Arangaras, written 27 April 2008

I hate asking about things without having contributed to a forum first, but a friend of mine has picked up some kind of trojan, and googling hasn't made me much wiser. I've got hold of a HijackThis log from the infected PC. Don't know whether it makes anyone much the wiser, but it's a start, I suppose?

Logfile of HijackThis v1.99.1
Scan saved at 19:24:19, on 27.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\adaware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\vVX3000.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgvv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntnu.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0844F0AC-8543-4202-AF06-C095B91E7631} - C:\WINDOWS\system32\qoMcArRj.dll (file missing)
O2 - BHO: (no name) - {0A816D2D-C423-4CED-87CD-F4EEDD51FBBF} - (no file)
O2 - BHO: (no name) - {210ED2AF-FC77-4057-BA6C-3EB3FE431005} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A66DB184-E609-4AC3-BE72-55FF594EA15D} - C:\WINDOWS\system32\cbXRLcaB.dll (file missing)
O2 - BHO: (no name) - {BFED40C0-7E2C-4468-89C9-F2B808C5B3F5} - (no file)
O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINDOWS\system32\fccywwwv.dll
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\lrlrkumo.dll",b
O4 - HKLM\..\Run: [bM313e2b3d] Rundll32.exe "C:\WINDOWS\system32\puuvaxsx.dll",s
O4 - HKLM\..\RunOnce: [spybotDeletingA1778] command /c del "C:\WINDOWS\system32\puuvaxsx.dll_old"
O4 - HKLM\..\RunOnce: [spybotDeletingC4569] cmd /c del "C:\WINDOWS\system32\puuvaxsx.dll_old"
O4 - HKLM\..\RunOnce: [spybotDeletingA4694] command /c del "C:\WINDOWS\system32\lrlrkumo.dll_old"
O4 - HKLM\..\RunOnce: [spybotDeletingC2536] cmd /c del "C:\WINDOWS\system32\lrlrkumo.dll_old"
O4 - HKLM\..\RunOnce: [spybotDeletingA2971] command /c del "C:\WINDOWS\system32\cbXRLcaB.dll_old"
O4 - HKLM\..\RunOnce: [spybotDeletingC8933] cmd /c del "C:\WINDOWS\system32\cbXRLcaB.dll_old"
O4 - HKLM\..\RunOnce: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [spybotDeletingB7582] command /c del "C:\WINDOWS\system32\puuvaxsx.dll_old"
O4 - HKCU\..\RunOnce: [spybotDeletingD3537] cmd /c del "C:\WINDOWS\system32\puuvaxsx.dll_old"
O4 - HKCU\..\RunOnce: [spybotDeletingB9431] command /c del "C:\WINDOWS\system32\lrlrkumo.dll_old"
O4 - HKCU\..\RunOnce: [spybotDeletingD8960] cmd /c del "C:\WINDOWS\system32\lrlrkumo.dll_old"
O4 - HKCU\..\RunOnce: [spybotDeletingB8002] command /c del "C:\WINDOWS\system32\cbXRLcaB.dll_old"
O4 - HKCU\..\RunOnce: [spybotDeletingD6686] cmd /c del "C:\WINDOWS\system32\cbXRLcaB.dll_old"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://mayla1984.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp04.photoprintit.de/microsite/502...geUploader3.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: fccywwwv - C:\WINDOWS\SYSTEM32\fccywwwv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\adaware\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Thanks in advance for any help, from both me and my friend!
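As an added example (not code from this thread, nor from HijackThis or ComboFix), here is a small triage script that encodes the reasoning the helper applied to the log above: nameless BHOs whose DLL is missing or sits in system32, Run values that hand a system32 DLL to rundll32, and a Winlogon Notify DLL that is also registered as a BHO. The sample lines are copied from the log in this post; the regexes, the Finding type and the function names are my own.

```python
"""Triage helper for HijackThis logs (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log in the first post,
# mixing benign entries with the ones the helper later scripted out.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0844F0AC-8543-4202-AF06-C095B91E7631} - C:\WINDOWS\system32\qoMcArRj.dll (file missing)
O2 - BHO: (no name) - {0A816D2D-C423-4CED-87CD-F4EEDD51FBBF} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F50B3F5E-856E-4757-9BB1-B35D46CA7719} - C:\WINDOWS\system32\fccywwwv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\lrlrkumo.dll",b
O4 - HKLM\..\Run: [bM313e2b3d] Rundll32.exe "C:\WINDOWS\system32\puuvaxsx.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: fccywwwv - C:\WINDOWS\SYSTEM32\fccywwwv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.*)$")
# "rundll32 <dll>,<export>": the loader form used by the two Run values above.
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)\s*$', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\system32\\[^\\]+$", re.IGNORECASE)


def dll_stem(path: str) -> str:
    """Lower-cased file name without extension, ignoring HijackThis' '(file missing)' suffix."""
    name = re.sub(r"\s*\(file missing\)\s*$", "", path, flags=re.IGNORECASE)
    name = name.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


@dataclass
class Finding:
    line: str
    dll: Optional[str]  # lower-cased stem of the DLL this finding points at, if any
    reason: str


def triage(log_text: str) -> List[Finding]:
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings: List[Finding] = []

    # Pass 1: stems of nameless BHOs that still have a DLL under system32,
    # so O20 entries can be cross-checked against them regardless of order.
    bho_stems = set()
    for line in lines:
        m = BHO_RE.match(line)
        if (m and m["name"] == "(no name)" and SYSTEM32_RE.search(m["path"])
                and "(file missing)" not in m["path"].lower()):
            bho_stems.add(dll_stem(m["path"]))

    # Pass 2: judge each entry type.
    for line in lines:
        m = BHO_RE.match(line)
        if m:
            name, path = m["name"], m["path"]
            if name != "(no name)":
                continue  # named BHOs are vetted by name, not by this heuristic
            if path == "(no file)":
                findings.append(Finding(line, None, "nameless BHO with no file: orphaned CLSID"))
            elif "(file missing)" in path.lower():
                findings.append(Finding(line, dll_stem(path),
                                        f"nameless BHO for {dll_stem(path)}.dll that is no longer on disk"))
            elif SYSTEM32_RE.search(path):
                findings.append(Finding(line, dll_stem(path),
                                        f"nameless BHO loading {dll_stem(path)}.dll from system32"))
            continue
        m = RUN_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m["cmd"].strip())
            if r and SYSTEM32_RE.search(r["dll"]):
                findings.append(Finding(line, dll_stem(r["dll"]),
                                        f"{m['hive']} {m['key']} value '{m['value']}' hands "
                                        f"{dll_stem(r['dll'])}.dll in system32 to rundll32 "
                                        f"(export '{r['export']}')"))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            stem = dll_stem(m["path"])
            if stem in bho_stems:
                findings.append(Finding(line, stem,
                                        f"Winlogon Notify DLL {stem}.dll is also registered as a nameless BHO"))
    return findings


def flagged_dlls(findings: List[Finding]) -> List[str]:
    """Sorted, de-duplicated DLL stems the findings point at (the removal list)."""
    return sorted({f.dll for f in findings if f.dll})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.reason}\n    {f.line}")
    print("DLLs to deal with:", ", ".join(flagged_dlls(results)))
```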
snippsat, written 27 April 2008

Yes, there's a bit of junk here. Download ComboFix and put it on the desktop. Don't click on the window while the program is running. Post the log C:\combofix.txt
Arangaras (thread author), written 27 April 2008

Thanks a lot for the help! Here's the log:

ComboFix 08-04-26.5 - May Lene 2008-04-27 22:09:42.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.79 [GMT 2:00]
Running from: C:\Documents and Settings\May Lene\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\autorun.ini
C:\WINDOWS\system32\BacLRXbc.ini
C:\WINDOWS\system32\BacLRXbc.ini2
C:\WINDOWS\system32\cLRBaGgh.ini
C:\WINDOWS\system32\cLRBaGgh.ini2
C:\WINDOWS\system32\dllcache\spoolsv.exe
C:\WINDOWS\system32\fccywwwv.dll
C:\WINDOWS\system32\iidxxkmx.ini
C:\WINDOWS\system32\jRrAcMoq.ini
C:\WINDOWS\system32\jRrAcMoq.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nadmvgsu.ini
C:\WINDOWS\system32\omukrlrl.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-27 19:11 . 2008-04-27 19:11 <DIR> d-------- C:\Documents and Settings\May Lene\Application Data\Talkback
2008-04-27 19:10 . 2008-04-27 19:10 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-27 16:26 . 2008-04-27 16:26 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-04-27 15:28 . 2008-04-27 15:28 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-27 15:12 . 2008-04-27 19:19 558 --a------ C:\WINDOWS\wininit.ini
2008-04-27 14:49 . 2008-04-27 14:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-27 14:49 . 2008-04-27 14:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-27 11:49 . 2008-04-27 11:49 <DIR> d-------- C:\Program Files\CCleaner
2008-04-24 09:44 . 2008-04-24 09:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-23 09:44 . 2008-04-23 09:44 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-23 09:43 . 2008-04-27 16:19 109,792 --a------ C:\WINDOWS\BM313e2b3d.xml
2008-04-17 08:25 . 2008-04-17 08:25 <DIR> d--hs---- C:\FOUND.001
2008-04-15 10:16 . 2008-04-15 10:16 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-05 22:12 . 2008-04-05 22:12 0 --a------ C:\WINDOWS\iPlayer.INI
2008-04-05 17:04 . 2008-04-05 17:04 <DIR> d-------- C:\Program Files\InterActual
2008-03-27 20:09 . 2008-03-27 20:14 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-27 20:09 . 2008-03-27 20:14 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-27 20:09 . 2008-03-27 20:14 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-27 20:08 . 2008-03-27 20:08 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-03 14:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-03 11:09 --------- d-----w C:\Program Files\Bonjour
2008-03-03 10:58 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-03-01 16:36 3,591,680 ----a-w C:\WINDOWS\system32\SET47.tmp
2008-03-01 16:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 08:59 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-02-16 08:59 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-02-16 08:59 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-02-16 08:59 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2008-02-16 08:59 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-02-09 11:28 43,168 ----a-w C:\Documents and Settings\May Lene\Application Data\GDIPFONTCACHEV1.DAT

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0844F0AC-8543-4202-AF06-C095B91E7631}]
C:\WINDOWS\system32\qoMcArRj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A816D2D-C423-4CED-87CD-F4EEDD51FBBF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{210ED2AF-FC77-4057-BA6C-3EB3FE431005}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A66DB184-E609-4AC3-BE72-55FF594EA15D}]
C:\WINDOWS\system32\cbXRLcaB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFED40C0-7E2C-4468-89C9-F2B808C5B3F5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F50B3F5E-856E-4757-9BB1-B35D46CA7719}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 23:44 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 23:43 688218]
"SoundMan"="SOUNDMAN.EXE" [2005-02-23 18:13 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-07 19:50 88363 C:\WINDOWS\AGRSMMSG.exe]
"PCMService"="C:\Program Files\Arcade\PCMService.exe" [2005-03-09 18:59 49152]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-16 09:21 579584]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 17:01 277296]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-10-13 17:04 707376]
"320d18a1"="C:\WINDOWS\system32\lrlrkumo.dll" [ ]
"BM313e2b3d"="C:\WINDOWS\system32\puuvaxsx.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 16:54 219136]

C:\Documents and Settings\May Lene\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-10-23 18:52:48 106496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccywwwv]
fccywwwv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^May Lene^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\May Lene\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^May Lene^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper og Launcher.lnk]
path=C:\Documents and Settings\May Lene\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper og Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper og Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\320d18a1]
C:\WINDOWS\system32\usgvmdan.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM313e2b3d]
C:\WINDOWS\system32\yxgboqen.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
--a------ 2005-03-23 10:01 245760 C:\Windows\System32\Check.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 05:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
--a------ 2005-03-28 12:30 315392 C:\Program Files\Launch Manager\QtZgAcer.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 05:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 05:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 05:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
--a------ 2005-03-04 13:13 32768 C:\WINDOWS\system32\keyhook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
--a------ 2005-02-25 13:35 49152 C:\WINDOWS\system32\SiSPower.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 15:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
--a------ 2006-10-13 17:04 707376 C:\WINDOWS\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Last.fm\\LastFM.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2006-10-13 17:01]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2004-11-05 01:43]
S3 int15.sys;int15.sys;C:\Program Files\acer\eRecovery\int15.sys [2005-01-13 14:46]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-17 13:51:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-31 11:05:06 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1189335706.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 22:15:11
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\ADAWARE\AAWSERVICE.EXE
C:\ACER\EMANAGER\ANBMSERV.EXE
C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\BONJOUR\MDNSRESPONDER.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-04-27 22:17:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-27 20:17:48
Pre-Run: 19,666,468,864 bytes free
Post-Run: 19,696,844,800 bytes free

221 --- E O F --- 2008-04-27 15:21:06
snippsat, written 27 April 2008 (edited)

Copy the bold text below the picture -> open Notepad and paste it in. Save it to the desktop as CFScript.txt. Do as in the picture and ComboFix will start. Post the log c:\combofix.txt

File::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\BM313e2b3d.xml
C:\WINDOWS\system32\SET47.tmp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0844F0AC-8543-4202-AF06-C095B91E7631}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A816D2D-C423-4CED-87CD-F4EEDD51FBBF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{210ED2AF-FC77-4057-BA6C-3EB3FE431005}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A66DB184-E609-4AC3-BE72-55FF594EA15D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFED40C0-7E2C-4468-89C9-F2B808C5B3F5}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F50B3F5E-856E-4757-9BB1-B35D46CA7719}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"320d18a1"=-
"BM313e2b3d"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccywwwv]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\320d18a1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM313e2b3d]

Download and run CCleaner. 'Options' -> 'Advanced'. Untick: "Only delete temporary files older than 48 hours". Run the registry cleaner and answer yes to repairing.
---
Download, update and run a full scan with SAS free. Post the log from SAS (preferences->statistics/logs)
---
Restart, then a new HijackThis log.

Edited 27 April 2008 by SNIPPSAT
Arangaras (thread author), written 29 April 2008

OK, here come the logs:

ComboFix:

ComboFix 08-04-26.5 - May Lene 2008-04-28 19:55:24.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.128 [GMT 2:00]
Running from: C:\Documents and Settings\May Lene\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\May Lene\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM313e2b3d.xml
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\SET47.tmp
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM313e2b3d.xml
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\SET47.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-27 19:11 . 2008-04-27 19:11 <DIR> d-------- C:\Documents and Settings\May Lene\Application Data\Talkback
2008-04-27 19:10 . 2008-04-27 19:10 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-27 15:28 . 2008-04-27 15:28 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-27 15:12 . 2008-04-27 19:19 558 --a------ C:\WINDOWS\wininit.ini
2008-04-27 14:49 . 2008-04-27 14:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-27 14:49 . 2008-04-27 14:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-27 11:49 . 2008-04-27 11:49 <DIR> d-------- C:\Program Files\CCleaner
2008-04-24 09:44 . 2008-04-24 09:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-23 09:44 . 2008-04-23 09:44 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-17 08:25 . 2008-04-17 08:25 <DIR> d--hs---- C:\FOUND.001
2008-04-15 10:16 . 2008-04-15 10:16 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-05 22:12 . 2008-04-05 22:12 0 --a------ C:\WINDOWS\iPlayer.INI
2008-04-05 17:04 . 2008-04-05 17:04 <DIR> d-------- C:\Program Files\InterActual

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-03 14:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-03 11:09 --------- d-----w C:\Program Files\Bonjour
2008-03-03 10:58 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-03-01 16:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 08:59 474,112 ----a-w C:\WINDOWS\system32\dllcache\shlwapi.dll
2008-02-16 08:59 151,040 ----a-w C:\WINDOWS\system32\dllcache\cdfview.dll
2008-02-16 08:59 1,494,528 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-02-16 08:59 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2008-02-16 08:59 1,023,488 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-02-09 11:28 43,168 ----a-w C:\Documents and Settings\May Lene\Application Data\GDIPFONTCACHEV1.DAT

.
((((((((((((((((((((((((((((( snapshot@2008-04-27_22.17.30.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-27 20:14:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-28 17:41:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 23:44 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 23:43 688218]
"SoundMan"="SOUNDMAN.EXE" [2005-02-23 18:13 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-07 19:50 88363 C:\WINDOWS\AGRSMMSG.exe]
"PCMService"="C:\Program Files\Arcade\PCMService.exe" [2005-03-09 18:59 49152]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-16 09:21 579584]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 17:01 277296]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-10-13 17:04 707376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 16:54 219136]

C:\Documents and Settings\May Lene\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-10-23 18:52:48 106496]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\WINDOWS\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^May Lene^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\May Lene\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^May Lene^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper og Launcher.lnk]
path=C:\Documents and Settings\May Lene\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper og Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper og Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
--a------ 2005-03-23 10:01 245760 C:\Windows\System32\Check.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 05:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-15 03:22 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
--a------ 2005-03-28 12:30 315392 C:\Program Files\Launch Manager\QtZgAcer.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 05:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 05:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 05:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
--a------ 2005-03-04 13:13 32768 C:\WINDOWS\system32\keyhook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
--a------ 2005-02-25 13:35 49152 C:\WINDOWS\system32\SiSPower.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-11-09 15:07 49263 C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
--a------ 2006-10-13 17:04 707376 C:\WINDOWS\vVX3000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Last.fm\\LastFM.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2006-10-13 17:01]
R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2004-11-05 01:43]
S3 int15.sys;int15.sys;C:\Program Files\acer\eRecovery\int15.sys [2005-01-13 14:46]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-17 13:51:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-31 11:05:06 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1100 series#1189335706.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 19:57:19
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...
scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-04-28 19:57:43 ComboFix-quarantined-files.txt 2008-04-28 17:57:42 Pre-Run: 19,595,231,232 bytes free Post-Run: 19,583,631,360 bytes free 182 --- E O F --- 2008-04-27 15:21:06 SAS: SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 04/28/2008 at 09:11 PM Application Version : 4.0.1154 Core Rules Database Version : 3449 Trace Rules Database Version: 1441 Scan type : Complete Scan Total Scan Time : 00:37:06 Memory items scanned : 439 Memory threats detected : 0 Registry items scanned : 5044 Registry threats detected : 0 File items scanned : 18998 File threats detected : 15 Adware.Tracking Cookie C:\Documents and Settings\May Lene\Cookies\[email protected][2].txt C:\Documents and Settings\May Lene\Cookies\may_lene@apmebf[1].txt C:\Documents and Settings\May Lene\Cookies\may_lene@tribalfusion[1].txt C:\Documents and Settings\May Lene\Cookies\[email protected][1].txt C:\Documents and Settings\May Lene\Cookies\[email protected][1].txt C:\Documents and Settings\May Lene\Cookies\may_lene@atdmt[2].txt C:\Documents and Settings\May Lene\Cookies\may_lene@adnetserver[1].txt C:\Documents and Settings\May Lene\Cookies\[email protected][2].txt C:\Documents and Settings\May Lene\Cookies\may_lene@doubleclick[1].txt C:\Documents and Settings\May Lene\Cookies\may_lene@fastclick[2].txt C:\Documents and Settings\May Lene\Cookies\may_lene@pacificpoker[1].txt Adware.Vundo-Variant C:\SYSTEM VOLUME INFORMATION\_RESTORE{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP343\A0048332.DLL C:\SYSTEM VOLUME INFORMATION\_RESTORE{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP347\A0049836.DLL C:\SYSTEM VOLUME INFORMATION\_RESTORE{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP348\A0049916.DLL Adware.Vundo-Variant/H C:\SYSTEM VOLUME INFORMATION\_RESTORE{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP349\A0049941.DLL And HijackThis: Logfile of HijackThis v1.99.1 Scan saved
at 21:20:58, on 28.04.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\adaware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Acer\eManager\anbmServ.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\Program Files\Microsoft LifeCam\MSCamS32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Arcade\PCMService.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\WINDOWS\vVX3000.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Last.fm\LastFMHelper.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntnu.no/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {0844F0AC-8543-4202-AF06-C095B91E7631} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O2 - BHO: (no name) - {A66DB184-E609-4AC3-BE72-55FF594EA15D} - (no file) O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe" O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program 
Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll O11 - Options group: [iNTERNATIONAL] International* O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://mayla1984.spaces.live.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp04.photoprintit.de/microsite/502...geUploader3.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - 
C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: fccywwwv - C:\WINDOWS\ O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\adaware\aawservice.exe O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
snippsat Posted 29 April 2008
Run only HJT while you do this. Start HijackThis, "Scan", find these lines, tick them, then press "Fix checked".
O2 - BHO: (no name) - {0844F0AC-8543-4202-AF06-C095B91E7631} - (no file)
O2 - BHO: (no name) - {A66DB184-E609-4AC3-BE72-55FF594EA15D} - (no file)
O20 - Winlogon Notify: fccywwwv - C:\WINDOWS\
Then it looks fine. Use the PC for a while; if it runs well you can do this: you can remove ComboFix by typing combofix /u in the Run window. This command deletes the quarantined files and the backups, resets the System Restore folder, etc. Surf safely.
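The two patterns picked out above (a BHO whose CLSID no longer maps to a file, and a Winlogon Notify hook pointing at a bare directory instead of a DLL) can be found mechanically. The following is an added triage helper, not code from this thread or from HijackThis; the flagging rules are its own heuristics, and the sample lines are copied from the log posted earlier.

```python
import re

# HijackThis v1.99 entry formats this example understands:
#   O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
#   O20 - Winlogon Notify: <subkey> - <dll path>
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.*)$")


def triage_line(line):
    """Return (entry, reason) when an entry matches one of the two patterns
    the helper pointed out, else None. The heuristics are this example's own."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        if m.group("path") == "(no file)":
            # A BHO CLSID still registered although its DLL is gone: IE can
            # no longer load it, but the orphaned registration should go too.
            return (line, "orphaned BHO (no file)")
        return None
    m = O20_RE.match(line)
    if m and not m.group("path").lower().endswith(".dll"):
        # Winlogon Notify packages are DLLs; a bare directory means the
        # file was removed or hidden while the registry hook remained.
        return (line, "Winlogon Notify without a DLL target")
    return None


def triage_log(text):
    """Run triage_line over every line of a log; returns the flagged entries."""
    return [hit for hit in map(triage_line, text.splitlines()) if hit]


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {0844F0AC-8543-4202-AF06-C095B91E7631} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {A66DB184-E609-4AC3-BE72-55FF594EA15D} - (no file)
O4 - HKLM\\..\\Run: [AGRSMMSG] AGRSMMSG.exe
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: fccywwwv - C:\\WINDOWS\\
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
"""

if __name__ == "__main__":
    for entry, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```

Run against the sample it reports exactly the three entries the helper asked to have fixed; legitimate BHOs and Winlogon Notify DLLs such as SASWINLO.dll and WgaLogon.dll pass through untouched.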
Arangaras (Author) Posted 29 April 2008
Thank you so much! I can't get over how incredibly cool it is that you can find people like you on various forums around the net who simply help people in need without wanting anything in return. I shudder at the thought of how much this would have cost my friend if she had taken it to "professionals". I have persuaded my friend to switch to Firefox now. I expect such problems will become rarer "from here on out". Again, thank you!
snippsat Posted 29 April 2008
Yes, if you had taken it in, they would just have reinstalled Windows and the owner would have been quite a few kroner poorer. Think about a firewall; this one is simple and very good: Online Armor Free. Thanks for the feedback.