frgmnt Skrevet 20. november 2006 Del Skrevet 20. november 2006 (endret) I går klarte jeg å få en trojaner via MSN. Jeg prøvde å kjøre et program som heter Trojan Remover, noe som tydeligvis ikke virker. Har også skannet med Avast flere ganger. Allikevel virker det som om virusfilene bare kommer tilbake. Prøvde å bruke CCleaner nettopp, og datamaskinen fungerer akkurat nå som den skal. Kan noen sjekke loggen min, og evt. fortelle meg hva jeg skal gjøre for å bli kvitt dette? Takk! ----------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 21:06:02, on 20.11.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Programfiler\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Programfiler\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe C:\WINDOWS\system32\svchost.exe C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe C:\Programfiler\Hp\HP Software Update\HPWuSchd2.exe C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Programfiler\QuickTime\qttask.exe C:\Programfiler\iTunes\iTunesHelper.exe C:\Programfiler\Windows Defender\MSASCui.exe C:\Programfiler\iPod\bin\iPodService.exe C:\Programfiler\Fellesfiler\{524BF166-063F-1044-0608-05050331002f}\Update.exe C:\Programfiler\Creative\MediaSource\Detector\CTDetect.exe C:\Programfiler\Opera\Opera.exe C:\Documents and Settings\*******\Skrivebord\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [Cpqset] C:\Programfiler\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide O4 - HKCU\..\Run: [Creative Detector] C:\Programfiler\Creative\MediaSource\Detector\CTDetect.exe /R O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: @C:\Programfiler\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: @C:\Programfiler\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NB_NO&c=Q305&bd=presario&pf=laptop O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programfiler\HPQ\SHARED\HPQWMI.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe Endret 7. mai 2007 av frgmnt Lenke til kommentar
norbat Skrevet 20. november 2006 Del Skrevet 20. november 2006 Kjør HJT og fjern: R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) Det er ellers lite å se i loggen din, men du kan kjøre en full scan med SAS og legg ut loggen fra den (Preference->Statistics/logs) sammen med en ny logg fra HJT (Ta først å rename hijakcthis.exe til hjt.exe da noen virus/spyware gjemmer seg for program som heter Hijakcthis) Lenke til kommentar
frgmnt Skrevet 21. november 2006 Forfatter Del Skrevet 21. november 2006 (endret) Jeg lastet ned SAS, og den fant tydeligvis noe rusk: SUPERAntiSpyware Scan Log Generated 11/22/2006 at 00:06 AM Application Version : 3.3.1020 Core Rules Database Version : 3107 Trace Rules Database Version: 1133 Scan type : Quick Scan Total Scan Time : 00:04:59 Memory items scanned : 409 Memory threats detected : 0 Registry items scanned : 687 Registry threats detected : 48 File items scanned : 946 File threats detected : 1 Adware.Tracking Cookie C:\Documents and Settings\----\Cookies\----@doubleclick[1].txt Adware.WhenU HKCR\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0} HKCR\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}\ProxyStubClsid HKCR\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}\ProxyStubClsid32 HKCR\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}\TypeLib HKCR\Interface\{572FB162-C0BA-4EDF-8CFF-E3846153B9B0}\TypeLib#Version HKCR\AppId\{127DF9B4-D75D-44A6-AF78-8C3A8CEB03DB} HKCR\AppId\ACM.DLL HKCR\AppId\ACM.DLL#AppID HKCR\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842} HKCR\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}\ProxyStubClsid HKCR\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}\ProxyStubClsid32 HKCR\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}\TypeLib HKCR\Interface\{72A836D1-BC00-43C0-A941-17960E4FB842}\TypeLib#Version HKCR\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086} HKCR\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}\ProxyStubClsid HKCR\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}\ProxyStubClsid32 