzzy  . . . . . . : -15.0

  C:\Program Files\DealPly\icon.ico (Delta Search)
  C:\Program Files\DealPly\uninst.exe (Delta Search)
     Size . . . . . . . : 89.472 bytes
     Age  . . . . . . . : 377.0 days (2012-07-17 19:43:51)
     Entropy  . . . . . : 7.1
     SHA-256  . . . . . : BD7C685D3434017B299AC53B04A434BE7D03275DF8DCE8C3FEB3D1CE1E626EBD
     Product  . . . . . : DealPly
     Publisher  . . . . : DealPly
     Description  . . . : http://www.dealply.com/
     Version  . . . . . : 3.0.0.0
     Copyright  . . . . : Copyright (C) 2011 DealPly Technologies Ltd.
     Fuzzy  . . . . . . : -8.0

  C:\ProgramData\Babylon\ (Babylon)
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DealPly\ (Delta Search)
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DealPly\DealPly Help.lnk (Delta Search)
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DealPly\DealPly.lnk (Delta Search)
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DealPly\Uninstall DealPly.lnk (Delta Search)
  C:\Users\Zjef\AppData\Roaming\Babylon\ (Babylon)
  C:\Users\Zjef\AppData\Roaming\Babylon\log_file.txt (Babylon)
  C:\Users\Zjef\AppData\Roaming\DealPly\ (Delta Search)
  C:\Users\Zjef\AppData\Roaming\DealPly\UpdateProc\ (Delta Search)
  C:\Users\Zjef\AppData\Roaming\DealPly\UpdateProc\config.dat (Delta Search)
  C:\Users\Zjef\AppData\Roaming\DealPly\UpdateProc\UpdateTask.exe (Delta Search)
     Size . . . . . . . : 93.752 bytes
     Age  . . . . . . . : 140.9 days (2013-03-10 22:07:28)
     Entropy  . . . . . : 6.5
     SHA-256  . . . . . : D8EFBD51B9AFF12849EFECA4E234C725CD6624093EBC909AFF1F49983CECFD79
     RSA Key Size . . . : 2048
     Authenticode . . . : Valid
     Fuzzy  . . . . . . : -1.0

  C:\Users\Zjef\Local Settings\Temp\BabylonToolbar\ (Babylon)
  HKLM\SOFTWARE\Babylon\ (Babylon)
  HKLM\SOFTWARE\Classes\AppID\escort.DLL\ (Funmoods)
  HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ (Funmoods)
  HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4eaf-B541-F8DE92DD98DB}\ (Babylon)
  HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1\ (Babylon)
  HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr\ (Babylon)
  HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B}\ (Babylon)
  HKLM\SOFTWARE\Classes\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\ (Delta Search)
  HKLM\SOFTWARE\Classes\Prod.cap\ (Claro)
  HKLM\SOFTWARE\DataMngr\ (SearchQU)
  HKLM\SOFTWARE\DealPly\ (Delta Search)
  HKLM\SOFTWARE\Google\Chrome\Extensions\gaiilaahiahdejapggenmdmafpmbipje\ (Delta Search)
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\ (Delta Search)
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DealPly\ (Delta Search)
  HKU\.DEFAULT\Software\DealPly\ (Delta Search)
  HKU\S-1-5-18\Software\DealPly\ (Delta Search)
  HKU\S-1-5-21-3609507806-3768346546-1524884971-1000\Software\DataMngr\ (SearchQU)
  HKU\S-1-5-21-3609507806-3768346546-1524884971-1000\Software\DataMngr_Toolbar\ (SearchQU)
  HKU\S-1-5-21-3609507806-3768346546-1524884971-1000\Software\DealPly\ (Delta Search)
  HKU\S-1-5-21-3609507806-3768346546-1524884971-1000\Software\Google\Chrome\Extensions\gaiilaahiahdejapggenmdmafpmbipje\ (Delta Search)
  HKU\S-1-5-21-3609507806-3768346546-1524884971-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ (Babylon)
  HKU\S-1-5-21-3609507806-3768346546-1524884971-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}\ (Babylon)
  HKU\S-1-5-21-3609507806-3768346546-1524884971-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\ (Delta Search)
  HKU\S-1-5-21-3609507806-3768346546-1524884971-1000\Software\Softonic\ (Softonic)

alvast bedankt!

