[LØST]Problemer med Vundo-infeksjon

[Tomhah]

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 22:10:22, on 23.06.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Klikk for å se/fjerne innholdet nedenfor

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Telenor\Online Start\Telenor.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\VentSrv\ventrilo_svc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\WinRAR\WinRAR.exe

C:\Documents and Settings\Stein-Arild\Desktop\Hijackthis!\test.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.online.no/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1A7A8363-D24D-454B-B1A6-D13DC087F2C0} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Online Start Plugin - {DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516} - C:\Program Files\Telenor\Online Start\IEFixItNowPlugin.dll

O2 - BHO: (no name) - {E5225210-F293-40FE-BB2F-D5A3C7F13C47} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iCQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize

O4 - HKLM\..\Run: [Telenor Online Start] "C:\Program Files\Telenor\Online Start\Telenor.exe"

O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\Run: [j1271035] rundll32 C:\WINDOWS\system32\j1271035.dll sook

O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\erfixhqb.dll",realset

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_06) -

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O16 - DPF: {CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_06) -

O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://bente.eurofoto.no/activex/ImageUploader3.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\egqcyipt.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

O24 - Desktop Component 0: (no name) - http://www.mgr.fi/galleria_australia2006l.jpg

 

--

End of file - 8154 bytes

 

 

Der er hijacken og her kommer fra SUPER antispyware:

 

UPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 06/23/2007 at 09:44 PM

 

Application Version : 3.8.1002

 

Core Rules Database Version : 3260

Trace Rules Database Version: 1271

 

Scan type : Complete Scan

Total Scan Time : 00:38:47

 

Memory items scanned : 434

Memory threats detected : 3

Registry items scanned : 5597

Registry threats detected : 40

File items scanned : 48770

File threats detected : 26

 

Trojan.WinFixer

C:\WINDOWS\SYSTEM32\GEEBA.DLL

C:\WINDOWS\SYSTEM32\GEEBA.DLL

HKLM\Software\Classes\CLSID\{1A7A8363-D24D-454B-B1A6-D13DC087F2C0}

HKCR\CLSID\{1A7A8363-D24D-454B-B1A6-D13DC087F2C0}

HKCR\CLSID\{1A7A8363-D24D-454B-B1A6-D13DC087F2C0}\InprocServer32

HKCR\CLSID\{1A7A8363-D24D-454B-B1A6-D13DC087F2C0}\InprocServer32#ThreadingModel

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A7A8363-D24D-454B-B1A6-D13DC087F2C0}

Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\geeba

 

Adware.Vundo Variant

C:\WINDOWS\SYSTEM32\WVURPQO.DLL

C:\WINDOWS\SYSTEM32\WVURPQO.DLL

HKLM\Software\Classes\CLSID\{92A444D2-F945-4dd9-89A1-896A6C2D8D22}

HKCR\CLSID\{92A444D2-F945-4DD9-89A1-896A6C2D8D22}

HKCR\CLSID\{92A444D2-F945-4DD9-89A1-896A6C2D8D22}\InprocServer32

HKCR\CLSID\{92A444D2-F945-4DD9-89A1-896A6C2D8D22}\InprocServer32#ThreadingModel

C:\WINDOWS\SYSTEM32\VWKRXHKE.DLL

HKLM\Software\Classes\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}

HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}

HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}\InprocServer32

HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}\InprocServer32#ThreadingModel