HKCR\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}\TypeLib HKCR\Interface\{43382522-A846-46F4-AC57-1F71AE6E1086}\TypeLib#Version Adware.180solutions/Search Assistant HKCR\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9} HKCR\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}\ProxyStubClsid HKCR\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}\ProxyStubClsid32 HKCR\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}\TypeLib HKCR\Interface\{2B0ECEAC-F597-4858-A542-D966B49055B9}\TypeLib#Version HKCR\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD} HKCR\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD}\ProxyStubClsid HKCR\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD}\ProxyStubClsid32 HKCR\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD}\TypeLib HKCR\Interface\{DDEA2E1D-8555-45E5-AF09-EC9AA4EA27AD}\TypeLib#Version HKCR\Interface\{F1F1E775-1B21-454D-8D38-7C16519969E5} HKCR\Interface\{F1F1E775-1B21-454D-8D38-7C16519969E5}\ProxyStubClsid HKCR\Interface\{F1F1E775-1B21-454D-8D38-7C16519969E5}\ProxyStubClsid32 HKCR\Interface\{F1F1E775-1B21-454D-8D38-7C16519969E5}\TypeLib HKCR\Interface\{F1F1E775-1B21-454D-8D38-7C16519969E5}\TypeLib#Version Adware.Avenue Media/Internet Optimizer HKU\S-1-5-21-1956696214-1337794530-419701984-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\AMeOpt HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\AMeOpt HKU\S-1-5-21-1956696214-1337794530-419701984-1006\SOFTWARE\Policies\Avenue Media HKLM\SOFTWARE\Policies\Avenue Media Adware.Toolbar888 HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208} HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0 HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\0 HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\0\win32 HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\FLAGS HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\HELPDIR HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B} HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\ProxyStubClsid HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\ProxyStubClsid32 HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\TypeLib HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\TypeLib#Version ------------------------------------------- Gjorde også et nytt søk med HJT, her kommer loggen: Logfile of HijackThis v1.99.1 Scan saved at 00:23:33, on 22.11.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\savedump.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Programfiler\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe C:\Programfiler\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\system32\wuauclt.exe C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe C:\Programfiler\Hp\HP Software Update\HPWuSchd2.exe C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe C:\Documents and Settings\*******\Skrivebord\hjt.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Programfiler\QuickTime\qttask.exe C:\Programfiler\iTunes\iTunesHelper.exe C:\Programfiler\iPod\bin\iPodService.exe C:\Programfiler\Windows Defender\MSASCui.exe C:\Programfiler\Fellesfiler\{524BF166-063F-1044-0608-05050331002f}\Update.exe C:\Programfiler\Creative\MediaSource\Detector\CTDetect.exe C:\WINDOWS\system32\dumprep.exe C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [Cpqset] C:\Programfiler\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [Creative Detector] C:\Programfiler\Creative\MediaSource\Detector\CTDetect.exe /R O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: @C:\Programfiler\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: @C:\Programfiler\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NB_NO&c=Q305&bd=presario&pf=laptop O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programfiler\HPQ\SHARED\HPQWMI.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe ---------------------------------- Avast! meldte nettopp om en trojaner igjen, noe som ikke har skjedd siden søndag. Dessuten er datamaskinen rar i oppstarten, det virker nesten som om den starter opp to ganger. Takk for hjelpen, forresten. Endret 7. mai 2007 av frgmnt Lenke til kommentar
