
Blocked by ransomware / Police virus



Hello,

My computer has been locked by a police virus/ransomware.

I have already read a few things about similar cases, but there seem to be some differences. Can someone help me?

The computer is off (forced) but I haven't restarted it in safe mode yet.

(screenshot attached: post-43313-1417705395,8292_thumb.jpg)

Thanks in advance


Hi reva,

welcome to PCH!

Download "HitmanPro" via the link below, for example to the desktop of a computer that is not infected

Click here to consult the full manual

Click here for the manual on running HitmanPro.Kickstart from a boot CD

  • Download HitmanPro (choose the 32 or 64 bit version here).
  • HitmanPro (32bit)
  • HitmanPro (64bit)
  • Double-click HitmanPro36.exe or HitmanPro36_64.exe to start the program.
  • On the start screen, click the "Kickstart button" as shown in the red frame below.
    (screenshot: hmpks-a.jpg)
  • If a USB stick is already connected, HitmanPro Kickstart will detect it automatically and show it.
  • Click this USB stick once, after which you get the option to install Kickstart on the USB stick.
  • Before HitmanPro.Kickstart is installed, the USB stick is reformatted.
  • Warning! Reformatting destroys all data stored on the USB stick.
  • Once the HitmanPro Kickstart USB stick has been created, it is automatically "safely removed" from the system on which it was created.
  • Boot the infected computer from the HitmanPro.Kickstart USB stick. (How to boot the computer from a USB stick is explained here)
  • Tick the option "I accept the terms of the licence agreement" and click "Next"
  • In the setup screen click "Next" once more; the scan will now start automatically. Do nothing else on the computer until the scan has finished.
  • When the scan is finished, click "Next"
  • Now activate the free licence; this lets you use HitmanPro free of charge for 30 days and remove the infections found.
  • Note: if you have already used the 30-day trial version of HitmanPro before, it is no longer possible to remove the infections found for free.
  • When removal is complete, click "Save log" at the bottom of the screen and save it, for example, to the desktop.
    Post this log.
  • Now click the "Restart" button.


Hello Jion,

Thanks for the quick reply.

Here is the log:

HitmanPro 3.7.3.194

www.hitmanpro.com

Computer name . . . . : ALPITEC-PC

Windows . . . . . . . : 6.1.1.7601.X86/2

User name . . . . . . : NT AUTHORITY\SYSTEM

UAC . . . . . . . . . : Disabled

License . . . . . . . : Trial (30 days left)

Scan date . . . . . . : 2013-04-25 14:12:21

Scan mode . . . . . . : Normal

Scan duration . . . . : 3m 55s

Disk access mode . . : Direct disk access (SRB)

Cloud . . . . . . . . : Internet

Reboot . . . . . . . : Yes

Threats . . . . . . . : 2

Traces . . . . . . . : 5

Objects scanned . . . : 1.581.034

Files scanned . . . . : 14.848

Remnants scanned . . : 325.049 files / 1.241.137 keys

Malware _____________________________________________________________________

C:\Users\Alpitec\AppData\Roaming\AltShell.dat -> Quarantined

Size . . . . . . . : 45.056 bytes

Age . . . . . . . : 0.1 days (2013-04-25 11:18:03)

Entropy . . . . . : 7.3

SHA-256 . . . . . : 4463FC32685BCAC43AD56E9AD130A9DF682DF96F2A78A197233A7BFB6AC3BE00

Parent Name . . . : C:\Windows\System32\userinit.exe

Running processes : 2188

> HitmanPro . . . . : Win32/Ransomware.Behavior

Fuzzy . . . . . . : 64.0

Substitutes Explorer.exe as the default shell. Malware tends to start this way.

This file was most recently added as automatic startup.

The file name extension of this program is not common.

Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.

Program is running but currently exposes no human-computer interface (GUI).

Authors name is missing in version info. This is not common to most programs.

Version control is missing. This file is probably created by an individual. This is not typical for most programs.

Program starts automatically without user intervention.

Time indicates that the file appeared recently on this computer.

The file is in use by one or more active processes.

Startup

HKU\S-1-5-21-3062237543-739346878-37038767-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

References

C:\Users\Alpitec\AppData\Roaming\AltShell.ini

Forensic Cluster

0.0s C:\Users\Alpitec\AppData\Roaming\AltShell.dat

0.6s C:\Users\Alpitec\AppData\Roaming\AltShell.ini

3.1s C:\Users\Alpitec\AppData\Local\Temp\a-squared.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\adaware.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\arcavir.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\av_noav.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\avast.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\avg.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\avira.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\bitdefender.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\clamwin.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\comodo.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\drweb.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\error.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ewido.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\f-prot.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\f-secure.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\gdata.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\header.jpg

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_1.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_2.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_2_1.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_2_10.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_2_2.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_2_3.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_2_4.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_2_5.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_2_6.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_2_7.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_2_8.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_2_9.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_3_1.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_3_2.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_3_3.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_3_4.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_3_5.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_3_6.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\ic_5_1.jpg

3.1s C:\Users\Alpitec\AppData\Local\Temp\ikarus.png

3.1s C:\Users\Alpitec\AppData\Local\Temp\index.html

3.2s C:\Users\Alpitec\AppData\Local\Temp\kaspersky.png

3.2s C:\Users\Alpitec\AppData\Local\Temp\mcafee.png

3.2s C:\Users\Alpitec\AppData\Local\Temp\me_error.png

3.2s C:\Users\Alpitec\AppData\Local\Temp\me_notice.png

3.2s C:\Users\Alpitec\AppData\Local\Temp\mse.png

3.2s C:\Users\Alpitec\AppData\Local\Temp\nod32.png

3.2s C:\Users\Alpitec\AppData\Local\Temp\norton.png

3.2s C:\Users\Alpitec\AppData\Local\Temp\nosignal.jpg

3.2s C:\Users\Alpitec\AppData\Local\Temp\notice.png

3.2s C:\Users\Alpitec\AppData\Local\Temp\onecare.png

3.2s C:\Users\Alpitec\AppData\Local\Temp\outpost.png

3.2s C:\Users\Alpitec\AppData\Local\Temp\panda.png

3.2s C:\Users\Alpitec\AppData\Local\Temp\sophos.png

3.2s C:\Users\Alpitec\AppData\Local\Temp\style.css

3.2s C:\Users\Alpitec\AppData\Local\Temp\trendmicro.png

3.2s C:\Users\Alpitec\AppData\Local\Temp\vba.png

3.2s C:\Users\Alpitec\AppData\Local\Temp\vexira.png

3.2s C:\Users\Alpitec\AppData\Local\Temp\zonealarm.png

4.1s C:\Users\Alpitec\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012013042520130426\

4.1s C:\Users\Alpitec\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012013042520130426\index.dat

C:\Windows\system32\.exe -> Quarantined

Size . . . . . . . : 39.558 bytes

Age . . . . . . . : 606.6 days (2011-08-27 22:41:56)

Entropy . . . . . : 6.8

SHA-256 . . . . . : ECBE0AFA6BBBBF0F0E5FFF12081E9020C61571A6291605A6BD0C179288A550D5

Needs elevation . : Yes

> Emsisoft . . . . . : Malware.Win32.AMN!A2

> G Data . . . . . . : Trojan.Generic.6579245 (Engine A)

Fuzzy . . . . . . : 108.0

Is it now completely resolved?

Thanks for the help!

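A defender's way to make a report like the one above machine-checkable, as an added example that is not part of this thread and not HitmanPro's own code: a small Python parser for that report format which turns each quarantined file into a record and flags any file registered under the Winlogon Shell value, which is how this infection replaced Explorer.exe as the shell (the Userinit check is an assumption added here; the sample report is constructed from the posted log).

```python
"""Triage helper for HitmanPro-style scan reports.

Added example, not HitmanPro's own code: it parses the 'Malware' section into one
Finding per quarantined file and flags those registered under the Winlogon Shell
value (or Userinit, assumed here as the sibling value), which is how the ransomware
above replaced Explorer.exe as the default shell.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, reduced from the report posted in this thread.
SAMPLE_REPORT = r"""
HitmanPro 3.7.3.194
Threats . . . . . . . : 2

Malware _____________________________________________________________________
   C:\Users\Alpitec\AppData\Roaming\AltShell.dat -> Quarantined
      Size . . . . . . . : 45.056 bytes
      Entropy . . . . . : 7.3
      SHA-256 . . . . . : 4463FC32685BCAC43AD56E9AD130A9DF682DF96F2A78A197233A7BFB6AC3BE00
      Parent Name . . . : C:\Windows\System32\userinit.exe
      > HitmanPro . . . . : Win32/Ransomware.Behavior
      Substitutes Explorer.exe as the default shell. Malware tends to start this way.
      Startup
         HKU\S-1-5-21-3062237543-739346878-37038767-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
   C:\Windows\system32\.exe -> Quarantined
      Size . . . . . . . : 39.558 bytes
      Entropy . . . . . : 6.8
      SHA-256 . . . . . : ECBE0AFA6BBBBF0F0E5FFF12081E9020C61571A6291605A6BD0C179288A550D5
      > Emsisoft . . . . . : Malware.Win32.AMN!A2
      > G Data . . . . . . : Trojan.Generic.6579245 (Engine A)
"""

# "<path> -> Quarantined" opens a finding; "> Engine . . : name" is a detection;
# "Key . . . : value" is a property; a bare section name introduces a path list.
FINDING_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+->\s+(?P<action>\w+)$")
DETECT_RE = re.compile(r"^>\s*(?P<engine>[A-Za-z][A-Za-z0-9 ]*?)\s*(?:\.\s*)*\s+:\s*(?P<name>.+)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9 -]*?)\s*(?:\.\s*)*\s+:\s*(?P<value>.*)$")
SECTIONS = ("Startup", "References", "Forensic Cluster")
WINLOGON_VALUES = ("\\winlogon\\shell", "\\winlogon\\userinit")


@dataclass
class Finding:
    path: str
    action: str
    fields: dict = field(default_factory=dict)      # "SHA-256" -> hash, "Entropy" -> "7.3", ...
    detections: list = field(default_factory=list)  # (engine, detection name)
    sections: dict = field(default_factory=dict)    # "Startup" -> [registry values], ...
    notes: list = field(default_factory=list)       # free-text behaviour remarks


def parse_report(text):
    """Return (header_fields, findings) for a HitmanPro-style report."""
    header, findings = {}, []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FINDING_RE.match(line)
        if m:
            current = Finding(m["path"], m["action"])
            findings.append(current)
            section = None
            continue
        m = FIELD_RE.match(line)
        if m:  # report-level property before the first finding, else per-file property
            (header if current is None else current.fields)[m["key"]] = m["value"].strip()
            continue
        if current is None:
            continue
        if line in SECTIONS:
            section = line
            continue
        m = DETECT_RE.match(line)
        if m:
            current.detections.append((m["engine"], m["name"].strip()))
            continue
        if section:  # path lines under Startup / References / Forensic Cluster
            current.sections.setdefault(section, []).append(line)
        else:
            current.notes.append(line)
    return header, findings


def shell_hijacks(findings):
    """(finding, registry value) pairs for files registered as the Winlogon shell or userinit;
    a clean Shell value is explorer.exe, so a quarantined file there ran instead of the desktop."""
    return [(f, key) for f in findings
            for key in f.sections.get("Startup", [])
            if key.lower().endswith(WINLOGON_VALUES)]
```

Running `parse_report` over a full report also collects the "Forensic Cluster" paths (the files written seconds after the dropper), which is the list to check for leftovers after cleanup.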

That was the first good step, now the next one.

Download zoek.exe to the desktop.

  • Disable your antivirus and antispyware programs; they may conflict with zoek.exe
    (here or here) you can read how to do that.
  • Double-click Zoek.exe to start the tool.
  • Now copy the code below and paste it into the large input box:
  • Note: This script is intended specifically for this PC, so do not use it on other PCs with a similar problem.
    startupall;
    filesrcm;
    emptyclsid;
    autoclean;
    shortcutfix;
    iedefaults;
  • Then click the "Run script" button.
  • Now wait patiently until a log opens (this may be after a restart, if one is required).
  • If no log appears after the restart, start zoek.exe again; the log will then appear anyway.
  • Now post the contents of the opened log in your next message.


Resulting log:

Zoek.exe Version 4.0.0.2 Updated 23-04-2013

Tool run by Alpitec on do 25-04-2013 at 16:52:30,15.

Microsoft Windows 7 Home Premium 6.1.7601 Service Pack 1 x86

Running in: Normal Mode Internet Access Detected

==== Creating Sample_25-04-2013_1654.zip ======================

Copied file C:\Users\Alpitec\7295175.exe to sample

Copied file C:\Users\Alpitec\8213399.exe to sample

sample\7295175.exe renamed to C4956DECEAEE9945A98D55B329FFEDEA

sample\8213399.exe renamed to C4956DECEAEE9945A98D55B329FFEDEA

C:\Users\Public\Desktop\sample_25-04-2013_1654.zip created successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-3062237543-739346878-37038767-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9999A076-A9E2-4C99-8A2B-632FC9429223} deleted successfully

==== Deleting CLSID Registry Values ======================

==== Deleting Files \ Folders ======================

"C:\Users\Alpitec\7295175.exe" deleted

"C:\Users\Alpitec\8213399.exe" deleted

==== Files Recently Created / Modified ======================

====== C:\Windows ====

====== C:\Users\Alpitec\AppData\Local\Temp ====

====== C:\Windows\system32 =====

2013-04-25 14:02:46 D98766E896871A5F47A6A7056CFFD179 140200 ---ha-w- C:\Windows\System32\mlfcache.dat

2013-04-25 13:42:07 D0F47BFDDE810912F65E079B5956D6C7 94112 ----a-w- C:\Windows\System32\WindowsAccessBridge.dll

2013-04-25 12:23:53 CA1D2DD8785327AA6E658ED665AB2A7E 810 ----a-w- C:\Windows\System32\.crusader

2013-04-25 12:23:53 5614386D4CFDF9E56F355C45BEEBC976 12872 ----a-w- C:\Windows\System32\bootdelete.exe

====== C:\Windows\system32\drivers =====

2013-04-24 06:54:37 5E43D2B0EE64123D4880DFA6626DEFDE 1211752 ----a-w- C:\Windows\System32\drivers\ntfs.sys

2013-04-11 01:18:40 1647C720358DCC98ACF51E597C461C4D 302368 ----a-w- C:\Windows\System32\drivers\avgtdix.sys

2013-04-10 12:58:27 E306A24D9694C724FA2491278BF50FDB 196328 ----a-w- C:\Windows\System32\drivers\fvevol.sys

====== C:\Windows\Tasks ======

2013-04-25 13:45:48 7AEB4E4F143E29768A85893B7D2195E3 940 ----a-w- C:\Windows\Tasks\Adobe Flash Player Updater.job

====== C:\Windows\Temp ======

======= C:\Program Files =====

2013-04-25 14:11:43 -------- d-----w- C:\Program Files\Mozilla Maintenance Service

2013-04-25 13:55:54 -------- d-----w- C:\Program Files\Bonjour

2013-04-25 13:54:22 -------- d-----w- C:\Program Files\QuickTime

2013-04-25 13:48:07 -------- d-----w- C:\Program Files\Secunia

2013-04-25 12:12:06 -------- d-----w- C:\Program Files\HitmanPro

======= C: =====

====== C:\Users\Alpitec\AppData\Roaming ======

2013-04-25 14:11:51 -------- d-----w- C:\users\Alpitec\AppData\Roaming\Mozilla

2013-04-25 14:11:51 -------- d-----w- C:\users\Alpitec\AppData\Local\Mozilla

2013-04-25 13:48:15 -------- d-----w- C:\users\Alpitec\AppData\Local\Secunia PSI

====== C:\Users\Alpitec ======

2013-04-25 14:11:44 -------- d-----w- C:\ProgramData\Mozilla

2013-04-25 13:54:31 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime

2013-04-25 12:12:06 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro

2013-04-25 12:10:44 -------- d-----w- C:\ProgramData\HitmanPro

2013-04-16 14:26:16 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG

2013-03-28 08:32:35 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth

====== C: exe-files ==

2013-04-25 14:27:22 846AD66CBD2CE60B7A0F16CA3FFCC254 78333952 ----a-w- C:\Program Files\Secunia\PSI\SUA\5c1fe18a4d235a338af9372b647cfcd738b0c260\iTunes_10.7_32-bit_SPS.exe

2013-04-25 14:26:58 846AD66CBD2CE60B7A0F16CA3FFCC254 78333952 ----a-w- C:\Windows\Temp\Secunia PSI Agent\iTunes_10.7_32-bit_SPS.exe

2013-04-25 14:11:46 ACB7A097779ADEBD53CD8155BFEEF522 105964 ----a-w- C:\Program Files\Mozilla Maintenance Service\Uninstall.exe

2013-04-25 14:11:44 7EDBBB9351A38C6BB0FE98CFD44DB430 115608 ----a-w- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

2013-04-25 13:55:31 F64ED2E0CF4F82F5F8CCEEBCD6B828FC 103272 ----a-w- C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe

2013-04-25 13:55:31 3ECAC6384B793F4E73C71C822581EE63 54632 ----a-w- C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\airappinstaller.exe

2013-04-25 13:55:31 3ECAC6384B793F4E73C71C822581EE63 54632 ----a-w- C:\Program Files\Adobe\Flash Player\AddIns\airappinstaller\airappinstaller.exe

2013-04-25 13:55:31 2842F93E0B8EEE31CCC29C44BBE131B1 130408 ----a-w- C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe

2013-04-25 13:55:31 004E16C7DCA3FB38896478DDCC4F00F0 59392 ----a-w- C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\template.exe

2013-04-25 13:52:31 D572C48968E5F32C6DC895DE24F408D2 38501744 ----a-w- C:\Users\Alpitec\AppData\Local\Temp\60377607-a0fb-49b0-adba-9c435df33687\SafariSetup.exe

2013-04-25 13:52:09 086A13FDE91C3C53BC34073C0FE63456 40437664 ----a-w- C:\Users\Alpitec\AppData\Local\Temp\60377607-a0fb-49b0-adba-9c43232324\QuickTimeInstaller.exe

2013-04-25 13:48:10 DB53DC35AACA5116211C7FBD28FC939E 481003 ----a-w- C:\Program Files\Secunia\PSI\Uninstall.exe

2013-04-25 13:44:39 2E671F9D2193DFFE5F0AFEFC47840BC1 2138352 ----a-w- C:\Users\Alpitec\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U9738191\install_flashplayer11x32ax_gtbd_chrd_dn_aih[1].exe

2013-04-25 12:23:53 5614386D4CFDF9E56F355C45BEEBC976 12872 ----a-w- C:\Windows\System32\bootdelete.exe

2013-04-25 12:12:11 E3E45EBFEFA50F14ECD6559BD0FC1F7C 106280 ----a-w- C:\Program Files\HitmanPro\hmpsched.exe

2013-04-25 12:12:06 FAEC969501113433B3F38891F3B77A26 9097384 ----a-w- C:\Program Files\HitmanPro\HitmanPro.exe

=== C: other files ==

2013-04-25 14:54:40 F004C1CDF62F0C129C57973927322FD3 36936 ----a-w- C:\Users\Public\Desktop\sample_25-04-2013_1654.zip

2013-04-25 14:23:04 A018EFB1FE0F722FF307382791BF3C98 532430 ----a-w- C:\Users\Alpitec\AppData\Roaming\Mozilla\Firefox\Profiles\dwsiodp4.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

2013-04-25 14:21:18 07607A3CB349EECCFC7768B5F4F2AAAE 817280 ----a-w- C:\Users\Alpitec\AppData\Roaming\Mozilla\Firefox\Profiles\dwsiodp4.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

2013-04-25 09:14:55 75DCE91C26CF5FB554407ED03CCC73C7 26616 ----a-w- C:\Users\Alpitec\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U9738191\jw-lite-black[1].zip

2013-04-24 06:54:37 5E43D2B0EE64123D4880DFA6626DEFDE 1211752 ----a-w- C:\Windows\System32\drivers\ntfs.sys

==== Startup Registry Enabled ======================

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="%ProgramFiles%\Windows\Sidebar.exe /autoRun"

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="%ProgramFiles%\Windows\Sidebar.exe /autoRun"

[HKEY_USERS\S-1-5-21-3062237543-739346878-37038767-1000\Software\Microsoft\Windows\CurrentVersion\Run]

"RESTART_STICKY_NOTES"="C:\Windows\System32\StikyNot.exe"

"Run-OSByPetzl"="C:\Program Files\Petzl\OSByPetzl\WinPetzlController.exe"

"BrowserChoice"="C:\Windows\System32\browserchoice.exe /run"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SPReview"="C:\Windows\System32\SPReview\SPReview.exe /sp:1 /errorfwlink:Troubleshoot problems installing Service Pack 1 (SP1) for Windows 7 and Windows Server 2008 R2 /build:7601"

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"mctadmin"="C:\Windows\System32\mctadmin.exe"

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"mctadmin"="C:\Windows\System32\mctadmin.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SPReview"="C:\Windows\System32\SPReview\SPReview.exe /sp:1 /errorfwlink:Troubleshoot problems installing Service Pack 1 (SP1) for Windows 7 and Windows Server 2008 R2 /build:7601"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

"IgfxTray"="C:\Windows\system32\igfxtray.exe"

"HotKeysCmds"="C:\Windows\system32\hkcmd.exe"

"Persistence"="C:\Windows\system32\igfxpers.exe"

"AVG_TRAY"="C:\Program Files\AVG\AVG2012\avgtray.exe"

"APSDaemon"="C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"

"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe"

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe -atboottime"

"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"RESTART_STICKY_NOTES"="C:\Windows\System32\StikyNot.exe"

"Run-OSByPetzl"="C:\Program Files\Petzl\OSByPetzl\WinPetzlController.exe"

"BrowserChoice"="C:\Windows\System32\browserchoice.exe /run"

==== Startup Registry Disabled ======================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LosAlamos]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="LosAlamos"

"hkey"="HKCU"

"command"="rundll32.exe C:\\Windows\\system32\\sshnas21.dll,AttachConsoleA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TOY5KNQ8OC]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="TOY5KNQ8OC"

"hkey"="HKCU"

"command"="C:\\Users\\Alpitec\\AppData\\Local\\Temp\\Oh1.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-]

"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"SunJavaUpdateSched"="\"C:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe\""

"Adobe ARM"="\"C:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe\""

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"

==== Startup Folders ======================

2010-03-08 21:54:55 1276 ----a-w- C:\users\Alpitec\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Schermopname en Snel starten.lnk

2013-04-25 13:48:09 1060 ----a-w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk

==== Task Scheduler Jobs ======================

C:\Windows\tasks\Adobe Flash Player Updater.job --a------ C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [25-04-2013 15:45]

C:\Windows\tasks\GoogleUpdateTaskMachineCore.job --a------ C:\Program Files\Google\Update\GoogleUpdate.exe [18-06-2012 11:34]

C:\Windows\tasks\GoogleUpdateTaskMachineUA.job --a------ C:\Program Files\Google\Update\GoogleUpdate.exe [18-06-2012 11:34]

==== Firefox Extensions ======================

ProfilePath: C:\Users\Alpitec\AppData\Roaming\Mozilla\Firefox\Profiles\dwsiodp4.default

- NoScript - %ProfilePath%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

AppDir: C:\Program Files\Mozilla Firefox

- Default - %AppDir%\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\Alpitec\AppData\Roaming\Mozilla\Firefox\Profiles\dwsiodp4.default

AF87C7A3D391F5F5534167546D7DDE30 - C:\Program Files\QuickTime\Plugins\npqtplugin7.dll - QuickTime Plug-in 7.7.3

2034E977759F4EB2226914BFC58F2758 - C:\Program Files\QuickTime\Plugins\npqtplugin6.dll - QuickTime Plug-in 7.7.3

B14417814FCA3A5D4AB170E1823D5484 - C:\Program Files\QuickTime\Plugins\npqtplugin5.dll - QuickTime Plug-in 7.7.3

3EFF190EC0E333DFBD2F5499858044B6 - C:\Program Files\QuickTime\Plugins\npqtplugin4.dll - QuickTime Plug-in 7.7.3

C4EB1B18B39BD2F76A64F75D01DEAB61 - C:\Program Files\QuickTime\Plugins\npqtplugin3.dll - QuickTime Plug-in 7.7.3

45CC6EFE643FCB97D986BBE2D21E2491 - C:\Program Files\QuickTime\Plugins\npqtplugin2.dll - QuickTime Plug-in 7.7.3

9FCA15CC38F2E2C6F5E722ED0E1A9E7A - C:\Program Files\QuickTime\Plugins\npqtplugin.dll - QuickTime Plug-in 7.7.3

8F24103AB984847AA2939F58F19CCC98 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll - Java Platform SE 7 U21

ADC539F67D3198679F480974EE203678 - C:\Windows\system32\npDeployJava1.dll - Java Deployment Toolkit 7.0.210.11

66640A55AEFF3819C94E0A8D40D7E0AD - C:\Windows\system32\Adobe\Director\np32dsw_1202122.dll - Shockwave for Director / Shockwave for Director

E971E06DDE68684CB3957C5D0E133CB0 - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll - Google Earth Plugin

E0FF893763BA82BAABB869A351F0C455 - C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll - Google Update

A5C14075B571AF1C9592595BE724D9D2 - C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll - Silverlight Plug-In

69505F9C479C4FF95621C3E1A7B6E5CE - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll - Adobe Acrobat

D1CC5365F151777DF447242E476796BA - C:\Program Files\Adobe\Reader 10.0\Reader\browser\nppdf32.dll - Adobe Acrobat

A82533DA1C7AFCE542B8E0D2714B8A4A - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll - iTunes Application Detector

09B4E13D25623D879D35286E2D29FF13 - C:\Users\Alpitec\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll - Unity Player

15E298B5EC5B89C5994A59863969D9FF - C:\Windows\system32\npmproxy.dll - Microsoft® Windows® Operating System

2AA3703D87E1327A2290C9D416D89A28 - C:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrlui.dll - Microsoft® Silverlight

==== Chrome Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions

jmfkcklnlgedgbglfkkgedjfmejoahla - C:\Program Files\AVG\AVG2012\Chrome\safesearch.crx[26-07-2012 03:23]

ndibdjnfmopecpmkdieinmbadjfpblof - C:\Program Files\AVG\AVG2012\Chrome\donottrack.crx[20-04-2012 06:18]

==== Set IE to Default ======================

Old Values:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

"Start Page"="Bing"

New Values:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

"Start Page"="Bing"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes

"DefaultScope"="{B6C5B686-03C4-4754-8BB3-31735A51DD89}"

{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="{searchTerms} - Bing"

{6A1806CD-94D4-4689-BA73-E35EA1EA9990} Google Url="{searchTerms} - Google Search}"

{B6C5B686-03C4-4754-8BB3-31735A51DD89} Google Url="{searchTerms - Google zoeken}"

==== Deleting CLSID Registry Keys ======================

==== Deleting CLSID Registry Values ======================

==== shortcuts on All Users Desktop ======================

C:\Users\Public\Desktop\AVG 2012.lnk - C:\Program Files\AVG\AVG2012\avgui.exe

C:\Users\Public\Desktop\Google Earth.lnk - C:\Program Files\Google\Google Earth\client\googleearth.exe

C:\Users\Public\Desktop\HitmanPro.lnk - C:\Program Files\HitmanPro\HitmanPro.exe

C:\Users\Public\Desktop\Mozilla Firefox.lnk - C:\Program Files\Mozilla Firefox\firefox.exe

C:\Users\Public\Desktop\Safari.lnk - C:\Windows\Installer\{A08BAD08-9AA3-410F-98F3-C92C8EE37218}\SafariIco.exe

==== shortcuts in All Users Start Menu ======================

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X .lnk - C:\Windows\Installer\{AC76BA86-7AD7-1043-7B44-AA1000000001}\SC_Reader.ico

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk - C:\Program Files\Mozilla Firefox\firefox.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Safari.lnk - C:\Windows\Installer\{A08BAD08-9AA3-410F-98F3-C92C8EE37218}\SafariIco.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Secunia PSI.lnk - C:\Program Files\Secunia\PSI\psi.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG\AVG 2012.lnk - C:\Program Files\AVG\AVG2012\avgui.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth\Google Earth starten in DirectX-modus.lnk - C:\Program Files\Google\Google Earth\client\googleearth.exe -setDX

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth\Google Earth starten in OpenGL-modus.lnk - C:\Program Files\Google\Google Earth\client\googleearth.exe -setOGL

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth\Google Earth verwijderen.lnk - C:\Windows\System32\msiexec.exe /x {468D22C0-8080-11E2-B86E-B8AC6F98CCE3}

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth\Google Earth.lnk - C:\Program Files\Google\Google Earth\client\googleearth.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro\HitmanPro.lnk - C:\Program Files\HitmanPro\HitmanPro.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro\Verwijder HitmanPro 3.7.lnk - C:\Program Files\HitmanPro\HitmanPro.exe /uninstall

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime\Over QuickTime.lnk - C:\Windows\Installer\{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}\RichText.ico

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime\PictureViewer.lnk - C:\Windows\Installer\{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}\PictureViewer.ico

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime\QuickTime deïnstalleren.lnk -

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime\QuickTime Player.lnk - C:\Windows\Installer\{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}\QTPlayer.ico

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk - C:\Program Files\Secunia\PSI\psi_tray.exe

==== shortcuts in Quick Launch ======================

C:\Users\Alpitec\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk - C:\Windows\Installer\{A08BAD08-9AA3-410F-98F3-C92C8EE37218}\SafariIco.exe

C:\Users\Alpitec\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Mozilla Firefox.lnk - C:\Program Files\Mozilla Firefox\firefox.exe

C:\Users\Alpitec\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk - C:\Program Files\Mozilla Firefox\firefox.exe

==== Empty IE Cache ======================

C:\Users\Alpitec\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully

C:\Users\Alpitec\AppData\Local\Temp\Low\Temporary Internet Files\Content.IE5 emptied successfully

C:\Users\Alpitec\AppData\Local\Temp\Temporary Internet Files\Content.IE5 emptied successfully

C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

C:\Windows\serviceprofiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

C:\Windows\serviceprofiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5 emptied successfully

C:\Users\Alpitec\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot

C:\Windows\serviceprofiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot

==== Empty FireFox Cache ======================

C:\users\Alpitec\AppData\Local\Mozilla\Firefox\Profiles\dwsiodp4.default\Cache emptied successfully

==== Empty Chrome Cache ======================

No Chrome User Data found

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

After Reboot

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied

C:\Users\Alpitec\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\Users\Alpitec\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not deleted

"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not deleted

"C:\Windows\serviceprofiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not found


Hello Juisterr,

I haven't run into any more problems.

Do you think I can click the "solved" button?

There is still an older item that gives an error message every time at startup; should I create a separate question for that, or post it here as well?
