cd speler wordt niet herkend

kape · 6 maart 2012

Download ComboFix van één van deze locaties:

* BELANGRIJK !!! Sla ComboFix.exe op je Bureaublad op

1. Schakel alle antivirus- en antispywareprogramma's uit, want anders kunnen ze misschien conflicteren met ComboFix. Hier is een handleiding over hoe je ze kan uitschakelen:

Klik hier

2. Het kan voorkomen dat de computer meerdere malen opnieuw gestart moet worden, dit is normaal.

3. Dubbelklik op "Combofix.exe" om de tool te starten.

4. Klik niet in het scherm van Combofix als deze actief is, hierdoor kan de 'tool' vastlopen.

Noot !!! Als er een error wordt getoond met de melding "Illegal operation attempted on a registery key that has been marked for deletion", herstart dan de computer.

5. Wanneer ComboFix klaar is, zal het het een logbestand voor je maken. Post de inhoud van dit logbestand (te vinden als C:\ComboFix.txt) in je volgende bericht.

djiemmie · 7 maart 2012

Hallo kape,

Toen ik deze middag mijn laptop opstartte, was mijn bureaublad gewoon zwart, en kon ik geen foto meer plaatsen... na installatie van combofix, en toen combofix begon te lopen verscheen het opeens weer wel...?...

toen combofix klaar was en het logje verscheen, kon ik even niet veel meer doen, zelfs niet op internet of avast opnieuw starten (om het opnieuw in te schakelen) . Bij alles wat ik aanklikte verscheen "Er is geprobeerd een ongeldige bewerking uit te voeren op een registersleutel die is gemarkeerd voor verwijdering".

Na opnieuw opstarten, lukte dit alles gelukkig weer wel, dus hierbij het logje van combofix

ComboFix 12-03-06.01 - tim 07/03/2012 13:35:55.1.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.32.1043.18.2046.919 [GMT 1:00]

Gestart vanuit: c:\users\tim\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

FW: ZoneAlarm Free Firewall *Disabled* {E6380B7E-D4B2-19F1-083E-56486607704B}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\users\tim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4 .lnk

.

Besmet exemplaar van c:\windows\system32\userinit.exe werd aangetroffen en gedesinfecteerd

Hersteld exemplaar van - c:\combofix\HarddiskVolumeShadowCopy3_!Windows!System32!userinit.exe

.

(((((((((((((((((((( Bestanden Gemaakt van 2012-02-07 to 2012-03-07 ))))))))))))))))))))))))))))))

.

2012-03-07 12:47 . 2012-03-07 12:47 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-03-06 16:06 . 2012-03-06 16:06 -------- d-----w- c:\users\tim\AppData\Roaming\Malwarebytes

2012-03-06 16:05 . 2012-03-06 16:05 -------- d-----w- c:\programdata\Malwarebytes

2012-03-06 16:05 . 2012-03-06 16:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-03-06 16:05 . 2011-12-10 14:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-06 10:24 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3A74F703-5D8E-4681-B6B8-C7FFCFA53EE0}\mpengine.dll

2012-03-05 17:35 . 2012-03-05 17:35 388096 ----a-r- c:\users\tim\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2012-03-05 17:35 . 2012-03-05 17:35 -------- d-----w- c:\program files\Trend Micro

2012-03-05 16:12 . 2012-03-05 16:12 -------- d-----w- c:\users\tim\AppData\Local\ElevatedDiagnostics

2012-02-28 10:43 . 2012-02-28 14:00 -------- d-----w- c:\programdata\tmp

2012-02-28 10:40 . 2012-02-28 10:40 -------- d-----w- c:\program files\Pixum

2012-02-20 17:51 . 2012-02-20 17:51 -------- d-----w- c:\program files\Common Files\Java

2012-02-20 17:49 . 2012-02-20 17:49 -------- d-----w- c:\program files\Java

2012-02-20 17:46 . 2012-02-20 17:46 -------- d-----w- c:\windows\Sun

2012-02-17 09:43 . 2011-12-20 10:56 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