norbat Skrevet 22. november 2006 Del Skrevet 22. november 2006 1. Slå av systemgjenopprettingen, restart og slå den på igjen og lag deg et nytt gjenopprettingspkt. 2. Last ned CCleaner og kjør en rens + noen ganger med 'Saker'. 3. Kjør en full scan med SAS 4. Kjør en runde med Avast Lenke til kommentar
frgmnt Skrevet 24. november 2006 Forfatter Del Skrevet 24. november 2006 Nå har jeg gjort alt det du skrev. Det hele så riktig så bra ut, helt til Avast fant en trojansk hest ved navn Win32: PurityScan-AD to steder. Den ble ifølge Avast vellykket flyttet til kisten. Vil du jeg skal poste logg fra SAS? Lenke til kommentar
norbat Skrevet 24. november 2006 Del Skrevet 24. november 2006 Post en ny HJT Kan du si noe om hvor Avast finner denne trojaneren? Lenke til kommentar
frgmnt Skrevet 24. november 2006 Forfatter Del Skrevet 24. november 2006 Den ble funnet to steder: C:\Documents and Settings\Mitt navn\winstall.exe\[MoleBox] C:\System Volume Information\_restore{3D419849-1197-4061-845A-54BF968A6B65}\RP2\A0000021.exe\[MoleBox] Her har du HJT-loggen min: Logfile of HijackThis v1.99.1 Scan saved at 18:45:33, on 24.11.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Programfiler\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe C:\Programfiler\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe C:\Programfiler\Hp\HP Software Update\HPWuSchd2.exe C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Programfiler\QuickTime\qttask.exe C:\Programfiler\iTunes\iTunesHelper.exe C:\Programfiler\Windows Defender\MSASCui.exe C:\Programfiler\Fellesfiler\{524BF166-063F-1044-0608-05050331002f}\Update.exe C:\Programfiler\Creative\MediaSource\Detector\CTDetect.exe C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Programfiler\iPod\bin\iPodService.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wisptis.exe C:\Programfiler\Opera\Opera.exe C:\Programfiler\MSN Messenger\msnmsgr.exe C:\Documents and Settings\Mitt navn\Skrivebord\hjt.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [Cpqset] C:\Programfiler\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide O4 - HKCU\..\Run: [Creative Detector] C:\Programfiler\Creative\MediaSource\Detector\CTDetect.exe /R O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: @C:\Programfiler\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: @C:\Programfiler\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NB_NO&c=Q305&bd=presario&pf=laptop O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programfiler\HPQ\SHARED\HPQWMI.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe Lenke til kommentar
frgmnt Skrevet 24. november 2006 Forfatter Del Skrevet 24. november 2006 Nå kjørte jeg også en internet scan fra Symantec, og fikk følgende beskjed: C:\WINDOWS\system32\msasvc.ex$ is infected with Trojan.Anserin Det vil si en trojansk hest Avast ikke fant. Lenke til kommentar
norbat Skrevet 25. november 2006 Del Skrevet 25. november 2006 (endret) Vi prøver dette: Slå av systemgjenopprettinga (kontrollpanel->system->systemgjenoppretting) Sørg for at du kan se skjulte filer og mapper (kontrollpanel->mappealternativer->vis->"vis skjulte filer og mapper" Start i sikker modus (tapp f8 under oppstart) Åpne utforsker og slett fila (i bold) C:\Documents and Settings\Mitt navn\winstall.exe C:\WINDOWS\system32\msasvc.exe Kjør CCleaner Kjør en full scan med Superantispyware (SAS) Restart i normal modus Legg ut en HJT-logg samt loggen fra SAS (preferences->statistics/logs) Endret 25. november 2006 av norbat Lenke til kommentar
