Trage PC

sdm · 13 maart 2012

Beste,

PC is op een paar dagen tijd heel traag geworden.

Diverse antivirussen gedraaid, één en ander verwijderd, hij blijft traag.

Kan u de HijackLog eens bekijken? Alvast bedankt.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 17:48:47, on 13/03/2012

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v9.00 (9.00.8112.16421)

Boot mode: Safe mode with network support

Running processes:

C:\Windows\Explorer.EXE

C:\Windows\system32\ctfmon.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

F:\drivers\Spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vdwalle.be/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, Messenger, nieuws en entertainment vind je op MSN.nl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = HP | MSN

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: 172.31.243.198 RB_TEMPO

O1 - Hosts: 212.79.93.10 my.nateus.nateusgroep.portima

O1 - Hosts: 212.79.93.10 pro.nateus.nateusgroep.portima

O1 - Hosts: 212.79.93.10 login.nateusgroep.portima

O1 - Hosts: 212.79.93.10 loans.nateus.nateusgroep.portima

O1 - Hosts: 212.79.94.52 fws.axa.be

O1 - Hosts: 212.79.94.41 www.fe.axa.be

O1 - Hosts: 212.79.93.10 my.audi.nateusgroep.portima

O1 - Hosts: 212.79.93.10 pro.audi.nateusgroep.portima

O1 - Hosts: 212.79.94.193 Webfs2.agf.be

O1 - Hosts: 212.79.94.194 hydrafs2.agf.be

O1 - Hosts: 212.79.93.10 pro.nateus.be

O1 - Hosts: 212.79.93.10 login.nateus.be

O1 - Hosts: 212.79.94.41 www.front-office.rp.axa.portima

O1 - Hosts: 212.79.94.41 www.front-office.axa.be

O1 - Hosts: 212.79.94.41 www.phoenixiard.rp.axa.portima

O1 - Hosts: 212.79.94.36 www.efl.axa.be

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\RunOnce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript

O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\Windows\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f

O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN

O4 - HKCU\..\Run: [Express ClickYes] C:\Program Files\Express ClickYes\ClickYes.exe

O4 - HKCU\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [ASP] "C:\ProgramData\f5730f\AntivirusSP.exe" /s

O4 - Global Startup: ASWeb.lnk = C:\AnetLP\Assurnet\AsWeb\AsWebNotifier.exe

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O15 - Trusted Zone: http://www.agf.assurnet

O15 - Trusted Zone: http://www.agf2.assurnet

O15 - Trusted Zone: http://*.aginsurance.portima

O15 - Trusted Zone: http://*.allianz.assurnet

O15 - Trusted Zone: http://www.allianz2.assurnet

O15 - Trusted Zone: http://*.allianz2.assurnet

O15 - Trusted Zone: http://*.aragb2b.be

O15 - Trusted Zone: http://*.avero.be

O15 - Trusted Zone: http://*.axa.be

O15 - Trusted Zone: http://*.axa.portima

O15 - Trusted Zone: http://demo.brio.be

O15 - Trusted Zone: http://*.brio.be

O15 - Trusted Zone: http://*.brioplus.be

O15 - Trusted Zone: http://*.das.be

O15 - Trusted Zone: http://*.feprabel.be

O15 - Trusted Zone: http://*.fortisag.assurnet

O15 - Trusted Zone: http://*.foyer.lu

O15 - Trusted Zone: http://*.nateus.be

O15 - Trusted Zone: http://*.nateusgroep.portima

O15 - Trusted Zone: http://*.port-e-key.be

O15 - Trusted Zone: http://*.portigate.be

O15 - Trusted Zone: http://briotraining.portima.be

O15 - Trusted Zone: http://*.portima.be

O15 - Trusted Zone: http://*.portima.com

O15 - Trusted Zone: http://www.prolinknet.assurnet

O15 - Trusted Zone: http://*.vivium.be

O15 - Trusted Zone: http://*.vivium.portima

O15 - Trusted Zone: http://*.mcafee.com (HKLM)

O15 - Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)

O15 - Trusted Zone: http://vs.mcafeeasap.com (HKLM)

O15 - Trusted Zone: http://www.mcafeeasap.com (HKLM)

O15 - ESC Trusted Zone: http://*.mcafee.com (HKLM)

O15 - ESC Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)

O15 - ESC Trusted Zone: http://vs.mcafeeasap.com (HKLM)

O15 - ESC Trusted Zone: http://www.mcafeeasap.com (HKLM)

O16 - DPF: Mercator.Portal.CA.Client.CAB - https://registratie.mercator.be/Mercator.Portal.CA.Client.CAB

O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://srvvdw.vandewalle.local:4343/officescan/console/ClientInstall/WinNTChk.cab

O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://srvvdw.vandewalle.local:4343/officescan/console/ClientInstall/setup.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Vandewalle.local

O17 - HKLM\Software\..\Telephony: DomainName = Vandewalle.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Vandewalle.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Vandewalle.local

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: Portima Middleware Server Engine ASWeb (PortimaMiddlewareServerEngineASWeb) - GamConsult - C:\AnetLP\Assurnet\AW_Common\portima.middleware.server.engine.exe

O23 - Service: Portima Middleware Server Engine AuthProxy (PortimaMiddlewareServerEngineAuthProxy) - GamConsult - C:\AnetLP\Assurnet\AW_Common\portima.middleware.server.engine.exe

O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe

O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe

O23 - Service: Trend Micro Client/Server Security Agent Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe

O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--

End of file - 9101 bytes

kweezie wabbit · 14 maart 2012

Start Hijackthis op. Klik met de rechter muisknop op de icoon en kies dan voor “Run as administrator" of "Uitvoeren als administrator".