C:\WINDOWS\SYSTEM32\NHOBSQUR.DLL

HKLM\Software\Classes\CLSID\{E12BFF69-38A7-406e-A8EF-2738107A7831}

HKCR\CLSID\{E12BFF69-38A7-406E-A8EF-2738107A7831}

HKCR\CLSID\{E12BFF69-38A7-406E-A8EF-2738107A7831}\InprocServer32

HKCR\CLSID\{E12BFF69-38A7-406E-A8EF-2738107A7831}\InprocServer32#ThreadingModel

C:\WINDOWS\SYSTEM32\HTKDBQQS.DLL

HKLM\Software\Classes\CLSID\{E5225210-F293-40FE-BB2F-D5A3C7F13C47}

HKCR\CLSID\{E5225210-F293-40FE-BB2F-D5A3C7F13C47}

HKCR\CLSID\{E5225210-F293-40FE-BB2F-D5A3C7F13C47}\InprocServer32

HKCR\CLSID\{E5225210-F293-40FE-BB2F-D5A3C7F13C47}\InprocServer32#ThreadingModel

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5225210-F293-40FE-BB2F-D5A3C7F13C47}

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{E5225210-F293-40FE-BB2F-D5A3C7F13C47}

Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\wvurpqo

HKCR\CLSID\{92A444D2-F945-4DD9-89A1-896A6C2D8D22}

HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}

HKCR\CLSID\{E12BFF69-38A7-406E-A8EF-2738107A7831}

HKCR\CLSID\{E5225210-F293-40FE-BB2F-D5A3C7F13C47}

 

Trojan.Downloader-CREW

C:\WINDOWS\SYSTEM32\TWGMPLKX.DLL

C:\WINDOWS\SYSTEM32\TWGMPLKX.DLL

HKLM\Software\Classes\CLSID\{7A79AA92-0CC5-4CD8-8175-F14BDD15C34f}

HKCR\CLSID\{7A79AA92-0CC5-4CD8-8175-F14BDD15C34F}

HKCR\CLSID\{7A79AA92-0CC5-4CD8-8175-F14BDD15C34F}\InprocServer32

HKCR\CLSID\{7A79AA92-0CC5-4CD8-8175-F14BDD15C34F}\InprocServer32#ThreadingModel

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A79AA92-0CC5-4CD8-8175-F14BDD15C34f}

C:\SYSTEM VOLUME INFORMATION\_RESTORE{414DF493-84C2-4F33-82F5-45338DD1AFD7}\RP330\A0057169.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{414DF493-84C2-4F33-82F5-45338DD1AFD7}\RP331\A0057270.DLL

 

Unclassified.Unknown Origin

HKLM\Software\Classes\CLSID\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}

HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}

HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}\InprocServer32

HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}\InprocServer32#ThreadingModel

C:\WINDOWS\SYSTEM32\SMAYIJPN.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}

HKCR\CLSID\{5ADF3862-9E2E-4AD3-86F7-4510E6550CD0}

 

Adware.Tracking Cookie

C:\Documents and Settings\Stein-Arild\Cookies\[email protected][1].txt

C:\Documents and Settings\Stein-Arild\Cookies\[email protected][2].txt

C:\Documents and Settings\Stein-Arild\Cookies\stein-arild@winantivirus[2].txt

C:\Documents and Settings\Stein-Arild\Cookies\stein-arild@indexstats[2].txt

 

Spyware.RelevantKnowledge

C:\SYSTEM VOLUME INFORMATION\_RESTORE{414DF493-84C2-4F33-82F5-45338DD1AFD7}\RP242\A0033369.EXE

 

RelevantKnowledge Spyware Component

C:\SYSTEM VOLUME INFORMATION\_RESTORE{414DF493-84C2-4F33-82F5-45338DD1AFD7}\RP243\A0033386.EXE

 

Trace.Known Threat Sources

C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\3IMSZ2DS\checksoft[1].js

C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\3IMSZ2DS\top1_menu[1].gif

C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\8ALIDEM6\wav_banner[1].swf

C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\WZMNQDMT\top1[1].gif

C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\694FUPO5\styles[1].css

C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\GPUF01EN\tracking[1].js

C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\694FUPO5\ico2[1].gif

C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\JUVT1TZR\logo[1].gif

C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\GPUF01EN\button2[1].gif

C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\WZMNQDMT\ico1[1].gif

C:\Documents and Settings\Stein-Arild\Local Settings\Temporary Internet Files\Content.IE5\JUVT1TZR\spacer[1].gif

