mittsy wrote on 26 October 2008:

I have now tried a number of different things to stop explorer from restarting constantly all the time... Among other things I did what MrEro was advised to do here in the forum and installed MBAM and Combofix. I thought I'd post the logs I got from these programs and see if any of you can help me.

MBAM log:

Malwarebytes' Anti-Malware 1.30
Database versjon: 1321
Windows 5.1.2600 Service Pack 1

26/10/2008 14:36:37
mbam-log-2008-10-26 (14-36-37).txt

Skanntype: Rask Skann
Objekter skannet: 65468
Tid tilbakelagt: 2 hour(s), 10 minute(s), 32 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 1
Registernøkler infisert: 13
Registerverdier infisert: 1
Registerfiler infisert: 0
Mapper infisert: 6
Filer infisert: 8

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
C:\WINDOWS\system32\__c0046A5.dat (Trojan.Zlob) -> Delete on reboot.

Registernøkler infisert:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0046a5 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.

Registerverdier infisert:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winmgmt (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
C:\Programfiler\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Programfiler\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Programfiler\MyWebSearch\SrchAstt (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Programfiler\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Programfiler\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Programfiler\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Filer infisert:
C:\WINDOWS\system32\wmiprvse.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\__c0046A5.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\__c003DE8E.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c006333A.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00939BC.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00AB540.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00C1704.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Eier\Lokale innstillinger\Temp\_A00F51053.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Combofix log:

ComboFix 08-10-25.01 - HP_Eier 2008-10-26 14:44:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.47.1044.18.1649 [GMT 1:00]
Running from: C:\Documents and Settings\HP_Eier\Skrivebord\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\msnmsgr.exe
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\MSINET.oca
C:\xcrashdump.dat
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-09-26 to 2008-10-26 )))))))))))))))))))))))))))))))
.
2008-10-26 14:40 . 2008-10-26 14:40 <DIR> d-------- C:\WINDOWS\LastGood
2008-10-26 12:23 . 2008-10-26 12:23 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-10-26 12:23 . 2008-10-26 12:23 <DIR> d-------- C:\Documents and Settings\HP_Eier\Programdata\Malwarebytes
2008-10-26 12:23 . 2008-10-26 12:23 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-10-26 12:23 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-26 12:23 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-26 11:53 . 2005-02-25 04:36 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Hitman Pro 3
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Hitman Pro
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> dr------- C:\Documents and Settings\Administrator\Start-meny
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d--h----- C:\Documents and Settings\Administrator\Skrivere
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d-------- C:\Documents and Settings\Administrator\Skrivebord
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> dr-h----- C:\Documents and Settings\Administrator\Siste
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Symantec
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\SampleView
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Apple Computer
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d--h----- C:\Documents and Settings\Administrator\AndrMask
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d-------- C:\_backupD
2008-10-26 11:09 . 2004-08-04 03:56 88,440 -rahs---- C:\WINDOWS\system32\mgrShell.exe
2008-10-26 10:53 . 2004-01-01 20:55 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Intervideo
2008-10-26 10:53 . 2008-10-26 11:35 <DIR> dr-h----- C:\Documents and Settings\Administrator\Programdata
2008-10-26 10:53 . 2008-10-26 11:35 <DIR> dr------- C:\Documents and Settings\Administrator\Mine dokumenter
2008-10-26 10:53 . 2008-10-26 11:27 <DIR> d--h----- C:\Documents and Settings\Administrator\Maler
2008-10-26 10:53 . 2008-10-26 14:48 <DIR> d--h----- C:\Documents and Settings\Administrator\Lokale innstillinger
2008-10-26 10:53 . 2008-10-26 11:27 <DIR> dr------- C:\Documents and Settings\Administrator\Favoritter
2008-10-26 10:53 . 2008-10-26 11:27 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-26 10:49 . 2008-10-26 10:54 850 --a------ C:\Snarvei til HiJackThis.lnk
2008-10-26 09:46 . 2008-10-26 09:46 131,072 --a------ C:\WINDOWS\system32\eventcls32.dll
2008-10-25 23:49 . 2008-10-26 00:00 <DIR> d-------- C:\VundoFix Backups
2008-10-25 23:37 . 2008-10-25 23:37 <DIR> d-------- C:\WINDOWS\system32\regdacl
2008-10-25 23:37 . 2008-10-25 23:37 280,286 --a------ C:\win32delfkil.exe
2008-10-25 23:37 . 2008-10-25 23:37 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2008-10-25 23:37 . 2008-10-25 23:37 53,248 --a------ C:\WINDOWS\system32\process.exe
2008-10-25 23:37 . 2008-10-25 23:37 16,384 --a------ C:\WINDOWS\system32\restart.exe
2008-10-25 23:37 . 2008-10-25 23:37 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2008-10-25 20:28 . 2008-10-25 20:28 <DIR> d-------- C:\Programfiler\Lavasoft
2008-10-25 20:28 . 2008-10-26 11:27 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft
2008-10-25 20:01 . 2008-10-25 20:01 <DIR> d-------- C:\Documents and Settings\HP_Eier\Programdata\Electronic Arts
2008-10-25 17:16 . 2008-10-25 20:08 <DIR> d--hs---- C:\WINDOWS\system32\GroupPolicyManifest
2008-10-25 17:16 . 2008-10-25 17:16 318,464 --ahs---- C:\WINDOWS\system32\3D1.tmp
2008-10-25 17:16 . 2008-10-25 20:07 1,325 --ahs---- C:\WINDOWS\system32\GroupPolicy000.dat
2008-10-25 17:15 . 2008-10-25 17:15 131,072 --a------ C:\WINDOWS\system32\dpcdll32.dll
2008-10-25 17:15 . 2008-10-26 11:35 131,072 --a------ C:\WINDOWS\system32\dpcdll32(4).dll
2008-10-05 21:43 . 2008-10-26 11:34 <DIR> d-------- C:\tftpboot
2008-10-05 21:07 . 2008-10-05 21:07 <DIR> d-------- C:\SD Memory Card.temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-26 10:27 --------- d-----w C:\Programfiler\Help and Support Additions
2008-10-26 10:27 --------- d-----w C:\Documents and Settings\HP_Eier\Programdata\Plus Browse
2008-10-25 22:39 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared
2004-12-18 16:41 4,574,944 ----a-w C:\Programfiler\winamp507_full.exe
2004-12-06 16:30 3,716,232 ----a-w C:\Programfiler\msgplus-setup.exe
2004-08-04 02:56 88,440 --sha-r C:\WINDOWS\system32\mgrShell.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Programfiler\java\jre1.6.0\bin\jusched.exe" [2007-06-16 77824]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Home Theater SchSvr"="C:\Programfiler\Fellesfiler\InterVideo\SchSvr\SchSvr.exe" [2004-07-30 155648]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"ATIPTA"="C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-24 339968]
"CTDVDDET"="C:\Programfiler\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"Creative WebCam Tray"="C:\Programfiler\Creative\Shared Files\CAMTRAY.EXE" [2003-06-26 184320]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-02-12 145408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"StartMS"="C:\Programfiler\Creative\Shared Files\Media Sniffer\StartMS.EXE" [2003-03-26 57344]
"SetDefaultMIDI"="MIDIDEF.EXE" [2003-06-21 C:\WINDOWS\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"PolicyRun"="C:\WINDOWS\System32\spoolsv32.exe" [2004-02-11 38920]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
HP Digital Imaging Monitor.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 241664]
hp psc 2000 Series.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpobnz08.exe [2003-04-06 323646]
hpoddt01.exe.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpotdd01.exe [2003-04-06 28672]
Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Photo Loader supervisory.lnk - C:\Programfiler\CASIO\Photo Loader\Plauto.exe [2006-04-01 229376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\30c0e59a486]
2008-10-25 17:15 131072 C:\WINDOWS\system32\dpcdll32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\dpcdll32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-01-11 10:25 71312 C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-05-10 21:45 286720 C:\Programfiler\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
--a------ 2004-12-06 17:32 169096 C:\Programfiler\Messenger Plus! 3\MsgPlus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
--a------ 2004-11-08 13:45 218240 C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\usrprmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-05-14 11:14 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-04-16 20:45 180269 C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
--a------ 2004-02-02 09:03 70760 C:\Programfiler\Norton Internet Security\URLLSTCK.EXE

R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\System32\DRIVERS\Cap7134.sys [2004-06-23 334432]
R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\System32\DRIVERS\PhTVTune.sys [2004-05-27 24608]
R3 PRISM_A00;Intersil PRISM 802.11a/g Driver;C:\WINDOWS\System32\DRIVERS\PCTELSAP.SYS [2004-01-30 350282]
S3 cxbu0wdm;CardMan 3x21;C:\WINDOWS\System32\DRIVERS\cxbu0wdm.sys [2006-07-11 84608]
S3 P1120VID;Creative WebCam NX Ultra;C:\WINDOWS\System32\DRIVERS\P1120Vid.sys [2003-09-19 759050]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-26 C:\WINDOWS\Tasks\AE00B2DE91832382.job
- c:\docume~1\mamma\progra~1\plusbr~1\admin the bold.exe []

2008-10-26 C:\WINDOWS\Tasks\B629F8B5917A6301.job
- c:\docume~1\hp_eier\progra~1\plusbr~1\admin the bold.exe []

2005-03-28 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1101728463.job
- C:\Programfiler\HP\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2008-08-15 C:\WINDOWS\Tasks\Norton AntiVirus - Søk på min datamaskin.job
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe [2003-12-10 14:02]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-VTTimer - VTTimer.exe
MSConfigStartUp-Boneamenbinddata - C:\Documents and Settings\All Users\Programdata\Greatopenboneamen\Program Knob.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,Default_Search_URL = hxxp://search.msn.com
O8 -: E&ksporter til Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
O9 -: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-26 14:53:02
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\dpcdll32.dll
-> C:\WINDOWS\system32\Ati2evxx.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\System32\dpcdll32.dll
.
Completion time: 2008-10-26 14:54:27
ComboFix-quarantined-files.txt 2008-10-26 13:54:16

Pre-Run: 312,153,788,416 byte ledig
Post-Run: 313,008,488,448 byte ledig

170 --- E O F --- 2008-10-26 10:53:49

Hope someone can spot something wrong here and help me :) I'll take any advice, since I'm definitely no computer expert myself :)
norbat wrote on 26 October 2008:

Uninstall, if possible, from Add/Remove Programs: Messenger Plus!

Open Notepad, copy and paste what is in bold below, and save the file to the desktop with the name CFScript.txt. Drag and drop the file onto the Combofix icon. Combofix will start again.

File::
C:\WINDOWS\Tasks\AE00B2DE91832382.job
C:\WINDOWS\Tasks\B629F8B5917A6301.job

Folder::
C:\VundoFix Backups

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"PolicyRun"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\30c0e59a486]

Post a new combofix log. Do NOT put the log between code tags, as that makes the log hard to read.
mittsy (thread author) wrote on 26 October 2008:

I got Messenger Plus! uninstalled. Then I created a text document as you said and started Combofix again... So here is the new log from Combofix, without code tags.

Combofix log:

ComboFix 08-10-25.01 - HP_Eier 2008-10-26 17:28:14.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.47.1044.18.1646 [GMT 1:00]
Running from: C:\Documents and Settings\HP_Eier\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Eier\Skrivebord\CFScript.txt.txt
 * Created a new restore point

FILE ::
C:\WINDOWS\Tasks\AE00B2DE91832382.job
C:\WINDOWS\Tasks\B629F8B5917A6301.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\WINDOWS\Tasks\AE00B2DE91832382.job
C:\WINDOWS\Tasks\B629F8B5917A6301.job
G:\Autorun.inf
G:\RECYCLER\DC8E5CE8.db
G:\RECYCLER\desktop.exe
G:\RECYCLER\desktop.ini
.
((((((((((((((((((((((((( Files Created from 2008-09-26 to 2008-10-26 )))))))))))))))))))))))))))))))
.
2008-10-26 12:23 . 2008-10-26 12:23 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-10-26 12:23 . 2008-10-26 12:23 <DIR> d-------- C:\Documents and Settings\HP_Eier\Programdata\Malwarebytes
2008-10-26 12:23 . 2008-10-26 12:23 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-10-26 12:23 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-26 12:23 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-26 11:53 . 2005-02-25 04:36 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Hitman Pro 3
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Hitman Pro
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> dr------- C:\Documents and Settings\Administrator\Start-meny
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d--h----- C:\Documents and Settings\Administrator\Skrivere
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d-------- C:\Documents and Settings\Administrator\Skrivebord
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> dr-h----- C:\Documents and Settings\Administrator\Siste
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Symantec
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\SampleView
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Apple Computer
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d--h----- C:\Documents and Settings\Administrator\AndrMask
2008-10-26 11:35 . 2008-10-26 11:35 <DIR> d-------- C:\_backupD
2008-10-26 11:09 . 2004-08-04 03:56 88,440 -rahs---- C:\WINDOWS\system32\mgrShell.exe
2008-10-26 10:53 . 2004-01-01 20:55 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Intervideo
2008-10-26 10:53 . 2008-10-26 11:35 <DIR> dr-h----- C:\Documents and Settings\Administrator\Programdata
2008-10-26 10:53 . 2008-10-26 11:35 <DIR> dr------- C:\Documents and Settings\Administrator\Mine dokumenter
2008-10-26 10:53 . 2008-10-26 11:27 <DIR> d--h----- C:\Documents and Settings\Administrator\Maler
2008-10-26 10:53 . 2008-10-26 17:32 <DIR> d--h----- C:\Documents and Settings\Administrator\Lokale innstillinger
2008-10-26 10:53 . 2008-10-26 11:27 <DIR> dr------- C:\Documents and Settings\Administrator\Favoritter
2008-10-26 10:53 . 2008-10-26 11:27 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-26 10:49 . 2008-10-26 10:54 850 --a------ C:\Snarvei til HiJackThis.lnk
2008-10-26 09:46 . 2008-10-26 09:46 131,072 --a------ C:\WINDOWS\system32\eventcls32.dll
2008-10-25 23:37 . 2008-10-25 23:37 <DIR> d-------- C:\WINDOWS\system32\regdacl
2008-10-25 23:37 . 2008-10-25 23:37 280,286 --a------ C:\win32delfkil.exe
2008-10-25 23:37 . 2008-10-25 23:37 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2008-10-25 23:37 . 2008-10-25 23:37 53,248 --a------ C:\WINDOWS\system32\process.exe
2008-10-25 23:37 . 2008-10-25 23:37 16,384 --a------ C:\WINDOWS\system32\restart.exe
2008-10-25 23:37 . 2008-10-25 23:37 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2008-10-25 20:28 . 2008-10-25 20:28 <DIR> d-------- C:\Programfiler\Lavasoft
2008-10-25 20:28 . 2008-10-26 11:27 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft
2008-10-25 20:01 . 2008-10-25 20:01 <DIR> d-------- C:\Documents and Settings\HP_Eier\Programdata\Electronic Arts
2008-10-25 17:16 . 2008-10-25 20:08 <DIR> d--hs---- C:\WINDOWS\system32\GroupPolicyManifest
2008-10-25 17:16 . 2008-10-25 17:16 318,464 --ahs---- C:\WINDOWS\system32\3D1.tmp
2008-10-25 17:16 . 2008-10-25 20:07 1,325 --ahs---- C:\WINDOWS\system32\GroupPolicy000.dat
2008-10-25 17:15 . 2008-10-25 17:15 131,072 --a------ C:\WINDOWS\system32\dpcdll32.dll
2008-10-25 17:15 . 2008-10-26 11:35 131,072 --a------ C:\WINDOWS\system32\dpcdll32(4).dll
2008-10-05 21:43 . 2008-10-26 11:34 <DIR> d-------- C:\tftpboot
2008-10-05 21:07 . 2008-10-05 21:07 <DIR> d-------- C:\SD Memory Card.temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-26 10:27 --------- d-----w C:\Programfiler\Help and Support Additions
2008-10-26 10:27 --------- d-----w C:\Documents and Settings\HP_Eier\Programdata\Plus Browse
2008-10-25 22:39 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared
2004-12-18 16:41 4,574,944 ----a-w C:\Programfiler\winamp507_full.exe
2004-12-06 16:30 3,716,232 ----a-w C:\Programfiler\msgplus-setup.exe
2004-08-04 02:56 88,440 --sha-r C:\WINDOWS\system32\mgrShell.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Programfiler\java\jre1.6.0\bin\jusched.exe" [2007-06-16 77824]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Home Theater SchSvr"="C:\Programfiler\Fellesfiler\InterVideo\SchSvr\SchSvr.exe" [2004-07-30 155648]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"ATIPTA"="C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-24 339968]
"CTDVDDET"="C:\Programfiler\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"Creative WebCam Tray"="C:\Programfiler\Creative\Shared Files\CAMTRAY.EXE" [2003-06-26 184320]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-02-12 145408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"StartMS"="C:\Programfiler\Creative\Shared Files\Media Sniffer\StartMS.EXE" [2003-03-26 57344]
"SetDefaultMIDI"="MIDIDEF.EXE" [2003-06-21 C:\WINDOWS\MIDIDEF.EXE]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
HP Digital Imaging Monitor.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-29 241664]
hp psc 2000 Series.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpobnz08.exe [2003-04-06 323646]
hpoddt01.exe.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpotdd01.exe [2003-04-06 28672]
Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Photo Loader supervisory.lnk - C:\Programfiler\CASIO\Photo Loader\Plauto.exe [2006-04-01 229376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\30c0e59a486]
2008-10-25 17:15 131072 C:\WINDOWS\system32\dpcdll32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\dpcdll32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-01-11 10:25 71312 C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-05-10 21:45 286720 C:\Programfiler\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
--a------ 2004-11-08 13:45 218240 C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\usrprmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-05-14 11:14 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-04-16 20:45 180269 C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
--a------ 2004-02-02 09:03 70760 C:\Programfiler\Norton Internet Security\URLLSTCK.EXE

R3 Cap7134;ASUS TV7134 WDM Video Capture;C:\WINDOWS\System32\DRIVERS\Cap7134.sys [2004-06-23 334432]
R3 PhTVTune;ASUS WDM TV Tuner;C:\WINDOWS\System32\DRIVERS\PhTVTune.sys [2004-05-27 24608]
R3 PRISM_A00;Intersil PRISM 802.11a/g Driver;C:\WINDOWS\System32\DRIVERS\PCTELSAP.SYS [2004-01-30 350282]
S3 cxbu0wdm;CardMan 3x21;C:\WINDOWS\System32\DRIVERS\cxbu0wdm.sys [2006-07-11 84608]
S3 P1120VID;Creative WebCam NX Ultra;C:\WINDOWS\System32\DRIVERS\P1120Vid.sys [2003-09-19 759050]
.
Contents of the 'Scheduled Tasks' folder

2005-03-28 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1101728463.job
- C:\Programfiler\HP\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]

2008-08-15 C:\WINDOWS\Tasks\Norton AntiVirus - Søk på min datamaskin.job
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe [2003-12-10 14:02]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-MessengerPlus3 - C:\Programfiler\Messenger Plus! 3\MsgPlus.exe

**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-26 17:32:49
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\dpcdll32.dll
-> C:\WINDOWS\system32\Ati2evxx.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\System32\dpcdll32.dll
.
Completion time: 2008-10-26 17:34:34
ComboFix-quarantined-files.txt 2008-10-26 16:34:15
ComboFix2.txt 2008-10-26 15:18:42
ComboFix3.txt 2008-10-26 13:54:28

Pre-Run: 313,070,899,200 byte ledig
Post-Run: 313,051,734,016 byte ledig

158 --- E O F --- 2008-10-26 10:53:49
norbat wrote on 26 October 2008:

Go to the VirusTotal website and upload the following file for checking:
C:\WINDOWS\system32\reboot.exe

Open Notepad again, copy and paste what is in bold below, and save the file to the desktop with the name CFScript.txt. Drag and drop the file onto the Combofix icon. Combofix will start again.

File::
C:\WINDOWS\system32\dpcdll32.dll
C:\WINDOWS\system32\dpcdll32(4).dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\30c0e59a486]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

FileLook::
C:\WINDOWS\system32\regdacl.exe

DirLook::
C:\WINDOWS\system32\GroupPolicyManifest
C:\tftpboot
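The entries norbat singles out in the two CFScripts above (the Policies\Explorer\Run value, the Winlogon\Notify package, the AppInit_DLLs entry and the hex-named scheduled tasks) are the usual persistence points a helper scans for first in a ComboFix log. The Python below is an added example, not part of the thread and not ComboFix's own code: it walks the "Reg Loading Points" and "Scheduled Tasks" sections of a log and lists the entries sitting in those locations. The sample log text is constructed to follow the layout of the logs posted in this thread; the watched-key list and the "random hex job name" heuristic are the example's own assumptions, not ComboFix rules.

```python
import re

# Constructed sample in the layout ComboFix uses for its "Reg Loading Points"
# and "Scheduled Tasks" sections. The entries mirror the ones posted in this
# thread; the Java and HP lines are benign and are there to show they pass.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Programfiler\java\jre1.6.0\bin\jusched.exe" [2007-06-16 77824]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"PolicyRun"="C:\WINDOWS\System32\spoolsv32.exe" [2004-02-11 38920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\30c0e59a486]
2008-10-25 17:15 131072 C:\WINDOWS\system32\dpcdll32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\dpcdll32.dll

Contents of the 'Scheduled Tasks' folder

2008-10-26 C:\WINDOWS\Tasks\AE00B2DE91832382.job
- c:\docume~1\mamma\progra~1\plusbr~1\admin the bold.exe []

2005-03-28 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1101728463.job
- C:\Programfiler\HP\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]
"""

# Autostart locations seldom written by ordinary installers but favoured by
# loaders such as Vundo. Patterns are matched against the lower-cased key.
# This list is the example's own heuristic, not a ComboFix rule set.
WATCHED_KEYS = [
    (r"\\winlogon\\notify\\", "Winlogon Notify package: DLL loaded into winlogon.exe at logon"),
    (r"\\currentversion\\windows$", "AppInit_DLLs: DLL loaded into every process that loads user32.dll"),
    (r"\\policies\\explorer\\run$", "Policies\\Explorer\\Run: autostart key seldom used by legitimate software"),
]

KEY_HEADER = re.compile(r"^\[(HKEY_[^\]]+)\]$")
TASK_HEADER = re.compile(r"^\d{4}-\d{2}-\d{2} (C:\\WINDOWS\\Tasks\\.+\.job)$", re.IGNORECASE)
HEX_JOB_NAME = re.compile(r"^[0-9A-F]{8,}\.job$", re.IGNORECASE)
# First drive-letter path in a value line, ending at a quote, a " [" or end of line.
PATH = re.compile(r'([A-Za-z]:\\[^"\[\]]*?)(?:"|\s*\[|$)')
# Lines that end a registry or task block in ComboFix's layout.
SECTION_BREAK = (".", "(", "Contents of", "- - -", "---", "***", "REGEDIT4", "*Note*")


def watched_reason(key):
    """Return why a registry key is watched, or None if it is not."""
    lowered = key.lower()
    for pattern, reason in WATCHED_KEYS:
        if re.search(pattern, lowered):
            return reason
    return None


def extract_path(line):
    """Return the first Windows path in a ComboFix value line, or None."""
    match = PATH.search(line)
    return match.group(1).strip() if match else None


def triage(log_text):
    """Walk a ComboFix log and collect entries sitting in watched autostart
    locations, plus scheduled tasks whose job name is just a hex string."""
    findings = []
    current_key = None   # registry key whose value lines we are reading
    current_task = None  # .job file whose target line comes next
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SECTION_BREAK):
            current_key = current_task = None
            continue
        key = KEY_HEADER.match(line)
        if key:
            current_key, current_task = key.group(1), None
            continue
        task = TASK_HEADER.match(line)
        if task:
            current_task, current_key = task.group(1), None
            continue
        if current_key is not None:
            reason = watched_reason(current_key)
            if reason:
                findings.append({"location": current_key,
                                 "target": extract_path(line),
                                 "reason": reason})
        elif current_task is not None and line.startswith("- "):
            job_name = current_task.rsplit("\\", 1)[-1]
            if HEX_JOB_NAME.match(job_name):
                findings.append({"location": current_task,
                                 "target": extract_path(line),
                                 "reason": "scheduled task with a random-looking hex name"})
            current_task = None
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}\n    {f['location']}\n    -> {f['target']}")
```

Run against the sample it reports four entries: the PolicyRun value, the Winlogon Notify DLL, the AppInit_DLLs entry and the AE00B2DE91832382.job task, while the Java, HP and Norton lines pass. The output is only a shortlist for a human to look at; the thread itself shows the next step, which is checking each file (VirusTotal) before anything is removed.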
mittsy (thread author) wrote on 26 October 2008:

I ran Virustotal and uploaded the file you gave me for checking... After that I made the text document and dropped it onto Combofix again... The machine restarted and now it just says that Combofix is creating the log report and that I must not open any other programs before Combofix is finished, but nothing happens... Have I done something wrong..?
mittsy (thread author) wrote on 26 October 2008:

Now the log came up. It was enormously long, but now it looks like it's fixed :!: Hope it stays that way now :) It also stopped for a couple of minutes the last time I ran Combofix, but then explorer started restarting again... But thank you so much for all the help and for taking the time to answer :) I'll probably look in here again if it starts up again ;) Thanks a million again :)
norbat wrote on 26 October 2008:

Did Virustotal find anything on the file? I want to see the combofix log. If it is long, you can attach the combofix.txt file as an attachment.
mittsy (thread author) wrote on 26 October 2008:

Attaching both logs, from combofix and from virustotal...

combofix_siste_logg.txt
Virustotal.txt
norbat wrote on 26 October 2008:

Then we'll finish with this: Create a new cfscript file with the following content. Same procedure as last time:

File::
C:\WINDOWS\system32\eventcls32.dll
C:\win32delfkil.exe
C:\WINDOWS\system32\regdacl.exe
C:\WINDOWS\system32\process.exe
C:\WINDOWS\system32\restart.exe
C:\WINDOWS\system32\reboot.exe
C:\WINDOWS\system32\3D1.tmp
C:\WINDOWS\system32\GroupPolicy000.dat
C:\WINDOWS\system32\mgrShell.exe

Folder::
C:\WINDOWS\system32\regdacl
C:\WINDOWS\system32\GroupPolicyManifest

No more logs needed. Tell me how the PC runs.
mittsy (thread author) wrote on 27 October 2008:

Hi again! I did the last things you wanted me to do, and now the PC runs brilliantly :) Thanks a lot for the help! You're an angel for taking the time :)
r2d290 wrote on 27 October 2008:

You should update Java

It is important to use the latest version of Java, since earlier versions can contain security holes that increase the likelihood of you being infected again. It looks like your version of Java is outdated.

Updating Java:
1. Click the following link and download the latest version of Java: http://java.com/en/download/index.jsp
2. Go to Start > Control Panel > Add/Remove Programs.
3. Search the list for all earlier versions of Java (JRE, J2SE Runtime, J2RE, etc.). All of these versions should have this image in front of them: [image]. Select all you find and click Remove.
4. Then install the Java version you downloaded at the start.

Tell me how the update went.

Combofix must be uninstalled.
Go to Start > Run
Type the following in the box: combofix /u
PS: note the space between x and /u
Press Enter.

This command will:
- Remove the following: ComboFix and its associated files and folders; VundoFix backups, if they exist; the folder C:\Deckard, if it exists; the folder C:\OtMoveIt, if it exists.
- Reset the clock settings.
- Hide file extensions, if necessary.
- Hide system/hidden files and folders, if necessary.
- Reset the System Restore points.

If you think the problem with your machine is solved, you can change your topic title by clicking [image] in your first post and choosing full edit. At the top, where your topic title is, write [LØST] (solved) in front of your topic title. Example: [LØST] Got a virus on my machine

This helps keep the forum tidier for the supporters, and new people who get the same problem will more easily find a suitable thread to look in.

-Surf safely-