Selecteer “Do a system scan only”.

Vink alleen de items aan die hieronder zijn genoemd:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)

O4 - HKLM\..\RunOnce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq

Klik op 'Fix checked' om de items te verwijderen.

Download MVPS Hosts.

Unzip het programma naar een door u bepaalde locatie.

Klik op mvps.bat en kies voor “uitvoeren” om mvps.bat op te starten (*).

Druk op toets om door te gaan.

Van het bestaande bestand HOSTS op de standaardlocatie C:\windows\system32\drivers\etc wordt een backup gemaakt met de naam HOSTS.MVP

Dan wordt het bestand vervangen door de actuele MVPS Hosts-versie.

(*) Windows Vista en Windows 7 gebruikers moeten rechtsklikken op mvps.bat en kiezen voor ”uitvoeren als administrator” om mvps.bat op te starten.

Download MBAM (Malwarebytes Anti-Malware)

Dubbelklik op mbam-setup.exe om het programma te installeren.

Zorg ervoor dat er een vinkje geplaatst is voor Update Malwarebytes' Anti-Malware en Start Malwarebytes' Anti-Malware, Klik daarna op "Voltooien".

Indien een update gevonden werd, zal die gedownload en geïnstalleerd worden.

Wanneer het programma volledig up to date is, selecteer dan in het tabblad Scanner : "Snelle Scan", daarna klik op Scan.

Het scannen kan een tijdje duren, dus wees geduldig.

Wanneer de scan voltooid is, klik op OK, daarna "Bekijk Resultaten" om de resultaten te zien.

Zorg ervoor dat daar alles aangevinkt is, daarna klik op: Verwijder geselecteerde.

Na het verwijderen zal een log openen en zal er gevraagd worden om de computer opnieuw op te starten. (Zie verder).

Indien er de rootkit (TDSS) aanwezig is, zal MBAM vragen te herstarten. Doe dit dan ook.

MBAM zal na de herstart opnieuw scannen en de rootkit verwijderen.

Het log wordt automatisch bewaard door MBAM en kan je terugvinden door op de "Logs" tab te klikken in het programma.

Indien MBAM moeilijkheden heeft met het verwijderen van bepaalde bestanden zal het enkele meldingen geven waar je OK moet klikken. Daarna zal het vragen om de computer opnieuw op te starten... Dus sta toe dat MBAM de computer opnieuw opstart.

Plak de inhoud van het logje in je volgende bericht, samen met een nieuw HijackThis log.

sdm · 14 maart 2012

Beste,

PC krijg ik eigenlijk alleen nog deftig (naar snelheid toe) opgestart in veilige modus.

Hierbij de gevraagde logs.

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.07.07

Windows 7 Service Pack 1 x86 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

annick :: VDW-WIN7-2 [limited]

14/03/2012 13:41:18

mbam-log-2012-03-14 (13-41-18).txt

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 140469

Time elapsed: 1 minute(s), 56 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 16

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|0 (Security.Hijack) -> Data: msseces.exe -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|1 (Security.Hijack) -> Data: MSASCui.exe -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|2 (Security.Hijack) -> Data: ekrn.exe -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|3 (Security.Hijack) -> Data: egui.exe -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|4 (Security.Hijack) -> Data: avgnt.exe -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|5 (Security.Hijack) -> Data: avcenter.exe -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|6 (Security.Hijack) -> Data: avscan.exe -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|7 (Security.Hijack) -> Data: avgfrw.exe -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|8 (Security.Hijack) -> Data: avgui.exe -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|9 (Security.Hijack) -> Data: avgtray.exe -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|10 (Security.Hijack) -> Data: avgscanx.exe -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|11 (Security.Hijack) -> Data: avgcfgex.exe -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|12 (Security.Hijack) -> Data: avgemc.exe -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|13 (Security.Hijack) -> Data: avgchsvx.exe -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|14 (Security.Hijack) -> Data: avgcmgr.exe -> Delete on reboot.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|15 (Security.Hijack) -> Data: avgwdsvc.exe -> Delete on reboot.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 13:52:39, on 14/03/2012

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v9.00 (9.00.8112.16421)

Boot mode: Safe mode with network support

Running processes:

C:\Windows\Explorer.EXE

C:\Windows\system32\ctfmon.exe

C:\Windows\helppane.exe