 

 

 

EDIT: her er logg fra combofix

 

"Stein-Arild" - 2007-06-23 23:17:21 - ComboFix 07-06-23.5 - Service Pack 2 NTFS

 

 

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\erfixhqb.dll

C:\WINDOWS\system32\bqhxifre.ini

C:\WINDOWS\system32\abeeg.bak1

C:\WINDOWS\system32\abeeg.bak2

C:\WINDOWS\system32\abeeg.ini2

C:\WINDOWS\system32\abeeg.tmp

C:\WINDOWS\system32\abeeg.bak1

C:\WINDOWS\system32\abeeg.bak2

C:\WINDOWS\system32\abeeg.ini2

C:\WINDOWS\system32\abeeg.tmp

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\DOCUME~1\STEIN-~1\Desktop.\internet explorer.lnk

C:\i

C:\WINDOWS\servicepackfiles\mm.pidar

C:\WINDOWS\servicepackfiles\www.google.com

C:\WINDOWS\servicepackfiles\www.google.com\Google_files\hp0.gif

C:\WINDOWS\servicepackfiles\www.google.com\Google_files\hp1.gif

C:\WINDOWS\servicepackfiles\www.google.com\Google_files\hp2.gif

C:\WINDOWS\servicepackfiles\www.google.com\Google_files\hp3.gif

C:\WINDOWS\servicepackfiles\www.google.com\index.html

C:\WINDOWS\servicepackfiles\www.google.com\thank.html

C:\WINDOWS\system32\drivers\etc\hosts.tim

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\LEGACY_DOMAINSERVICE

-------\DomainService

 

 

((((((((((((((((((((((((( Files Created from 2007-05-23 to 2007-06-23 )))))))))))))))))))))))))))))))

 

 

2007-06-23 23:16 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-23 21:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2007-06-23 21:03 <DIR> d-------- C:\DOCUME~1\STEIN-~1\APPLIC~1\SUPERAntiSpyware.com

2007-06-23 21:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com

2007-06-23 13:11 <DIR> d-------- C:\Program Files\Alwil Software

2007-06-23 01:14 4,628 --a------ C:\WINDOWS\system32\rttwvhrk.exe

2007-06-20 13:48 <DIR> d-------- C:\Program Files\F1 Challange KRC 2007

2007-06-11 19:19 <DIR> d-------- C:\DOCUME~1\STEIN-~1\APPLIC~1\Opera

2007-06-07 16:20 <DIR> d-------- C:\Program Files\Common Files\Skype

2007-06-05 20:30 <DIR> d-------- C:\VIRTUAL RC RACING

2007-06-05 20:29 <DIR> d-------- C:\Program Files\VIRTUAL RC RACING DEMO

2007-06-03 18:57 <DIR> d-------- C:\Program Files\VIRTUAL RC RACING

2007-06-03 14:14 <DIR> d-------- C:\NAB FULL

2007-06-03 12:05 <DIR> d-------- C:\Nerf Arena Blast

2007-05-28 18:41 <DIR> d-------- C:\Program Files\Schmads Inc

2007-05-28 17:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Logitech

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-23 19:02:50 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-06-23 10:45:26 -------- d-----w C:\DOCUME~1\STEIN-~1\APPLIC~1\Hamachi

2007-06-23 10:26:44 -------- d-----w C:\Program Files\mIRC

2007-06-19 14:47:30 -------- d-----w C:\DOCUME~1\STEIN-~1\APPLIC~1\teamspeak2

2007-06-13 16:06:19 -------- d-----w C:\Program Files\rFactor

2007-06-09 20:28:27 -------- d-----w C:\Program Files\LFS

2007-06-07 19:31:24 -------- d-----w C:\DOCUME~1\STEIN-~1\APPLIC~1\Creative

2007-06-07 19:00:47 -------- d-----w C:\DOCUME~1\STEIN-~1\APPLIC~1\Skype

2007-06-07 14:20:23 -------- d-----w C:\Program Files\Skype

2007-05-29 16:52:41 25,544 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys

