Virusmaskin struper internett

abrj · 1. oktober 2008

Heisan

Faderen har en laptop med Windows XP pro som plutselig kveler all annen internettrafikk og oppførte seg rart.

Fulgte oppskriften i påfølgende link; https://www.diskusjon.no/index.php?showtopic=691246

Først kjørte jeg i Safemode, men når jeg startet opp igjen fra safemode var de samme problemene der.

Kjørte så på nytt etter å ha logget på som vanlig, men det samme skjer igjen; maskinen hans kveler internett for oss andre så snart maskinen hans logger på nettverket.

AVG maser forøvrig om en fil som heter tcpsr.sys (Trojoan horse SpamBot.G), samt en fil som han kaller osfruta.dll og osfruta32.dll

Trenger seriøst hjelp! Prøver med SpyBot nå for å se hva som skjer.

Jeg legger ved loggfilene.

Combofix;

ComboFix 08-09-28.05 - Rune 2008-10-01 13:48:47.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.650 [GMT 2:00]

Running from: C:\Documents and Settings\Rune\Desktop\Combofix\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))

.

2008-10-01 12:47 . 2008-10-01 12:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

2008-10-01 12:44 . 2008-10-01 12:47 <DIR> d-------- C:\Documents and Settings\Administrator

2008-10-01 12:38 . 2008-10-01 12:38 <DIR> d-------- C:\Program Files\Trend Micro

2008-10-01 12:36 . 2008-10-01 12:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-10-01 12:36 . 2008-10-01 12:36 <DIR> d-------- C:\Documents and Settings\Rune\Application Data\Malwarebytes

2008-10-01 12:36 . 2008-10-01 12:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-10-01 12:36 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-10-01 12:36 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-10-01 12:35 . 2008-10-01 12:35 <DIR> d-------- C:\Program Files\CCleaner

2008-09-30 18:59 . 2008-09-30 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\hgnoxgze

2008-09-30 18:57 . 2008-10-01 13:29 32,256 --a------ C:\WINDOWS\system32\drivers\ati2lrxx.sys

2008-09-13 23:10 . 2008-09-30 19:49 <DIR> d--h----- C:\$AVG8.VAULT$

2008-09-07 18:16 . 2004-08-04 09:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

2008-09-07 12:01 . 2008-09-07 12:01 <DIR> d-------- C:\WINDOWS\system32\scripting

2008-09-07 12:01 . 2008-09-07 12:01 <DIR> d-------- C:\WINDOWS\system32\en

2008-09-07 12:01 . 2008-09-07 12:01 <DIR> d-------- C:\WINDOWS\l2schemas

2008-09-02 17:43 . 2008-04-14 02:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll

2008-09-02 17:43 . 2008-04-14 02:12 53,248 --------- C:\WINDOWS\system32\tsgqec.dll

2008-09-02 17:43 . 2008-04-14 02:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll

2008-09-02 17:41 . 2008-04-14 02:11 397,312 --------- C:\WINDOWS\system32\mmcex.dll

2008-09-02 17:41 . 2008-04-14 02:12 380,416 --------- C:\WINDOWS\system32\irprops.cpl

2008-09-02 17:41 . 2008-04-14 02:11 184,320 --------- C:\WINDOWS\system32\microsoft.managementconsole.dll

2008-09-02 17:41 . 2008-04-14 02:11 106,496 --------- C:\WINDOWS\system32\mmcfxcommon.dll

2008-09-02 17:41 . 2008-04-14 02:11 61,440 --------- C:\WINDOWS\system32\kmsvc.dll

2008-09-02 17:41 . 2008-04-14 02:11 37,376 --------- C:\WINDOWS\system32\l2gpstore.dll

2008-09-02 17:41 . 2008-04-14 02:12 33,792 --------- C:\WINDOWS\system32\mmcperf.exe

2008-09-02 17:41 . 2008-04-14 02:09 6,144 --------- C:\WINDOWS\system32\kbdpash.dll

2008-09-02 17:41 . 2008-04-14 02:09 6,144 --------- C:\WINDOWS\system32\kbdnepr.dll

2008-09-02 17:41 . 2008-04-14 02:09 6,144 --------- C:\WINDOWS\system32\kbdiultn.dll

2008-09-02 17:41 . 2008-04-14 02:09 6,144 --------- C:\WINDOWS\system32\kbdbhc.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-01 11:34 --------- d-----w C:\Documents and Settings\Rune\Application Data\HPAppData

2008-09-02 14:57 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys

2008-08-27 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\IncrediMail

2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-07-18 20:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll

2008-07-18 20:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll

2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll

2008-07-05 07:28 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]

"OM2_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-05-15 95536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-06-04 188416]

"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 282624]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]

"DriveIcons"="C:\Program Files\DriveIcon\DriveIcon.exe" [2004-07-02 662528]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 282624]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\osfruta]

osfruta.dll [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2lrxx.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3syxx.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 ati2lrxx;ati2lrxx;C:\WINDOWS\system32\Drivers\ati2lrxx.sys [2008-10-01 32256]

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-02 97928]

R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-02 875288]

R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-02 231704]

R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-05 76040]

R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-04-21 92550]

S0 ati3syxx;ati3syxx;C:\WINDOWS\system32\Drivers\ati3syxx.sys [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HPService REG_MULTI_SZ HPSLPSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99bd4a40-3fc3-11dd-b418-00904b7a06cf}]

\Shell\AutoRun\command - E:\InstallTomTomHOME.exe

.

