Programvare Skrevet 4. oktober 2009 Del Skrevet 4. oktober 2009 (endret) Heihei. Har fått på meg noen infeksjoner som ikke vil vekk, selv om jeg har prøvd mbam mange ganger og hijackthis attpåtil. Virker som om det er noen som jeg nesten greier å fjerne men som dukker opp igjen relativt fort. Første runde: HJT: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:21:29, on 04.10.2009 Platform: Unknown Windows (WinNT 6.01.3004) MSIE: Internet Explorer v8.00 (8.00.7100.0000) Boot mode: Normal Running processes: C:\Windows\system32\taskhost.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\PowerMenu\PowerMenu.exe C:\Windows\system32\wuauclt.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\MediaMonkey\MediaMonkey.exe C:\Program Files\Opera\opera.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Windows\system32\DllHost.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin O4 - HKLM\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\system32\msxm192z.dll,w O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE') O4 - Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL O13 - Gopher Prefix: O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\Windows\system32\ASTSRV.EXE O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: fastnetsrv Service (fastnetsrv) - Sigma Designs In - C:\Windows\system32\FastNetSrv.exe O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: SecureSrv - My Privacy Tools, Inc. - C:\Program Files\Hide My IP 2009\SecureSrv.exe O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe -- End of file - 4366 bytes Mbam før fjerning. Malwarebytes' Anti-Malware 1.41 Databaseversjon: 2903 Windows 6.1.7100 04.10.2009 10:46:11 mbam-log-2009-10-04 (10-46-05).txt Skanntype: Rask Skann Objekter skannet: 87702 Tid tilbakelagt: 4 minute(s), 40 second(s) Minneprosesser infisert: 1 Minnemoduler infisert: 2 Registernøkler infisert: 3 Registerverdier infisert: 12 Registerfiler infisert: 0 Mapper infisert: 1 Filer infisert: 10 Minneprosesser infisert: C:\Windows\System32\lsm32.sys (Backdoor.Bot) -> No action taken. Minnemoduler infisert: C:\Windows\System32\BtwSrv.dll (Trojan.Agent) -> No action taken. C:\Windows\System32\msxm192z.dll (Trojan.Agent) -> No action taken. Registernøkler infisert: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\btwsrv (Trojan.Agent) -> No action taken. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Agent) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> No action taken. Registerverdier infisert: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures (Malware.Trace) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ter8m (Trojan.Agent) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> No action taken. Registerfiler infisert: (Ingen mistenkelige filer funnet) Mapper infisert: C:\Program Files\Protection System (Rogue.ProtectionSystem) -> No action taken. Filer infisert: C:\Windows\System32\BtwSrv.dll (Trojan.Agent) -> No action taken. C:\Windows\System32\lsm32.sys (Backdoor.Bot) -> No action taken. C:\Windows\Temp\VRT38BB.tmp (Rogue.Installer) -> No action taken. C:\Windows\Temp\VRT38CC.tmp (Rogue.Installer) -> No action taken. C:\Windows\Temp\VRT6BBC.tmp (Trojan.Downloader) -> No action taken. C:\Windows\Temp\VRT970C.tmp (Malware.Tool) -> No action taken. C:\Windows\Temp\VRTFB5E.tmp (Malware.Tool) -> No action taken. C:\Windows\SC.INS (Rogue.Installer) -> No action taken. C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> No action taken. C:\Windows\System32\msxm192z.dll (Trojan.Agent) -> No action taken. Mbam etter fjerning Malwarebytes' Anti-Malware 1.41 Databaseversjon: 2903 Windows 6.1.7100 04.10.2009 10:48:21 mbam-log-2009-10-04 (10-48-21).txt Skanntype: Rask Skann Objekter skannet: 87702 Tid tilbakelagt: 4 minute(s), 40 second(s) Minneprosesser infisert: 1 Minnemoduler infisert: 2 Registernøkler infisert: 3 Registerverdier infisert: 12 Registerfiler infisert: 0 Mapper infisert: 1 Filer infisert: 10 Minneprosesser infisert: C:\Windows\System32\lsm32.sys (Backdoor.Bot) -> Unloaded process successfully. Minnemoduler infisert: C:\Windows\System32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot. C:\Windows\System32\msxm192z.dll (Trojan.Agent) -> Delete on reboot. Registernøkler infisert: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully. Registerverdier infisert: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ter8m (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> Quarantined and deleted successfully. Registerfiler infisert: (Ingen mistenkelige filer funnet) Mapper infisert: C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully. Filer infisert: C:\Windows\System32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot. C:\Windows\System32\lsm32.sys (Backdoor.Bot) -> Delete on reboot. C:\Windows\Temp\VRT38BB.tmp (Rogue.Installer) -> Quarantined and deleted successfully. C:\Windows\Temp\VRT38CC.tmp (Rogue.Installer) -> Quarantined and deleted successfully. C:\Windows\Temp\VRT6BBC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Windows\Temp\VRT970C.tmp (Malware.Tool) -> Quarantined and deleted successfully. C:\Windows\Temp\VRTFB5E.tmp (Malware.Tool) -> Quarantined and deleted successfully. C:\Windows\SC.INS (Rogue.Installer) -> Quarantined and deleted successfully. C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully. C:\Windows\System32\msxm192z.dll (Trojan.Agent) -> Delete on reboot. Andre runde: HJT: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:55:19, on 04.10.2009 Platform: Unknown Windows (WinNT 6.01.3004) MSIE: Internet Explorer v8.00 (8.00.7100.0000) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Windows\system32\taskhost.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\PowerMenu\PowerMenu.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\Opera\opera.exe C:\Program Files\MediaMonkey\MediaMonkey.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Windows\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE') O4 - Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL O13 - Gopher Prefix: O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\Windows\system32\ASTSRV.EXE O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: fastnetsrv Service (fastnetsrv) - Sigma Designs In - C:\Windows\system32\FastNetSrv.exe O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: SecureSrv - My Privacy Tools, Inc. - C:\Program Files\Hide My IP 2009\SecureSrv.exe O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe -- End of file - 4312 bytes Mbam før fjerning: Malwarebytes' Anti-Malware 1.41 Databaseversjon: 2904 Windows 6.1.7100 04.10.2009 10:59:57 mbam-log-2009-10-04 (10-59-54).txt Skanntype: Rask Skann Objekter skannet: 87580 Tid tilbakelagt: 5 minute(s), 14 second(s) Minneprosesser infisert: 1 Minnemoduler infisert: 1 Registernøkler infisert: 2 Registerverdier infisert: 8 Registerfiler infisert: 0 Mapper infisert: 0 Filer infisert: 4 Minneprosesser infisert: C:\Windows\System32\lsm32.sys (Backdoor.Bot) -> No action taken. Minnemoduler infisert: C:\Windows\System32\BtwSrv.dll (Trojan.Agent) -> No action taken. Registernøkler infisert: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\btwsrv (Trojan.Agent) -> No action taken. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Agent) -> No action taken. Registerverdier infisert: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> No action taken. Registerfiler infisert: (Ingen mistenkelige filer funnet) Mapper infisert: (Ingen mistenkelige filer funnet) Filer infisert: C:\Windows\System32\BtwSrv.dll (Trojan.Agent) -> No action taken. C:\Windows\System32\lsm32.sys (Backdoor.Bot) -> No action taken. C:\Windows\Temp\txpxr_618946307034.b1k (Trojan.Agent) -> No action taken. C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> No action taken. Mbam etter fjerning: Malwarebytes' Anti-Malware 1.41 Databaseversjon: 2904 Windows 6.1.7100 04.10.2009 11:00:28 mbam-log-2009-10-04 (11-00-28).txt Skanntype: Rask Skann Objekter skannet: 87580 Tid tilbakelagt: 5 minute(s), 14 second(s) Minneprosesser infisert: 1 Minnemoduler infisert: 1 Registernøkler infisert: 2 Registerverdier infisert: 8 Registerfiler infisert: 0 Mapper infisert: 0 Filer infisert: 4 Minneprosesser infisert: C:\Windows\System32\lsm32.sys (Backdoor.Bot) -> Unloaded process successfully. Minnemoduler infisert: C:\Windows\System32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot. Registernøkler