2007-05-29 16:41:33 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-05-28 15:56:02 -------- d-----w C:\Program Files\Common Files\Logitech

2007-05-28 15:56:01 -------- d-----w C:\Program Files\Logitech

2007-05-28 10:07:40 -------- d-----w C:\Program Files\Messenger Plus! Live

2007-05-28 10:07:39 -------- d-----w C:\Program Files\MSN Messenger

2007-05-22 17:57:29 -------- d-----w C:\Program Files\Mafia

2007-05-22 17:52:44 -------- d-----w C:\Program Files\Mafia

2007-05-21 15:29:43 -------- d-----w C:\Program Files\VentSrv

2007-05-21 15:12:16 -------- d-----w C:\Program Files\Steam

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-16 15:02:00 101,376 ----a-w C:\WINDOWS\system32\drivers\ACEDRV07.sys

2007-05-16 13:55:56 -------- d-----w C:\Program Files\BitLord

2007-05-14 16:20:30 -------- d-----w C:\Program Files\SmartFTP Client

2007-05-14 16:09:49 -------- d-----w C:\DOCUME~1\STEIN-~1\APPLIC~1\SmartFTP

2007-05-09 13:44:00 -------- d-----w C:\Program Files\Microsoft Games

2007-05-07 14:27:38 -------- d-----w C:\Program Files\BobsTrackBuilder

2007-05-03 18:47:31 -------- d-----w C:\Program Files\Creative

2007-05-03 18:46:57 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll

2007-05-03 18:46:57 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll

2007-05-03 15:22:10 -------- d-----w C:\Program Files\Vstep

2007-05-03 15:15:05 -------- d-----w C:\Program Files\Ship simulator

2007-04-30 16:37:08 -------- d-----w C:\Program Files\GameShadow

2007-04-29 08:25:32 -------- d-----w C:\Program Files\BlueVoda Website Builder

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-24 18:15:18 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2007-04-24 18:07:49 -------- d-----w C:\Program Files\GTR 2

2007-04-24 18:06:09 -------- d-----w C:\Program Files\DAEMON Tools

2007-04-24 18:01:01 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-06-07 11:09]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 03:25]

{DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516}=C:\Program Files\Telenor\Online Start\IEFixItNowPlugin.dll [2007-03-02 14:54]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 09:12]

"nwiz"="nwiz.exe" [2006-08-11 21:43 C:\WINDOWS\system32\nwiz.exe]

"CTHelper"="CTHELPER.EXE" [2006-08-17 11:32 C:\WINDOWS\CTHELPER.EXE]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 11:32 C:\WINDOWS\system32\CTXFIHLP.EXE]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-23 12:50]

"ICQ Lite"="C:\Program Files\ICQLite\ICQLite.exe" [2006-07-11 12:06]

"Telenor Online Start"="C:\Program Files\Telenor\Online Start\Telenor.exe" [2006-11-30 14:51]

"Launch LCDMon"="C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 16:54]

"@"="" []

"Launch LGDCore"="C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 17:22]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-08-02 10:35]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"EA Core"="C:\Program Files\Electronic Arts\EA Link\Core.exe" []

"Steam"="" []

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]

"ICQ Lite"=C:\Program Files\ICQLite\ICQLite.exe -trayboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bff1043c-5257-11db-8062-806d6172696f}]

AutoRun\command- H:\ASUSACPI.exe

 

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-23 23:23:04

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-23 23:24:11 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-06-23 23:24

 

--- E O F ---

 

 