frgmnt Skrevet 25. november 2006 Forfatter Del Skrevet 25. november 2006 Okey, nå har jeg gjort alt dette. Klarte imidlertid ikke å finne winstall.exe. SAS-logg: SUPERAntiSpyware Scan Log Generated 11/25/2006 at 03:03 PM Application Version : 3.3.1020 Core Rules Database Version : 3135 Trace Rules Database Version: 1152 Scan type : Complete Scan Total Scan Time : 00:19:59 Memory items scanned : 209 Memory threats detected : 0 Registry items scanned : 5159 Registry threats detected : 0 File items scanned : 24854 File threats detected : 9 Adware.Tracking Cookie C:\Documents and Settings\**** ****\Cookies\**** ****@advertising[1].txt C:\Documents and Settings\**** ****\Cookies\**** ****@doubleclick[1].txt C:\Documents and Settings\**** ****\Cookies\**** ****@track.adform[1].txt C:\Documents and Settings\**** ****\Cookies\**** ****@tradedoubler[2].txt Adware.ToolBar888 C:\PROGRAMFILER\FELLESFILER\{324BF166-063F-1044-0608-05050331002F}\888.DLL Adware.888Toolbar/Installer C:\PROGRAMFILER\FELLESFILER\{324BF166-063F-1044-0608-05050331002F}\ACTIVATE.EXE Trojan.Hacktool C:\PROGRAMFILER\FELLESFILER\{524BF166-063F-1044-0608-05050331002F}\SYSTEM.DLL C:\PROGRAMFILER\FELLESFILER\{524BF166-0640-1044-0608-05050331002F}\SYSTEM.DLL Trojan.Update-Mcboo C:\PROGRAMFILER\FELLESFILER\{524BF166-063F-1044-0608-05050331002F}\UPDATE.EXE -------------------------------------------- HJT-logg: Logfile of HijackThis v1.99.1 Scan saved at 15:57:23, on 25.11.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Programfiler\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe C:\Programfiler\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe C:\Programfiler\Hp\HP Software Update\HPWuSchd2.exe C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Programfiler\QuickTime\qttask.exe C:\Programfiler\iTunes\iTunesHelper.exe C:\Programfiler\Windows Defender\MSASCui.exe C:\Programfiler\Creative\MediaSource\Detector\CTDetect.exe C:\Programfiler\iPod\bin\iPodService.exe C:\Programfiler\Opera\Opera.exe C:\Documents and Settings\***\Skrivebord\hjt.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [Cpqset] C:\Programfiler\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide O4 - HKCU\..\Run: [Creative Detector] C:\Programfiler\Creative\MediaSource\Detector\CTDetect.exe /R O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: @C:\Programfiler\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: @C:\Programfiler\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NB_NO&c=Q305&bd=presario&pf=laptop O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programfiler\HPQ\SHARED\HPQWMI.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe Lenke til kommentar
norbat Skrevet 25. november 2006 Del Skrevet 25. november 2006 Stadig plaget med rusk og rask? Sjekk om Toolbar888 finnes i Legg til/fjern programlisten Last ned DrWeb Restart i sikker modus (tapp f8 under oppstart) Kjør drweb-cureit.exe (si ja til å kjøre en express scan) Når dette er ferdig klikker du på Option -> Change settings. Under fanearket Scan, fjerner du haken ved Heuristic analysis. Under fanearket Actions, skal alle punkt under Malware settes til Rename. Velg partisjon du vil scanne og klikk deretter på den grønne pilen for å starte scanningen. Velg "yes to all" når det finner noe for første gang. Lenke til kommentar
frgmnt Skrevet 25. november 2006 Forfatter Del Skrevet 25. november 2006 Vel, jeg merker ingenting, men hvis det fremdeles er noen luringer som har gjemt seg unna, så blir jeg gjerne kvitt dem. Fant ingenting ved navn Toolbar888 blant programmene mine, skal jeg fremdeles kjøre DrWeb? Jeg gjør det, jeg. Lenke til kommentar
norbat Skrevet 25. november 2006 Del Skrevet 25. november 2006 (endret) Filene som blir funnet ligger i: C:\PROGRAMFILER\FELLESFILER\{324BF166-063F-1044-0608-05050331002F} C:\PROGRAMFILER\FELLESFILER\{524BF166-063F-1044-0608-05050331002F} Skulle anta at disse mappen kan slettes. Å kjøre en scan med DrWeb skader imidlertid ikke. Endret 25. november 2006 av norbat Lenke til kommentar
frgmnt Skrevet 25. november 2006 Forfatter Del Skrevet 25. november 2006 (endret) Filene som blir funnet ligger i: C:\PROGRAMFILER\FELLESFILER\{324BF166-063F-1044-0608-05050331002F} C:\PROGRAMFILER\FELLESFILER\{524BF166-063F-1044-0608-05050331002F} Skulle anta at disse mappen kan slettes. Å kjøre en scan med DrWeb skader imidlertid ikke. 7356953[/snapback] DrWeb fant og slettet to filer: Update.ex$ (som jeg tror ligger i den nederste mappen du nevner), og system32:lzx32.sys. Disse filene var ifølge DrWeb henholdsvis Trojan.Downloader.14828 og Trojan.Spambot, om det har noe å si. Jeg skal sjekke mappene nå også. Edit: Jeg har slettet de to mappene pluss en til som var helt "lik". Endret 26. november 2006 av frgmnt Lenke til kommentar
