Abnorm, posted 3 August 2006 (edited)

I have never been bothered by viruses before, but lately there has been a lot of it. I have had help from you here on the forum before and it worked, but now it is on again. This time an icon is flashing in the lower right corner (a round question mark). At the same time a message pops up now and then: Your computer is infected! I have also got two new "shortcuts" on the desktop that I did not have before. They are called "Security Trubleshooting" and "Online Security Guide". This started after I visited this page: http://www.haraldbjellvag.com/photoshop.html I have bought Photoshop and came across that page while searching for training videos. I also had to restart the machine (it seemed to hang). On startup it is now very slow, which it never was before. I assume you need this log?? Getting used to this by now.

Logfile of HijackThis v1.99.1
Scan saved at 06:12:27, on 03.08.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\ISHOST.EXE
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\system32\issearch.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programfiler\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
D:\Popup Ad Filter\PopFilter.exe
C:\WINDOWS\system32\TSKS~1\javaw.exe
C:\WINDOWS\SYSTEM32\??STEM32\??CHOST.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Programfiler\Raxco\PerfectDisk\PDSched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\PROGRAMFILER\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRAMFILER\INTERNET EXPLORER\IEXPLORE.EXE
C:\DOCUME~1\FREDRI~1.JOH\LOKALE~1\Temp\Midlertidig mappe 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: (no name) - {7DF9BBFD-7A35-75C3-11FA-242753FBED9E} - C:\WINDOWS\system32\dbql.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7DF9BBFD-7A35-75C3-11FA-242753FBED9E} - C:\WINDOWS\system32\dbql.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: (no name) - {D53A70B8-FBA1-4377-A487-D351DF691257} - C:\WINDOWS\system32\ssqpm.dll (file missing)
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programfiler\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WINCINEMAMGR] C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Popup Ad Filter] D:\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [Asor] "C:\WINDOWS\system32\TSKS~1\javaw.exe" -vt yax
O4 - HKCU\..\Run: [Wybqp] C:\WINDOWS\system32\??stem32\??chost.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Allow Popups - D:\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.5.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147975426750
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programfiler\Fellesfiler\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programfiler\Fellesfiler\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\winword.dll
O20 - Winlogon Notify: ssqpm - C:\WINDOWS\system32\ssqpm.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjrs32 - C:\WINDOWS\SYSTEM32\winjrs32.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programfiler\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Programfiler\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Edited 3 August 2006 by frecjoha
PerB, posted 3 August 2006

You have a number of files that should not be there (there may be more as well):

C:\WINDOWS\SYSTEM32\ISHOST.EXE
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\system32\issearch.exe

Search Google for ISHOST.EXE for further details.
Abnorm (thread author), posted 3 August 2006

The ones you mentioned above are now deleted, but it does not seem to make a difference. I have now also run these programs in safe mode:

Spybot - Search & Destroy
Ad-Aware SE pro

They found a lot of junk, but the problem is not solved. Here is a new log.

Logfile of HijackThis v1.99.1
Scan saved at 09:01:25, on 03.08.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Trend Micro\Internet Security 14\pccguide.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\Programfiler\Windows Defender\MSASCui.exe
C:\WINDOWS\SYSTEM32\??STEM32\??CHOST.EXE
D:\Popup Ad Filter\PopFilter.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TSKS~1\javaw.exe
C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\Programfiler\Raxco\PerfectDisk\PDSched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRAMFILER\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAMFILER\INTERNET EXPLORER\IEXPLORE.EXE
C:\DOCUME~1\FREDRI~1.JOH\LOKALE~1\Temp\Midlertidig mappe 5 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: (no name) - {7DF9BBFD-7A35-75C3-11FA-242753FBED9E} - C:\WINDOWS\system32\dbql.dll
O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7DF9BBFD-7A35-75C3-11FA-242753FBED9E} - C:\WINDOWS\system32\dbql.dll
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKLM\..\Run: [WINCINEMAMGR] C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programfiler\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Wybqp] C:\WINDOWS\system32\??stem32\??chost.exe
O4 - HKCU\..\Run: [Popup Ad Filter] D:\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Asor] "C:\WINDOWS\system32\TSKS~1\javaw.exe" -vt yax
O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Catalyst System Tray.lnk = C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Allow Popups - D:\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.5.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147975426750
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programfiler\Fellesfiler\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programfiler\Fellesfiler\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programfiler\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Programfiler\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
berxter, posted 3 August 2006 (edited)

You need to go at it with Smitfraudfix: http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

You might as well run option 2 (clean) in safe mode right away, since the diagnosis is unambiguous.

Then do a round with Ewido, also in safe mode, like this: http://rstones12.geekstogo.com/ewidosetup.htm

And remove the O16 entry with Yazzle using HJT. Then a fresh HJT log from normal mode, and we'll see.

I assume we'll need Killbox for C:\WINDOWS\SYSTEM32\??STEM32\??CHOST.EXE; you might as well do it sooner rather than later: use HJT on

O4 - HKCU\..\Run: [Wybqp] C:\WINDOWS\system32\??stem32\??chost.exe

first, then Killbox on the whole folder C:\WINDOWS\SYSTEM32\??STEM32\

Don't forget ccleaner in between; remember to check that "only remove temp files older than 48 hours" is not ticked in advanced options.

Bernt K

Edited 3 August 2006 by berxter
Abnorm (thread author), posted 3 August 2006 (edited)

That's done... Everything looks fine now. The annoying box in the corner is gone too... Here is my new log.

Logfile of HijackThis v1.99.1
Scan saved at 09:37:42, on 03.08.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Trend Micro\Internet Security 14\pccguide.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\Programfiler\Windows Defender\MSASCui.exe
C:\WINDOWS\SYSTEM32\??STEM32\??CHOST.EXE
D:\Popup Ad Filter\PopFilter.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TSKS~1\javaw.exe
C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\Programfiler\Raxco\PerfectDisk\PDSched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRAMFILER\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\FREDRI~1.JOH\LOKALE~1\Temp\Midlertidig mappe 9 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: (no name) - {7DF9BBFD-7A35-75C3-11FA-242753FBED9E} - C:\WINDOWS\system32\dbql.dll
O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7DF9BBFD-7A35-75C3-11FA-242753FBED9E} - C:\WINDOWS\system32\dbql.dll
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKLM\..\Run: [WINCINEMAMGR] C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programfiler\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Popup Ad Filter] D:\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Asor] "C:\WINDOWS\system32\TSKS~1\javaw.exe" -vt yax
O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Catalyst System Tray.lnk = C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Allow Popups - D:\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.5.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147975426750
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programfiler\Fellesfiler\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programfiler\Fellesfiler\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programfiler\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Programfiler\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Edited 3 August 2006 by frecjoha
berxter, posted 3 August 2006 (edited)

Hmm, these are still there:

C:\WINDOWS\SYSTEM32\??STEM32\??CHOST.EXE
R3 - URLSearchHook: (no name) - {7DF9BBFD-7A35-75C3-11FA-242753FBED9E} - C:\WINDOWS\system32\dbql.dll
O2 - BHO: (no name) - {7DF9BBFD-7A35-75C3-11FA-242753FBED9E} - C:\WINDOWS\system32\dbql.dll

Did you use Killbox? Delete on reboot, paste in

C:\WINDOWS\SYSTEM32\??STEM32
C:\WINDOWS\system32\dbql.dll

reboot.

I almost think you should go all in with a Panda Activescan; remember "see report" and "save report", and post the log from there together with a new HJT log.

Bernt K

Edited 3 August 2006 by berxter
Abnorm (thread author), posted 3 August 2006

Logfile of HijackThis v1.99.1
Scan saved at 19:44:17, on 03.08.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRAMFILER\WINDOWS DEFENDER\MSASCUI.EXE
D:\Popup Ad Filter\PopFilter.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TSKS~1\javaw.exe
C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Raxco\PerfectDisk\PDSched.exe
C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRAMFILER\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAMFILER\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\DOCUME~1\FREDRI~1.JOH\LOKALE~1\Temp\Midlertidig mappe 10 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: (no name) - {7DF9BBFD-7A35-75C3-11FA-242753FBED9E} - C:\WINDOWS\system32\dbql.dll (file missing)
O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7DF9BBFD-7A35-75C3-11FA-242753FBED9E} - C:\WINDOWS\system32\dbql.dll (file missing)
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKLM\..\Run: [WINCINEMAMGR] C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Programfiler\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programfiler\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Popup Ad Filter] D:\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Asor] "C:\WINDOWS\system32\TSKS~1\javaw.exe" -vt yax
O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Catalyst System Tray.lnk = C:\Programfiler\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Allow Popups - D:\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.5.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147975426750
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programfiler\Fellesfiler\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programfiler\Fellesfiler\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programfiler\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Programfiler\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Panda Activescan

Incident | Status | Location
Adware:adware/mediatickets | Not disinfected | C:\WINDOWS\system32\oins.exe
Adware:adware/monspirit | Not disinfected | c:\windows\HWS.exe
Spyware:Cookie/YieldManager | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. [email protected][1].txt
Spyware:Cookie/Hbmediapro | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. [email protected][2].txt
Spyware:Cookie/Adtech | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. johansen@adtech[2].txt
Spyware:Cookie/Atwola | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. johansen@atwola[2].txt
Spyware:Cookie/BurstNet | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. johansen@burstnet[2].txt
Spyware:Cookie/fe.lea.lycos | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. [email protected][1].txt
Spyware:Cookie/Go | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. johansen@go[1].txt
Spyware:Cookie/2o7 | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. [email protected][1].txt
Spyware:Cookie/Research-int | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. johansen@research-int[2].txt
Spyware:Cookie/Searchportal | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. [email protected][1].txt
Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. johansen@statcounter[2].txt
Spyware:Cookie/Reliablestats | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. [email protected][1].txt
Spyware:Cookie/TeensForCash | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. johansen@teensforcash[2].txt
Spyware:Cookie/Toplist | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. johansen@toplist[1].txt
Spyware:Cookie/Tradedoubler | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. johansen@tradedoubler[2].txt
Spyware:Cookie/Tribalfusion | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. johansen@tribalfusion[2].txt
Spyware:Cookie/myaffiliateprogram | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. [email protected][1].txt
Spyware:Cookie/Xiti | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. johansen@xiti[1].txt
Spyware:Cookie/Yadro | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch. johansen@yadro[1].txt
Spyware:Cookie/Cgi-bin | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch[13].txt
Spyware:Cookie/Adrevolver | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch[32].txt
Spyware:Cookie/Cgi-bin | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Cookies\fredrik ch[57].txt
Spyware:Cookie/YieldManager | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Lokale innstillinger\Temp\Cookies\fredrik ch. [email protected][2].txt
Spyware:Cookie/BurstNet | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Lokale innstillinger\Temp\Cookies\fredrik ch. johansen@burstnet[1].txt
Spyware:Cookie/Cd Freaks | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Lokale innstillinger\Temp\Cookies\fredrik ch. johansen@cdfreaks[2].txt
Spyware:Cookie/Cd Freaks | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Lokale innstillinger\Temp\Cookies\fredrik ch. [email protected][2].txt
Spyware:Cookie/Com.com | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Lokale innstillinger\Temp\Cookies\fredrik ch. johansen@com[1].txt
Spyware:Cookie/2o7 | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Lokale innstillinger\Temp\Cookies\fredrik ch. [email protected][2].txt
Spyware:Cookie/Searchportal | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Lokale innstillinger\Temp\Cookies\fredrik ch. [email protected][2].txt
Spyware:Cookie/Xiti | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Lokale innstillinger\Temp\Cookies\fredrik ch. johansen@xiti[1].txt
Spyware:Cookie/Yadro | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Lokale innstillinger\Temp\Cookies\fredrik ch. johansen@yadro[2].txt
Spyware:Cookie/Adrevolver | Not disinfected | C:\Documents and Settings\Fredrik Ch. Johansen\Lokale innstillinger\Temp\Cookies\fredrik ch[12].txt
berxter, posted 3 August 2006

Yep, then the ones HJT showed are gone. Panda shows two files you have to remove with Killbox:

C:\WINDOWS\system32\oins.exe
c:\windows\HWS.exe

The ruins of the one we fixed earlier you get HJT to fix (do a scan only, tick it, and "fix checked"):

R3 - URLSearchHook: (no name) - {7DF9BBFD-7A35-75C3-11FA-242753FBED9E} - C:\WINDOWS\system32\dbql.dll (file missing)
O2 - BHO: (no name) - {7DF9BBFD-7A35-75C3-11FA-242753FBED9E} - C:\WINDOWS\system32\dbql.dll (file missing)

Then it should be clean. Check with Panda that oins and hws are gone after using Killbox. hws.exe is sometimes stubborn, but let's see.

Have you switched off pccillin's processes? I miss the Trend processes in the HJT log:

C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

in the latest log....

Bernt K
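The indicators the helpers worked from in this thread (a binary launched from a fake sub-folder inside system32, rendered here as ??stem32\??chost.exe; unnamed URLSearchHook/BHO entries; the Yazzle O16 download; an AppInit_DLLs value; the SSODL entry) can be picked out of a HijackThis log mechanically. The triage script below is an added example for defenders, not code from the thread or from HijackThis; it runs over a constructed excerpt in the shape of the first log, and the Winlogon Notify allowlist and the "non-Microsoft host" rule for O16 are my own assumptions, not HijackThis logic.

```python
"""Triage a HijackThis v1.99.1 log for the persistence patterns this thread turned up."""
import re
from typing import List, Tuple

# Constructed sample in the shape of the thread's first log (a subset of its lines).
# The "??" is how the forum rendered the non-ASCII characters in the fake system32 folder.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\??STEM32\??CHOST.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R3 - URLSearchHook: (no name) - {7DF9BBFD-7A35-75C3-11FA-242753FBED9E} - C:\WINDOWS\system32\dbql.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [Asor] "C:\WINDOWS\system32\TSKS~1\javaw.exe" -vt yax
O4 - HKCU\..\Run: [Wybqp] C:\WINDOWS\system32\??stem32\??chost.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147975426750
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - AppInit_DLLs: C:\WINDOWS\system32\winword.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll
"""

# Hypothetical allowlist (my assumption, not HijackThis data): Winlogon Notify
# packages a stock XP SP2 machine may legitimately show in a log.
KNOWN_NOTIFY = {"WgaLogon"}

# Sections whose payload is a local file path rather than a URL.
PATH_SECTIONS = {"proc", "R3", "O2", "O3", "O4", "O20", "O21", "O23"}
ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")
# A binary launched from a sub-folder *inside* system32 (system32\TSKS~1\javaw.exe);
# Windows' own system32 binaries live directly in that folder.
SYSTEM32_SUBDIR = re.compile(r'\\system32\\[^\\\s"]+\\[^\\\s"]+\.(?:exe|dll)', re.I)
# Characters Windows refuses in a file name; they show up when an unmappable
# Unicode name (the ??stem32\??chost.exe trick) is pasted as text.
BAD_PATH_CHARS = re.compile(r"[?<>|*]")
HOST = re.compile(r"https?://([^/\s]+)", re.I)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs for entries that deserve a closer look."""
    hits: List[Tuple[str, str]] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        m = ENTRY.match(line)
        if m:
            in_processes = False
            section, body = m.group(1), m.group(2)
        elif in_processes:
            section, body = "proc", line
        else:
            continue  # header lines such as "Logfile of HijackThis v1.99.1"
        if section in ("proc", "O4") and SYSTEM32_SUBDIR.search(body):
            hits.append(("binary launched from a sub-folder of system32", line))
        if section in PATH_SECTIONS and BAD_PATH_CHARS.search(body):
            hits.append(("illegal character in path (unmappable/hidden name)", line))
        if section in ("R3", "O2") and "(no name)" in body:
            hits.append(("unnamed URLSearchHook/BHO", line))
        if section == "O16":
            h = HOST.search(body)
            host = h.group(1).lower() if h else ""
            if not host.endswith(".microsoft.com"):
                hits.append(("ActiveX download (DPF) from a non-Microsoft host", line))
        if section == "O20":
            if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
                hits.append(("AppInit_DLLs set: DLL injected into every process", line))
            n = re.match(r"Winlogon Notify: (\S+) -", body)
            if n and n.group(1) not in KNOWN_NOTIFY:
                hits.append(("Winlogon Notify package outside the allowlist", line))
        if section == "O21":
            hits.append(("ShellServiceObjectDelayLoad entry (rare on a clean XP box)", line))
    return hits


def flagged_lines(log_text: str) -> List[str]:
    """Distinct log lines flagged by triage(), in log order."""
    seen: List[str] = []
    for _, line in triage(log_text):
        if line not in seen:
            seen.append(line)
    return seen


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Every hit is a candidate for review, not a verdict: the O16 rule, for instance, also flags the legitimate Panda and a-squared scanner downloads that appear later in the thread.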