Ny hijack this logg

Klikk for å se/fjerne innholdet nedenfor

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 00:14:26, on 24.06.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Telenor\Online Start\Telenor.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\VentSrv\ventrilo_svc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Stein-Arild\Desktop\Hijackthis!\test.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.online.no/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.online.no/proxy.pac

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1A7A8363-D24D-454B-B1A6-D13DC087F2C0} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Online Start Plugin - {DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516} - C:\Program Files\Telenor\Online Start\IEFixItNowPlugin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iCQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize

O4 - HKLM\..\Run: [Telenor Online Start] "C:\Program Files\Telenor\Online Start\Telenor.exe"

O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"

O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE

O4 - HKLM\..\RunOnce: [MessengerPlusLiveUninstall] "C:\DOCUME~1\STEIN-~1\LOCALS~1\Temp\MsgPlusUninstall.exe" /Cleanup

O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_06) -

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O16 - DPF: {CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_06) -

O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://bente.eurofoto.no/activex/ImageUploader3.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe

O24 - Desktop Component 0: (no name) - http://www.mgr.fi/galleria_australia2006l.jpg

 

--

End of file - 7856 bytes

 

 

Jeg hadde trojansk hest men etter jeg brukte SUPERantispyware så har det sluttet og kommet opp nye vinduer med "reklame".

Håper noen kan fortelle meg om jeg har mer virus og hva jeg da skal slette for å bli kvitt det..

 

Håper på svar så fort som overhode mulig!

 

Mvh Tomhah

 

Skjul-tags lagt inn av moderator

Endret 24. juni 2007 av Tomhah

[norbat]

Hent Combofix, og legg det på skrivebordet

 

Kjør combofix.exe, og følg veiledningen.

Du må ikke klikke på vinduet mens programmet kjører.

 

Post loggfilen fra combofix (vanligvis c:\combofix.txt) + ny HJT-logg

[Tomhah]

Nå er den øverste redigert, nå er combofix der også!

Endret 23. juni 2007 av Tomhah

[norbat]

Så legger du ut en ny HJT-logg under posten her.

[norbat]

Foretrekker at du legger ut logger i nye poster da det er lettere å holde oversikt, men...

 

Kjør HJT, velg "Do a system scan only", sett merke framfor følgende linjer og klikk 'Fix checked':

O2 - BHO: (no name) - {1A7A8363-D24D-454B-B1A6-D13DC087F2C0} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\RunOnce: [MessengerPlusLiveUninstall] "C:\DOCUME~1\STEIN-~1\LOCALS~1\Temp\MsgPlusUninstall.exe" /Cleanup

 

Last ned CCleaner.

Start programmet. Gå til 'Valg'->'Avansert'. Fjern avkryssingen framfor: "bare slett midlertidige filer......." Klikk på 'Renser' og deretter 'Kjør CCleaner'.

 

Oppdater JAVA:

 

http://java.com/en/download/index.jsp

 

Du bør nullstille gjenopprettingsmappa slik at du ikke blir infisert ved en evt. systemgjenoppretting.

Kontrollpanel->system->systemgjenoppretting .

Sett merke framfor "Slå av Systemgjenopprettingen .....",

restart pc,

fjern merket igjen for å aktivere funksjonen.

 

Fortell så hvordan pc'n kjører

[Tomhah]

Har gjort alt dette bortsett fra å nullstille systemgjenopprettingsmappa

Er jeg virus fri nå?

 

Er det viktig å nullstille den mappa? skal bare spørre pappa i morgen sånn for sikkerhets skyld siden det er en slags "familie" pc

[norbat]

Du er nå fri for virus, så lang jeg kan se.

 

Ang. 'nullstille' systemgjenopprettingen: Dette bør gjøres fordi om du ved en senere anledning får behov for å kjøre en systemgjenoppretting, vil du ikke bli infisert med det du nå nettopp har fjernet. Du skal jo aktivere funksjonen igjen, så det skjer ingenting annet enn at man får fjerne korrupte filer.