Contents of the 'Scheduled Tasks' folder

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://startsiden.no/

O8 -: E&ksporter til Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 -: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-01 13:51:24

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-10-01 13:52:34

ComboFix-quarantined-files.txt 2008-10-01 11:52:21

ComboFix2.txt 2008-10-01 11:20:24

Pre-Run: 43 016 773 632 bytes free

Post-Run: 43,002,851,328 bytes free

147 --- E O F --- 2008-09-13 07:53:57

------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.28

Database versjon: 1134

Windows 5.1.2600 Service Pack 3

01.10.2008 13:42:36

mbam-log-2008-10-01 (13-42-36).txt

Skanntype: Rask Skann

Objekter skannet: 45791

Tid tilbakelagt: 5 minute(s), 57 second(s)

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 29

Registerverdier infisert: 2

Registerfiler infisert: 1

Mapper infisert: 0

Filer infisert: 1

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

Registernøkler infisert:

HKEY_CLASSES_ROOT\CLSID\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Classes\hol5_vxiewer.full.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Invictus (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Golden Palace Casino PT (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.

Registerverdier infisert:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfgmsg (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.

Registerfiler infisert:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Mapper infisert:

(Ingen mistenkelige filer funnet)

Filer infisert:

C:\WINDOWS\system32\ludylyja.exe (Trojan.FakeAlert.H) -> Delete on reboot.

------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:53:13, on 01.10.2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\DriveIcon\DriveIcon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TomTom HOME 2\HOMERunner.exe

C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://startsiden.no/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

O4 - HKLM\..\Run: [DriveIcons] C:\Program Files\DriveIcon\DriveIcon.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"

O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1213473017299

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213474902517

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: osfruta - osfruta.dll (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--

End of file - 7096 bytes

1. oktober 2008

Først kjørte jeg i Safemode, men når jeg startet opp igjen fra safemode var de samme problemene der.

Å kjøre i "safemode" fjerner ingen ting av seg selv.

Du sier at AVG maser om noen filer. Javel; få AVG til å slette dem eller søk på "how to remove -insert malware name-".

Kjør også gjennom en fullstendig system-scan med Ad-aware og fjern det som kommer frem.

Edit: du har også mange prosesser gående. Skriv "msconfig" i "Kjør" og ta vekk haken ved det du ikke trenger å starte opp under boot-loading, under "oppstart" og "tjenester". Hardware.no hadde forøvrig en guide om dette du kan lete frem. Last ned Crapcleaner og ta en oppryddning av registeret etter du har gjort overnevnte.

Endret 1. oktober 2008 av Slettet-XHLacM

norbat · 1. oktober 2008

Gå til nettstedet Virustotal og last opp følgende fil for sjekk:

C:\WINDOWS\system32\drivers\ati2lrxx.sys

Åpne notisblokk, kopier inn det som står i fet skrift under, lagre fila på skrivebordet som CFScript

Dra fila og slipp den over Combofix-iconet. Combofix vil starte igjen.

DirLook::

C:\Documents and Settings\All Users\Application Data\hgnoxgze

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\osfruta]

Post loggen.

FOrtell også hvor AVG finner fila tcpsr.sys og de to andre filene du nevner

Endret 1. oktober 2008 av norbat

abrj · 1. oktober 2008

Han finner filen i C:\WINDOWS\System32\driver\ mappen

Problemet er også at maskinene strupes mot nettet.

Prøver jeg å laste opp C:\WINDOWS\system32\drivers\ati2lrxx.sys får eg bare en melding om at 0 bytes size received

Endret 1. oktober 2008 av abrj

SLiks · 1. oktober 2008

Finn tak i alt av viktige filer han har liggende på maskina.

DVS:

Arbeidsoppgaver, bilder og alt av viktige ting han ikke vil miste.

(Musikk filer og filmer han eventuelt har lastet ned fra nettet osv. er bare å laste ned på nytt igjen senere.)

Så finner du tak i windows plata, cd key og installerer hele greia på nytt. sørg for å oppdatere windows med en gang du har installert det uten å gjøre NOE annet på nettet først. etter dette installerer du antivirus og eventuelt brannmur, før du laster ned alle de nyeste driverne til hovedkort, skjermkort, tastatur og eventuelt andre ting.

Enkelt og greit, og et helt fullstendig clean system. Sjekk forumtråder for hvordan du kan holde systemet rent og optimalt.

Synes det alltid er enkleste løsning og installere xp/vista på nytt igjen om det førsta er blitt "krøll på tråden"

abrj · 1. oktober 2008

Har vært inne på tanken å reinstallere hele dritten ja, for nå har jeg holdt på noen timer med dette. Men, hadde vært kult å fått maskinen til å funke uten også da

1. oktober 2008

Når du eventuelt formaterer må du huske på å installere brannmur og antivirus. AVG og Zonealarm er en bra start.

abrj · 1. oktober 2008

Nå har jeg gjort som NORBAT sa.

tcpsr.sys ligger fremdels der (i system32/drivers) og kommer opp så fort jeg slår på det trådløse nettverket.

ComboFix 08-09-28.05 - Rune 2008-10-01 15:19:50.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.620 [GMT 2:00]

Running from: C:\Documents and Settings\Rune\Desktop\Combofix\ComboFix.exe

Command switches used :: E:\CFScript.txt

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\osfruta.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_tcpsr

((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))

.

2008-10-01 14:31 . 2008-10-01 14:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-10-01 14:31 . 2008-10-01 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy