morgan_kane Skrevet 19. september 2009 Del Skrevet 19. september 2009 (endret) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:38:05, on 19.09.2009 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v8.00 (8.00.6001.18813) Boot mode: Normal Running processes: C:\Program Files\Softricity\SoftGrid for Windows Desktops\sftdcc.exe C:\Windows\system32\Dwm.exe C:\Windows\system32\taskeng.exe C:\Windows\Explorer.EXE C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\PDF Complete\pdfsty.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe C:\Windows\System32\WDBtnMgr.exe C:\Program Files\Creative\SBLive 24-Bit External\Volume Panel\VolPanlu.exe C:\Windows\System32\rundll32.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Hp\HP Software Update\hpwuschd2.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\DAEMON Tools Lite\daemon.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe C:\Program Files\Windows Live\Contacts\wlcomm.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\system32\SearchFilterHost.exe C:\Users\Jan-Robin\Desktop\lol\lol.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,"C:\Program Files\Softricity\SoftGrid for Windows Desktops\sftdcc.exe" O1 - Hosts: ::1 localhost O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: (no name) - {AE48B4E7-002B-4891-8E26-ED5E888FAE7D} - (no file) O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [softGridTray] C:\Program Files\Softricity\SoftGrid for Windows Desktops\SFTTray.exe /autostart O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start O4 - HKLM\..\Run: [iFXSPMGT] C:\Windows\system32\ifxspmgt.exe /NotifyLogon O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe" O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\SBLive 24-Bit External\Volume Panel\VolPanlu.exe" /r O4 - HKLM\..\Run: [Creative SB Monitoring Utility] RunDll32 sbavmon.dll,SBAVMonitor O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKCU\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE') O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETTVERKSTJENESTE') O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Send bilde til &Bluetooth-enhet... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Send side til &Bluetooth-enhet... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O10 - Unknown file in Winsock LSP: c:\windows\system32\wsck32.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\wsck32.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\wsck32.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\wsck32.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\wsck32.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\wsck32.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\wsck32.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\wsck32.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\wsck32.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\wsck32.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\wsck32.dll O13 - Gopher Prefix: O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = skole.troms.vgs.no O17 - HKLM\Software\..\Telephony: DomainName = skole.troms.vgs.no O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = skole.troms.vgs.no O20 - AppInit_DLLs: cwAgent.dll,APSHook.dll O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe O23 - Service: cwBCClient (BC-Agent) - Codework Limited - C:\Windows\system32\cwClient.exe O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\Windows\system32\ifxspmgt.exe O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\Windows\system32\ifxtcs.exe O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe O23 - Service: Personal Secure Drive service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Windows\system32\IfxPsdSv.exe O23 - Service: SoftGrid Client (sftlist) - Softricity, Inc. - C:\Program Files\Softricity\SoftGrid for Windows Desktops\sftlist.exe O23 - Service: SoftGrid Virtual Service Agent (sftvsa) - Softricity, Inc. - C:\Program Files\Softricity\SoftGrid for Windows Desktops\sftvsa.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe O23 - Service: SWIHPWMI - Sierra Wireless Inc. - C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe -- End of file - 11835 bytes er merkelig nok bare på skolebrukern min det skjer. får først opp at en ip skjule side er blokket og så kommer det mange ip etter fulgt av search i linken. kan noen hjelp meg? fikk conficker en dag men microsoft sitt verktøy for skadelig programvare fjernet det. legger ved et bilde av deler av trend micro scan sine logg av besøkene til disse ipene. Endret 19. september 2009 av morgan_kane Lenke til kommentar
Morten58 Skrevet 23. september 2009 Del Skrevet 23. september 2009 Det er mulig at rester etter Browse Control kan være årsaken? Jeg fant bare noen FÅ rester, men jeg kjenner heller ikke til hvilke filer det bruker. Ukjente filer i WinSock kan også være en del av årsaken. Fra HJT-logg: O2 - BHO: (no name) - {AE48B4E7-002B-4891-8E26-ED5E888FAE7D} - (no file) O20 - AppInit_DLLs: cwAgent.dll,APSHook.dll og 11 tilfeller av disse etter hverandre: O10 - Unknown file in Winsock LSP: c:\windows\system32\wsck32.dll Jeg tror disse også har sammenheng med problemet. Disse skal ikke fikses ifølge HJT. ------ Fra en annen HJT-logg jeg fant på nettet: C:\WINDOWS\system32\cwClient.exe O2 - BHO: Track.Trace - {AE48B4E7-002B-4891-8E26-ED5E888FAE7D} - C:\WINDOWS\system32\cwBCTrace.dll O20 - AppInit_DLLs: cwAgent.dll O23 - Service: cwBCClient (BC-Agent) - Codework Limited - C:\WINDOWS\system32\cwClient.exe og 6 av disse etter hverandre: O10 - Unknown file in Winsock LSP: c:\windows\system32\wsck32.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\wsck32.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\wsck32.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\wsck32.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\wsck32.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\wsck32.dll ------ Browse Control Programmet blir installert av skoler såvidt jeg kunne skjønne, og skal hindre ulovlig nettadgang. Jeg kjenner temmelig dårlig både til skole-PCer og dette programmet. Jeg slenger inn en link til FreakForum.nu - siden den inneholder beskrivelse av hvilke filer som hørte til programmet. ------ Jeg sjekker vanligvis ikke logger, så dette er bare en slags antydning om hva jeg TROR kan være årsak her. Du bør helst få svar fra noen av de som spesialiserer seg på malware også. Forslaget mitt er egentlig å reinstallere dette programmet eller bare gjenopprette filene (få ting til å virke igjen). Om du ønsker å fjerne det har du litt bedre oversikt neste gang. Lenke til kommentar
morgan_kane Skrevet 24. september 2009 Forfatter Del Skrevet 24. september 2009 prøvde å google litt rundt en av de linkene PCen prøver å besøke og det var noe conficker download opplegg... Lenke til kommentar
norbat Skrevet 24. september 2009 Del Skrevet 24. september 2009 Last ned Combofix og post loggen den lager (link i veiledningen) Lenke til kommentar
Anbefalte innlegg
Opprett en konto eller logg inn for å kommentere
Du må være et medlem for å kunne skrive en kommentar
Opprett konto
Det er enkelt å melde seg inn for å starte en ny konto!
Start en kontoLogg inn
Har du allerede en konto? Logg inn her.
Logg inn nå