[Jion]

Download zoek.exe naar het bureaublad.

Schakel je antivirus- en antispywareprogramma's uit, mogelijk kunnen ze conflicteren met zoek.exe

(hier of hier) kan je lezen hoe je dat doet.

• 
  
• Dubbelklik op Zoek.exe om de tool te starten.
  
• Windows Vista, 7 en 8 gebruikers dienen de tool als "administrator" uit te voeren door middel van de rechtermuisknop en kiezen voor Als Administrator uitvoeren.
  
• Kopieer nu onderstaande code en plak die in het grote invulvenster:
  
• Note: Dit script is speciaal bedoeld voor deze PC, gebruik dit dan ook niet op andere PC's met een gelijkaardig probleem.
  

 
startupall; 
filesrcm; 
autoclean;

• 
  
• Klik nu op de knop "Run script".
  
• Wacht nu geduldig af tot er een logje opent (dit kan na een herstart zijn als deze benodigd is).
  
• Mocht na de herstart geen logje verschijnen, start zoek.exe dan opnieuw, de log verschijnt dan alsnog.
  
• Post het geopende logje in het volgende bericht.
  

[centrino]

Beste Jion

ik heb de zoek.exe uitgevoerd als Administrator. Ik krijg echter geen logje te zien. Ook niet wanneer ik de computer herstart. Ik heb daarna gezocht naar zoek-results.log (zoals voorgesteld vanuit het programma zelf), ook op deze manier kan ik het logbestandje niet vinden... Ik zal iets verkeerd doen, maar weet niet goed wat...

[Jion]

Heb je Zoek laten doen tot hij uit zichzelf meldt dat alles afgerond is?

Voer bovenstaande anders nogmaals uit.

[centrino]

Oei, duidelijk niet geduldig genoeg geweest. Nu is het wel gelukt, hier heb je het logbestandje:

Zoek.exe Version 4.0.0.4 Updated 30-07-2013

Tool run by Zjef on di 30/07/2013 at 13:34:23,67.

Microsoft Windows 7 Ultimate 6.1.7601 Service Pack 1 x86

Running in: Normal Mode Internet Access Detected

Launched: C:\Users\Zjef\Desktop\zoek.exe [script inserted]

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-3609507806-3768346546-1524884971-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} deleted successfully

HKEY_USERS\S-1-5-21-3609507806-3768346546-1524884971-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69} deleted successfully

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== Deleting Files \ Folders ======================

"C:\Program Files\GUT4ADB.tmp" deleted

"C:\Users\Zjef\AppData\Roaming\cache.ini" deleted

"C:\Windows\System32\Tasks\DealPly" deleted

"C:\Windows\System32\Tasks\DealPlyUpdate" deleted

"C:\Users\Public\sdelevURL.tmp" deleted

"C:\user.js" deleted

"C:\Program Files\BearShare Applications\MediaBar\Datamngr\datamngrUI.exe" deleted

"C:\Program Files\GUM4ADA.tmp" deleted

"C:\Program Files\BearShare Applications\MediaBar" deleted

"C:\Program Files\DealPly" deleted

"C:\Users\Zjef\AppData\Roaming\Babylon" deleted

"C:\Users\Zjef\AppData\Roaming\DealPly" deleted

"C:\ProgramData\Babylon" deleted

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DealPly" deleted

"C:\Users\Zjef\AppData\Local\PackageAware" deleted

"C:\Users\Zjef\AppData\LocalLow\mediabarbs" deleted

"C:\Program Files\BearShare Applications\MediaBar\Datamngr" deleted

==== Files Recently Created / Modified ======================

====== C:\Windows ====

====== C:\Users\Zjef\AppData\Local\Temp ====

====== C:\Windows\system32 =====

2013-07-29 17:26:00 452BCEAE7718C96E67F2E186B05CDF3D 910 ----a-w- C:\Windows\System32\.crusader

2013-07-26 10:42:58 BF1D2CFAE91C1E835902ECA27F8F7470 2706432 ----a-w- C:\Windows\System32\mshtml.tlb

2013-07-26 10:42:57 52F71A5790E1B6FFC34648F3B311EEE1 690688 ----a-w- C:\Windows\System32\jscript.dll

2013-07-26 10:42:55 CB811C14C225DD07B98E676DFB0221E6 2877440 ----a-w- C:\Windows\System32\jscript9.dll

2013-07-26 10:42:54 B6A67646BD7E3A0AF2515703CBBD9A1C 61440 ----a-w- C:\Windows\System32\iesetup.dll

2013-07-26 10:42:54 AC9A9B64AF7005E488390E38AE00D117 39424 ----a-w- C:\Windows\System32\jsproxy.dll

2013-07-26 10:42:54 6A32A12A2C76B729D6485D04FCFB2175 391168 ----a-w- C:\Windows\System32\ieui.dll

2013-07-26 10:42:52 F4A608A800C1BB6838797390CBBC1269 33280 ----a-w- C:\Windows\System32\iernonce.dll

2013-07-26 10:42:52 EED047A0C528813D6AAF4F4F8B2C40C4 493056 ----a-w- C:\Windows\System32\msfeeds.dll

2013-07-26 10:42:52 DED7DCF831A05D21F49510EA03F8F2C5 109056 ----a-w- C:\Windows\System32\iesysprep.dll

2013-07-26 10:42:52 6D404DDC4D0C13350E8EF0DD0421A7ED 42496 ----a-w- C:\Windows\System32\ie4uinit.exe

2013-07-26 10:42:52 225D276C730DF08CC83EABAC407F0D75 1141248 ----a-w- C:\Windows\System32\urlmon.dll

2013-07-26 10:42:52 0D2F075863C2FA4F84FB95AC00B95151 71680 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe

2013-07-26 10:42:51 FE29131E35902038066C924CF9C59DF8 2046976 ----a-w- C:\Windows\System32\iertutil.dll

2013-07-26 10:42:49 9BF7C7654EFD098EE3A27B49492A382A 1767936 ----a-w- C:\Windows\System32\wininet.dll

2013-07-26 10:42:47 CC3FD6DEEE458D0BE9A69241E0749717 13760512 ----a-w- C:\Windows\System32\ieframe.dll

2013-07-26 10:42:44 AF31E7D2C385F647ADFD5F5736B3BA64 14329856 ----a-w- C:\Windows\System32\mshtml.dll

====== C:\Windows\system32\drivers =====

2013-07-29 17:29:13 05E0D8EE7D6FAB5CB672FEC3AAD93AA0 30464 ----a-w- C:\Windows\System32\drivers\hitmanpro37.sys

====== C:\Windows\Tasks ======

====== C:\Windows\Temp ======

======= C:\Program Files =====

======= C: =====

2013-07-17 10:51:33 0126334AE898D0773CBB45DFDF5A16A3 6608 ------w- C:\bootsqm.dat

====== C:\Users\Zjef\AppData\Roaming ======

====== C:\Users\Zjef ======

2013-07-29 17:05:55 -------- d-----w- C:\ProgramData\HitmanPro

====== C: exe-files ==

2013-07-26 10:42:49 30E7CA4620500FE012EB464F0E1DE91E 770648 ----a-w- C:\Program Files\Internet Explorer\iexplore.exe

=== C: other files ==

2013-07-29 17:29:13 05E0D8EE7D6FAB5CB672FEC3AAD93AA0 30464 ----a-w- C:\Windows\System32\drivers\hitmanpro37.sys

==== Startup Registry Enabled ======================

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="%ProgramFiles%\Windows\Sidebar.exe /autoRun"

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="%ProgramFiles%\Windows\Sidebar.exe /autoRun"

[HKEY_USERS\S-1-5-21-3609507806-3768346546-1524884971-1000\Software\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe /background"

