Live Jasmin

  • Kef

    Hi Argus,

    Here is the logfile:

    ======C:\Windows====
    --s-a-w 67,584 2010-09-30 09:37:45 C:\Windows\bootstat.dat
    ----a-w 69 2010-09-28 19:10:30 C:\Windows\NeroDigital.ini
    ----a-w 3,316 2010-09-29 20:03:43 C:\Windows\PFRO.log
    ----a-w 1,404 2010-09-29 14:16:42 C:\Windows\setupact.log
    ----a-w 0 2010-09-24 22:27:22 C:\Windows\setuperr.log
    ----a-w 215 2010-09-17 20:04:49 C:\Windows\system.ini
    ----a-w 219 2010-09-13 14:52:17 C:\Windows\win.ini
    ----a-w 1,239,441 2010-09-30 09:38:19 C:\Windows\WindowsUpdate.log
    Entries: 8 (7)
    Directories: 0 Files: 8
    Bytes: 1,312,248 Blocks: 2,566

    ======C:\Users\Kevin\AppData\Local\Temp====
    ----a-w 134 2010-09-30 09:39:25 C:\Users\Kevin\AppData\Local\Temp\115362.od
    ----a-w 1,906 2010-09-30 09:38:04 C:\Users\Kevin\AppData\Local\Temp\AdobeARM.log
    ----a-w 0 2010-09-30 09:39:25 C:\Users\Kevin\AppData\Local\Temp\CVRC2A2.tmp.cvr
    ----a-w 642 2010-09-30 09:37:59 C:\Users\Kevin\AppData\Local\Temp\DataCardMonitor.tmp
    ---hatw 0 2010-09-30 09:51:52 C:\Users\Kevin\AppData\Local\Temp\etilqs_AtCNlTQ2MwUWLWB50RgM
    ----atw 0 2010-09-30 09:39:27 C:\Users\Kevin\AppData\Local\Temp\JETC86C.tmp
    ----a-w 31,832 2010-09-30 09:37:53 C:\Users\Kevin\AppData\Local\Temp\Kevin.bmp
    ----a-w 777 2010-09-30 09:51:56 C:\Users\Kevin\AppData\Local\Temp\Log.txt
    ----a-w 204,800 2010-09-29 06:47:46 C:\Users\Kevin\AppData\Local\Temp\RtkBtMnt.exe
    ----a-w 1,225 2010-09-29 22:28:34 C:\Users\Kevin\AppData\Local\Temp\zoek.bat
    Entries: 10 (9)
    Directories: 0 Files: 10
    Bytes: 241,316 Blocks: 475

    ======C:\Windows\system32=====
    ---ha-w 3,216 2010-09-30 09:37:52 C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    ---ha-w 3,216 2010-09-30 09:37:52 C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    ----a-w 382,648 2010-09-13 15:17:07 C:\Windows\System32\FNTCACHE.DAT
    ----a-w 102,520 2010-09-13 15:17:22 C:\Windows\System32\GDIPFONTCACHEV1.DAT
    ----a-w 104,070 2010-09-30 09:42:09 C:\Windows\System32\perfc009.dat
    ----a-w 130,186 2010-09-30 09:42:09 C:\Windows\System32\perfc013.dat
    ----a-w 595,996 2010-09-30 09:42:09 C:\Windows\System32\perfh009.dat
    ----a-w 677,188 2010-09-30 09:42:09 C:\Windows\System32\perfh013.dat
    ----a-w 1,497,330 2010-09-30 09:42:08 C:\Windows\System32\PerfStringBackup.INI
    ----a-w 126,464 2010-08-17 13:32:33 C:\Windows\System32\spoolsv.exe
    ----a-w 339 2010-09-30 09:38:35 C:\Windows\System32\timeset.bin
    ----a-w 339 2010-09-30 09:38:35 C:\Windows\System32\timeset.exe
    Entries: 12 (10)
    Directories: 0 Files: 12
    Bytes: 3,623,512 Blocks: 7,084

    ======C:\Windows\system32\drivers=====
    ----a-w 16,968 2010-09-18 03:47:00 C:\Windows\System32\drivers\hitmanpro35.sys
    Entries: 1 (1)
    Directories: 0 Files: 1
    Bytes: 16,968 Blocks: 34

    ======C:\Windows\Tasks======
    ----a-w 1,012 2010-09-07 22:40:00 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-136261241-1024311286-1967364142-1000Core.job
    ----a-w 1,064 2010-09-30 09:40:06 C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-136261241-1024311286-1967364142-1000UA.job
    ---ha-w 6 2010-09-30 09:37:50 C:\Windows\Tasks\SA.DAT
    ----a-w 32,526 2010-09-30 05:55:24 C:\Windows\Tasks\SCHEDLGU.TXT
    Entries: 4 (3)
    Directories: 0 Files: 4
    Bytes: 34,608 Blocks: 70

    ======C:\Windows\Temp======
    ----a-w 632 2010-09-28 20:38:24 C:\Windows\Temp\fwtsqmfile00.sqm
    ----a-w 3,476 2010-09-29 17:53:59 C:\Windows\Temp\MpSigStub.log
    Entries: 2 (2)
    Directories: 0 Files: 2
    Bytes: 4,108 Blocks: 9

    =======C:\Program Files=====
    Entries: 0 (0)
    Directories: 0 Files: 0
    Bytes: 0 Blocks: 0

    =======C:=====
    ----a-w 15,310 2010-09-17 20:08:29 C:\ComboFix.txt
    --sha-w 3,145,736,192 2010-09-30 09:37:42 C:\hiberfil.sys
    --sha-w 3,461,591,040 2010-09-30 09:37:40 C:\pagefile.sys
    Entries: 3 (1)
    Directories: 0 Files: 3
    Bytes: 6,607,342,542 Blocks: 12,904,966

    ======C:\Users\Kevin\AppData\Roaming======
    ----a-w 1,340 2010-09-28 19:10:30 C:\Users\Kevin\AppData\Roaming\default.rss
    Entries: 1 (1)
    Directories: 0 Files: 1
    Bytes: 1,340 Blocks: 3

    ======C:\Users\Kevin======
    --sha-w 4,456,448 2010-09-30 09:51:01 C:\Users\Kevin\ntuser.dat
    ---ha-w 262,144 2010-09-30 09:51:01 C:\Users\Kevin\ntuser.dat.LOG1
    --sha-w 65,536 2010-09-30 05:55:23 C:\Users\Kevin\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TM.blf
    --sha-w 524,288 2010-09-30 05:55:23 C:\Users\Kevin\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms
    Entries: 4 (0)
    Directories: 0 Files: 4
    Bytes: 5,308,416 Blocks: 10,368

    ======C:\Windows\Downloaded Program Files====
    Entries: 0 (0)
    Directories: 0 Files: 0
    Bytes: 0 Blocks: 0

    =============
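    An added example, not part of this thread and not code from the scanning tool that produced the log above: a small Python parser for that listing format, followed by the triage heuristics a helper applies by eye when reading such a log (an executable sitting in a Temp directory, an executable in System32 modified shortly before the scan, a hidden executable, an implausibly small .exe). The seven-character attribute layout, the two-day window and the 1 KiB size threshold are assumptions inferred from the posted lines, and the sample input is a handful of those lines with the attribute dashes written in plain ASCII.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# One file line of the listing: a 7-character attribute field, a size with
# thousands separators, a timestamp and the full path.  The layout is
# inferred from the lines in the post above (an assumption, not the tool's
# documented format).
ENTRY_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>[A-Za-z]:\\.*)$"
)

# Sample input: lines copied from the listing above (constructed subset).
SAMPLE = r"""
======C:\Users\Kevin\AppData\Local\Temp====
----a-w 204,800 2010-09-29 06:47:46 C:\Users\Kevin\AppData\Local\Temp\RtkBtMnt.exe
----a-w 1,225 2010-09-29 22:28:34 C:\Users\Kevin\AppData\Local\Temp\zoek.bat
----a-w 777 2010-09-30 09:51:56 C:\Users\Kevin\AppData\Local\Temp\Log.txt
======C:\Windows\system32=====
----a-w 126,464 2010-08-17 13:32:33 C:\Windows\System32\spoolsv.exe
----a-w 339 2010-09-30 09:38:35 C:\Windows\System32\timeset.bin
----a-w 339 2010-09-30 09:38:35 C:\Windows\System32\timeset.exe
======C:\Windows\system32\drivers=====
----a-w 16,968 2010-09-18 03:47:00 C:\Windows\System32\drivers\hitmanpro35.sys
Entries: 1 (1)
"""


@dataclass
class Entry:
    attrs: str
    size: int
    mtime: datetime
    path: str

    @property
    def ext(self):
        return PureWindowsPath(self.path).suffix.lower()


def parse_listing(text):
    """Return an Entry for every file line; section headers and the
    Entries/Directories/Bytes summary lines do not match and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(
                attrs=m["attrs"],
                size=int(m["size"].replace(",", "")),
                mtime=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                path=m["path"],
            ))
    return entries


EXEC_EXT = {".exe", ".dll", ".sys", ".bat", ".cmd", ".scr", ".com"}
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def triage(entries, scan_time=None, window=timedelta(days=2)):
    """Apply the triage heuristics and return [(path, [reasons])] for the
    entries that deserve a closer look.  scan_time defaults to the newest
    mtime in the listing, which is what a freshly generated log has."""
    if not entries:
        return []
    if scan_time is None:
        scan_time = max(e.mtime for e in entries)
    findings = []
    for e in entries:
        low = e.path.lower()
        reasons = []
        if e.ext in EXEC_EXT and any(d in low for d in TEMP_DIRS):
            reasons.append("executable in temp directory")
        if (e.ext in EXEC_EXT and "\\windows\\system32\\" in low
                and scan_time - e.mtime <= window):
            reasons.append("recently modified executable in System32")
        if e.ext in EXEC_EXT and "h" in e.attrs:
            reasons.append("hidden executable")
        if e.ext == ".exe" and e.size < 1024:  # threshold is an assumption
            reasons.append("implausibly small executable")
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_listing(SAMPLE)):
        print(path, "->", "; ".join(reasons))
```

    On the sample it flags the two executables in Temp and the 339-byte timeset.exe in System32 (both recent and far too small to be a normal program), while spoolsv.exe and the HitmanPro driver pass because they are older than the window. A flag is a prompt for a human to look, not a verdict: a batch file the user put in Temp deliberately is flagged exactly like an unwanted one.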

  • Argus

    Hijack This

    Close all windows and start Hijack This.

    Vista + Windows 7

    Right-click the HijackThis program, choose Run as administrator, and then

    Click: Do a system scan only

    Put a check mark in the box in front of:

    O4 - HKCU\..\Run: C:\Windows\system32\timesync.exe

    Internet Explorer must be closed when you click Fix Checked.

    Download Combofix to your Desktop.

    NOTE: if, during or after downloading Combofix or while using Combofix, you get a warning from your antivirus or another real-time scanner, disable that scanner and download Combofix again.

    Some scanners treat certain components that Combofix uses as suspicious and will block or remove them!

    Double-click Combofix.exe to start it.

    If you have used Combofix before, you may get a warning that an update is available. Allow ComboFix to be updated.

    Click OK in the "NirCmd" window.

    Afterwards, click Yes again to start the malware scan.

    While the fix is running, do NOT click in the window, because this will make your PC hang.

    When the fix has finished and after the restart, the log Combofix.txt will open.

    Post the ComboFix log.

    * Visit the following page for instructions on downloading and using Combofix.

    http://www.bleepingcomputer.com/combofix/nl/hoe-dient-combofix-gebruikt-te-worden

  • Kef

    Dear Argus,

    I did the Fix Checked on that line.

    No more pop-ups since then.

    Many thanks!

  • Argus

    Delete C:\Windows\system32\timesync.exe