2012-02-17 09:43 . 2011-12-15 06:17 743424 ----a-w- c:\program files\Internet Explorer\iedvtool.dll

2012-02-17 09:43 . 2011-12-15 06:21 129536 ----a-w- c:\program files\Internet Explorer\sqmapi.dll

2012-02-17 09:43 . 2011-12-15 06:17 247808 ----a-w- c:\program files\Internet Explorer\ieproxy.dll

2012-02-17 09:43 . 2011-12-15 06:22 638240 ----a-w- c:\program files\Internet Explorer\iexplore.exe

.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-07 00:15 . 2010-09-08 15:33 41184 ----a-w- c:\windows\avastSS.scr

2012-03-07 00:15 . 2010-09-08 15:33 201352 ----a-w- c:\windows\system32\aswBoot.exe

2012-03-07 00:03 . 2011-02-28 16:49 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2012-03-07 00:03 . 2010-09-08 15:34 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys

2012-03-07 00:02 . 2010-09-08 15:34 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2012-03-07 00:01 . 2010-09-08 15:34 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2012-03-07 00:01 . 2010-09-08 15:34 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys

2012-03-07 00:01 . 2010-09-08 15:34 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2012-02-23 08:18 . 2010-09-06 14:43 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-02-20 17:49 . 2011-02-04 10:09 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-02-20 17:44 . 2011-05-15 17:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-01-12 19:52 . 2012-02-17 09:42 2044416 ----a-w- c:\windows\system32\win32k.sys

2011-12-15 06:22 . 2012-02-17 09:43 916992 ----a-w- c:\windows\system32\wininet.dll

2012-02-20 17:42 . 2011-11-27 11:30 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2012-03-07 00:15 123536 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"Akamai NetSession Interface"="c:\users\tim\AppData\Local\Akamai\netsession_win.exe" [2012-02-02 3329824]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-17 845360]

"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-08-15 772616]

"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-24 206952]

"Skytel"="Skytel.exe" [2007-06-15 1826816]

"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]

"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]

"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]

"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-25 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-25 8433664]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-25 81920]

"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]

"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]

"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-12-18 73360]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]

.

c:\users\tim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2007 Schermopname en Snel starten.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

reminder-ScanSoft Product Registration.lnk - c:\program files\Caere\OmniPagePro90\EREG\REMIND32.EXE [N/A]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-7-27 535336]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]

.

--- Andere Services/Drivers In Geheugen ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

Akamai REG_MULTI_SZ Akamai

.

Inhoud van de 'Gedeelde Taken' map

.

2012-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-08 12:59]

.

2012-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-08 12:59]

.

------- Bijkomende Scan -------

.

uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1211186286&rver=4.5.2130.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&id=64855

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://nl.intl.acer.yahoo.com

uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*Yahoo! UK

IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 195.130.131.130 195.130.130.2

FF - ProfilePath - c:\users\tim\AppData\Roaming\Mozilla\Firefox\Profiles\nvqnh3l4.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.be/

FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100482

FF - user.js: extensions.BabylonToolbar_i.babExt -

FF - user.js: extensions.BabylonToolbar_i.srcExt - ss

FF - user.js: extensions.BabylonToolbar_i.id - 78e77161000000000000001b386f4c15

FF - user.js: extensions.BabylonToolbar_i.hardId - 78e77161000000000000001b386f4c15

FF - user.js: extensions.BabylonToolbar_i.instlDay - 15356

FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1712:18

FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon

FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar

FF - user.js: extensions.BabylonToolbar_i.aflt - babsst

FF - user.js: extensions.BabylonToolbar_i.smplGrp - none

FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9

FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

.

- - - - ORPHANS VERWIJDERD - - - -

.

WebBrowser-{91DA5E8A-3318-4F8C-B67E-5964DE3AB546} - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKCU-Run-Acer Tour Reminder - (no file)

HKCU-Run-AdobeBridge - (no file)

HKLM-Run-Acer Tour - (no file)

HKLM-Run-SetPanel - c:\acer\APanel\APanel.cmd

HKLM-Run-eRecoveryService - (no file)

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2012-03-07 13:52

Windows 6.0.6002 Service Pack 2 NTFS

.

scannen van verborgen processen ...