infisert: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully. Registerverdier infisert: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> Quarantined and deleted successfully. Registerfiler infisert: (Ingen mistenkelige filer funnet) Mapper infisert: (Ingen mistenkelige filer funnet) Filer infisert: C:\Windows\System32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot. C:\Windows\System32\lsm32.sys (Backdoor.Bot) -> Delete on reboot. C:\Windows\Temp\txpxr_618946307034.b1k (Trojan.Agent) -> Quarantined and deleted successfully. C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully. Og helt til slutt etter reboot nr. 2, en HJT-logg, så har dere noe å gå på. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:04:13, on 04.10.2009 Platform: Unknown Windows (WinNT 6.01.3004) MSIE: Internet Explorer v8.00 (8.00.7100.0000) Boot mode: Normal Running processes: C:\Windows\system32\taskhost.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\PowerMenu\PowerMenu.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Program Files\Opera\opera.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE') O4 - Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL O13 - Gopher Prefix: O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\Windows\system32\ASTSRV.EXE O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: fastnetsrv Service (fastnetsrv) - Sigma Designs In - C:\Windows\system32\FastNetSrv.exe O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: SecureSrv - My Privacy Tools, Inc. - C:\Program Files\Hide My IP 2009\SecureSrv.exe O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe -- End of file - 4179 bytes Endret 4. oktober 2009 av Programvare Lenke til kommentar
Atiks Skrevet 4. oktober 2009 Del Skrevet 4. oktober 2009 Skannet du med hjt før mbam? Hvis du gjorde det last opp en ny hjt logg. Lenke til kommentar
Programvare Skrevet 4. oktober 2009 Forfatter Del Skrevet 4. oktober 2009 SAS gir blåskjerm i windows 7. Hvert fall i RC-verjsonen. Lenke til kommentar
Atiks Skrevet 4. oktober 2009 Del Skrevet 4. oktober 2009 (endret) . Endret 4. oktober 2009 av snippern Lenke til kommentar
Programvare Skrevet 4. oktober 2009 Forfatter Del Skrevet 4. oktober 2009 Jeg blir borte et par timer nå, men kommer tilbake etterpå. Lenke til kommentar
Atiks Skrevet 4. oktober 2009 Del Skrevet 4. oktober 2009 (endret) Last ned Dr.web og ta en skann med den. Jeg logger av så vis jeg ikke er på da du kommer tilbake kan noen andre ta over. Endret 4. oktober 2009 av snippern Lenke til kommentar
snippsat Skrevet 4. oktober 2009 Del Skrevet 4. oktober 2009 (endret) Hijackthis loggen ser bra. Virker pcen greit nå? Du kan godt kjøre dr.web,da kjører som dette. Last ned DrWeb og legg det på skrivebordet. Restart i Sikker modus (trykkk flere gange på F8 under oppstart) Ikke adminstrator men normal. Kjør drweb-cureit.exe (si ja til å kjøre en express scan) Når dette er ferdig klikker du på Option -> Change settings. Under fanearket Scan, fjerner du haken ved Heuristic analysis. Under fanearket Actions, skal alle punkt under Malware settes til Rename. Velg partisjon du vil scanne og klikk deretter på den grønne pilen for å starte scanningen. Velg "yes to all" når det finner noe for første gang. Når scanningen er ferdig, gå til "file" – Trykk på- "Save Report list". En fil med navn "drweb.csv" vil da ligge på skrivebordet. Den poster du senere Endret 4. oktober 2009 av SNIPPSAT Lenke til kommentar
Programvare Skrevet 4. oktober 2009 Forfatter Del Skrevet 4. oktober 2009 Pc-en fungerer helt greit, når jeg kjører noen runder med mbam, så tar det en dag eller to så er det proppfullt av pornolinker på desktop og av og til går pc-en helt i stå og må manuelt rebootes. Virker som om det er noen som liksom ikke vil helt vekk. Skal prøve drweb, men har hatt veldig mye problemer med å faktiks boote i safemode, så er ikke sikkert det fungerer. Lenke til kommentar
Anbefalte innlegg
Opprett en konto eller logg inn for å kommentere
Du må være et medlem for å kunne skrive en kommentar
Opprett konto
Det er enkelt å melde seg inn for å starte en ny konto!
Start en kontoLogg inn
Har du allerede en konto? Logg inn her.
Logg inn nå