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

"AutoStartNPSAgent"="C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe"

"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe -onlytray"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SPReview"="C:\Windows\System32\SPReview\SPReview.exe /sp:1 /errorfwlink:Troubleshoot problems installing Service Pack 1 (SP1) for Windows 7 and Windows Server 2008 R2 /build:7601"

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"mctadmin"="C:\Windows\System32\mctadmin.exe"

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"mctadmin"="C:\Windows\System32\mctadmin.exe"

[HKEY_USERS\S-1-5-21-3609507806-3768346546-1524884971-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="C:\Windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe -update activex"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SPReview"="C:\Windows\System32\SPReview\SPReview.exe /sp:1 /errorfwlink:Troubleshoot problems installing Service Pack 1 (SP1) for Windows 7 and Windows Server 2008 R2 /build:7601"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

"IgfxTray"="C:\Windows\system32\igfxtray.exe"

"HotKeysCmds"="C:\Windows\system32\hkcmd.exe"

"Persistence"="C:\Windows\system32\igfxpers.exe"

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe -atboottime"

"DATAMNGR"="C:\PROGRA~1\BEARSH~1\MediaBar\Datamngr\DATAMN~1.EXE"

"beid"="C:\Program Files\Belgium Identity Card\beid35gui.exe /startup"

"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe"

"APSDaemon"="C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe /background"

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

"AutoStartNPSAgent"="C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe"

"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe -onlytray"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="C:\Windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe -update activex"

==== Startup Folders ======================

2011-05-24 13:51:23 1284 ----a-w- C:\users\Zjef\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Schermopname en Snel starten.lnk

==== Task Scheduler Jobs ======================

C:\Windows\tasks\GoogleUpdateTaskMachineCore.job --a------ C:\Program Files\Google\Update\GoogleUpdate.exe [26/04/2010 16:21]

C:\Windows\tasks\GoogleUpdateTaskMachineUA.job --a------ C:P0C:\ProgramC:Files\Google\Update\GoogleUpdate.exe []

==== Chrome Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions

gaiilaahiahdejapggenmdmafpmbipje - C:\Program Files\DealPly\DealPly.crx[]

HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions

gaiilaahiahdejapggenmdmafpmbipje - C:\Program Files\DealPly\DealPly.crx[]

DealPly - Zjef - Default\Extensions\gaiilaahiahdejapggenmdmafpmbipje

==== Chrome Fix ======================

C:\Users\Zjef\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaiilaahiahdejapggenmdmafpmbipje deleted successfully

==== Set IE to Default ======================

Old Values:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

"Start Page"="Google"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]

"DefaultScope"="{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}] not found

New Values:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

"Start Page"="Google"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]

"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes

{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="{searchTerms} - Bing"

{2103BE3E-B401-4784-8793-F84F58E03741} Google Url="{searchTerms} - Google zoeken"

{6A1806CD-94D4-4689-BA73-E35EA1EA9990} Google Url="{searchTerms} - Google Search}"

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-3609507806-3768346546-1524884971-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} deleted successfully

HKEY_USERS\S-1-5-21-3609507806-3768346546-1524884971-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} deleted successfully

HKEY_USERS\S-1-5-21-3609507806-3768346546-1524884971-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448} deleted successfully

HKEY_USERS\S-1-5-21-3609507806-3768346546-1524884971-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448} deleted successfully

HKEY_USERS\S-1-5-21-3609507806-3768346546-1524884971-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E} deleted successfully

HKEY_USERS\S-1-5-21-3609507806-3768346546-1524884971-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E} deleted successfully

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} deleted successfully

HKEY_CLASSES_ROOT\CLSID\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} deleted successfully

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} deleted successfully

HKEY_CLASSES_ROOT\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448} deleted successfully

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448} deleted successfully

HKEY_CLASSES_ROOT\CLSID\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E} deleted successfully

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E} deleted successfully

==== Deleting CLSID Registry Values ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} deleted successfully

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\gaiilaahiahdejapggenmdmafpmbipje deleted successfully

HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\gaiilaahiahdejapggenmdmafpmbipje deleted successfully

==== Empty IE Cache ======================

C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

C:\Users\Zjef\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

C:\Users\Zjef\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully

C:\Users\Zjef\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5 emptied successfully

C:\Users\Zjef\AppData\Local\Temp\Temporary Internet Files\Content.IE5 emptied successfully

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

C:\Windows\serviceprofiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

C:\Windows\serviceprofiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5 emptied successfully

C:\Windows\serviceprofiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

No FireFox Profiles found

==== Empty Chrome Cache ======================

C:\users\Zjef\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied

C:\Users\Zjef\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on di 30/07/2013 at 14:34:57,04 ======================

[Jion]

Schakel je antivirus- en antispywareprogramma's uit, mogelijk kunnen ze conflicteren met zoek.exe

(hier of hier) kan je lezen hoe je dat doet.

• 
  
• Dubbelklik op Zoek.exe om de tool te starten.
  
• Windows Vista, 7 en 8 gebruikers dienen de tool als "administrator" uit te voeren door middel van de rechtermuisknop en kiezen voor Als Administrator uitvoeren.
  
• Kopieer nu onderstaande code en plak die in het grote invulvenster:
  
• Note: Dit script is speciaal bedoeld voor deze PC, gebruik dit dan ook niet op andere PC's met een gelijkaardig probleem.
  

 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run];r
"DATAMNGR"=-;r

• 
  
• Klik nu op de knop "Run script".
  
• Wacht nu geduldig af tot er een logje opent (dit kan na een herstart zijn als deze benodigd is).
  
• Mocht na de herstart geen logje verschijnen, start zoek.exe dan opnieuw, de log verschijnt dan alsnog.
  
• Post het geopende logje in het volgende bericht.
  

[centrino]

Beste

hierbij het logje:

Zoek.exe Version 4.0.0.4 Updated 30-07-2013

Tool run by Zjef on di 30/07/2013 at 15:52:43,91.

Microsoft Windows 7 Ultimate 6.1.7601 Service Pack 1 x86

Running in: Normal Mode Internet Access Detected

Launched: C:\Users\Zjef\Desktop\zoek.exe [script inserted]

==== Registry Fix Code ======================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DATAMNGR"=-

==== EOF on di 30/07/2013 at 15:53:29,67 ======================

[Jion]

Je systeem is terug clean. Tijd voor de grote schoonmaak:

Download Delfix by Xplode naar het bureaublad.

Dubbelklik op Delfix.exe om de tool te starten.

Zet nu vinkjes voor de volgende items:

• 
  
• Activate UAC
  
• Remove disinfection tools
  
• Create registry backup
  
• Purge System Restore
  
• Reset system settings
  

Klik nu op "Run" en wacht geduldig tot de tool gereed is.

Wanneer de tool gereed is wordt er een logbestand aangemaakt. Dit hoeft u echter niet te plaatsen.

Hoewel de problemen nu verholpen zijn adviseer ik je nog wel om de onderstaande tips uit te voeren:

1) Windows updates

Malware maakt heel vaak gebruik van securitylekken in software. Zorg daarom dat je Windows geupdate is. De beste manier is dat je dit automatisch laat gebeuren via Windows Update. Laat de updates automatisch downloaden en installeren. Op deze manier heb je telkens de nieuwste updates en securitypatches voor je besturingssysteem.

2) Software up-to-date houden

Veel malware komt je computer binnen via lekken in de software die je gebruikt. Het is daarom belangrijk om je systeem up-to-date te houden. Om dit makkelijker te maken kun je gebruik maken van Secunia PSI.

Download Secunia PSI op deze website en installeer deze. Maak van dit programma gebruik om je systeem up-to-date te houden.

3) Malwarepreventie

Bekijk ook eens aandachtig DEZE anti-malware tips. Dankzij deze tips kan je de kans op infecties in de toekomst sterk verminderen.

Als je verder geen vragen meer hebt, mag je op de knop "Markeer als Opgelost" klikken.