.

scannen van verborgen autostart items ...

.

scannen van verborgen bestanden ...

.

C:\avast! sandbox

.

Scan succesvol afgerond

verborgen bestanden: 1

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]

"ServiceDll"="c:\program files\common files\akamai/netsession_win_7de0ed9.dll"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]

"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"

.

--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Geladen Onder Lopende Processen ---------------------

.

- - - - - - - > 'lsass.exe'(752)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

- - - - - - - > 'Explorer.exe'(4448)

c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

.

------------------------ Andere Aktieve Processen ------------------------

.

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\CheckPoint\ZAForceField\IswSvc.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\acer\Mobility Center\MobilityService.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\program files\Microsoft Application Virtualization Client\sftvsa.exe

c:\windows\system32\DRIVERS\xaudio.exe

c:\program files\Microsoft Application Virtualization Client\sftlist.exe

c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe

c:\program files\Spybot - Search & Destroy\SDWinSec.exe

c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE

c:\windows\system32\conime.exe

c:\windows\RtHDVCpl.exe

c:\program files\Launch Manager\LManager.exe

c:\windows\System32\rundll32.exe

c:\windows\ehome\ehmsas.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\acer\Empowering Technology\eRecovery\ERAGENT.EXE

c:\windows\ehome\mcupdate.EXE

c:\windows\servicing\TrustedInstaller.exe

.

**************************************************************************

.

Voltooingstijd: 2012-03-07 14:05:14 - machine werd herstart

ComboFix-quarantined-files.txt 2012-03-07 13:04

.

Pre-Run: 11.180.621.824 bytes beschikbaar

Post-Run: 11.120.398.336 bytes beschikbaar

.

- - End Of File - - E6617407A406D809CA0A3DA72B208E95

kape · 7 maart 2012

Open een kladblokbestand.

Kopieer en plak daarin de onderstaande vetgedrukte tekst.

File::

c:\programdata\tmp

Firefox::

FF - ProfilePath - c:\users\tim\AppData\Roaming\Mozilla\Firefox\Profiles\nvqnh3l4.default\

FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=100482

FF - user.js: extensions.BabylonToolbar_i.babExt -

FF - user.js: extensions.BabylonToolbar_i.srcExt - ss

FF - user.js: extensions.BabylonToolbar_i.id - 78e77161000000000000001b386f4c15

FF - user.js: extensions.BabylonToolbar_i.hardId - 78e77161000000000000001b386f4c15

FF - user.js: extensions.BabylonToolbar_i.instlDay - 15356

FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17

FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1712:18

FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon

FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar

FF - user.js: extensions.BabylonToolbar_i.aflt - babsst

FF - user.js: extensions.BabylonToolbar_i.smplGrp - none

FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9

FF - user.js: extensions.BabylonToolbar_i.instlRef – sst

Sla dit bestand op je bureaublad op als CFScript.

Sleep CFScript.txt in ComboFix.exe

Dit zal ComboFix doen herstarten. Start opnieuw op als dat gevraagd wordt.

Post na herstart de inhoud van de Combofix.txt in je volgende bericht.

djiemmie · 8 maart 2012

hallo kape,

hierbij het logje

ComboFix 12-03-06.01 - tim 08/03/2012 12:47:02.2.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.32.1043.18.2046.859 [GMT 1:00]

Gestart vanuit: c:\users\tim\Desktop\ComboFix.exe

gebruikte Opdracht switches :: c:\users\tim\Desktop\CFScript.txt

AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}

FW: ZoneAlarm Free Firewall *Disabled* {E6380B7E-D4B2-19F1-083E-56486607704B}

SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

FILE ::

"c:\programdata\tmp"

.

(((((((((((((((((((( Bestanden Gemaakt van 2012-02-08 to 2012-03-08 ))))))))))))))))))))))))))))))

.

2012-03-08 11:57 . 2012-03-08 11:57 -------- d-----w- c:\users\Default\AppData\Local\temp