frgmnt Skrevet 2. desember 2006 Forfatter Del Skrevet 2. desember 2006 Det ser jammen ikke ut til at jeg blir kvitt dette. Har fått blåskjerm to ganger og skriver nå i sikkermodus. Fikk også nylig mail fra NextGentel om at maskinen min sender ut spam. Vurderer en formatering, men må få tak i XP-cd'en først. Noen andre litt mindre drastiske muligheter? Lenke til kommentar
norbat Skrevet 2. desember 2006 Del Skrevet 2. desember 2006 Last ned SDfix.exe til skrivebordet ditt Kjør fila og den vil pakke ut filer til ei mappe, typisk C:\SDFix Fra sikker modus kjører du fra SDFix-mappa: RunThis.bat Skriv Y for å starte rensingen Når det er ferdig blir du bedt om å restarte Når pc'n restarter vil SDFix kjøre igjen og fullføre. Programmet lager en logg. Kunne du posten den sammen med en ny HJT-logg? Lenke til kommentar
frgmnt Skrevet 2. desember 2006 Forfatter Del Skrevet 2. desember 2006 Takk, skal prøve dette. Når maskinen starter igjen etter at jeg får blåskjerm, kommer det opp melding om at det er feil i følgende filer: C:\DOCUME~1\****~1\LOKALE~1\Temp\WER7bf4.dir00\Mini120206-01.dmp C:\DOCUME~1\****~1\LOKALE~1\Temp\WER7bf4.dir00\sysdata.xml Lenke til kommentar
porcelaiN Skrevet 2. desember 2006 Del Skrevet 2. desember 2006 Var det den "check:Phttp://blalblabl/pic.pif" linken du fikk? Lenke til kommentar
frgmnt Skrevet 2. desember 2006 Forfatter Del Skrevet 2. desember 2006 Ja, noe sånt. Det er vel noe som spres raskt for tiden. Jeg kommer for øvrig ikke inn på brannmuren min, på grunn av "et uidentifisert problem". Den er avslått og jeg får altså ikke slått den på igjen. Her er loggene: SDFix: Version 1.44 **************** 02.12.2006 - 13:00:25,12 Microsoft Windows XP [Versjon 5.1.2600] Running From: C:\SDFix Stage One - Safe Mode Checking Services... Service Name: File Path: MsaSvc Deleted... Starting Registry Repairs... Restoring Default Hosts File... Stage One Complete Rebooting... Stage Two - Normal Mode Checking For Malware: -------------------- Backing Up and Removing any Files Found... Final Check: Services: --------- Rootkit pe386 Present! Authorized Applications Export: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Programfiler\MSN Messenger\msnmsgr.exe REG_SZ C:\Programfiler\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0 C:\Programfiler\MSN Messenger\msncall.exe REG_SZ C:\Programfiler\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List C:\Programfiler\MSN Messenger\msnmsgr.exe REG_SZ C:\Programfiler\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0 C:\Programfiler\MSN Messenger\msncall.exe REG_SZ C:\Programfiler\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone) Files: ------ Backups Folder: - C:\SDFix\backups\backups.zip Checking for files with Hidden Attributes: C:\WINDOWS\system32\D73CD0F8CE.dll C:\WINDOWS\system32\cdplayer.exe.manifest C:\WINDOWS\system32\logonui.exe.manifest C:\hiberfil.sys C:\IO.SYS C:\MSDOS.SYS C:\pagefile.sys C:\WINDOWS\system32\D73CD0F8CE.sys C:\WINDOWS\system32\KGyGaAvL.sys FINISHED! ------------------------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 13:09:25, on 02.12.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Programfiler\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe C:\Programfiler\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wscntfy.exe C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe C:\Programfiler\Hp\HP Software Update\HPWuSchd2.exe C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Programfiler\QuickTime\qttask.exe C:\Programfiler\iTunes\iTunesHelper.exe C:\Programfiler\iPod\bin\iPodService.exe C:\Programfiler\Windows Defender\MSASCui.exe C:\Programfiler\Creative\MediaSource\Detector\CTDetect.exe C:\Programfiler\Opera\Opera.exe C:\Documents and Settings\******\Skrivebord\hjt.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Programfiler\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [Cpqset] C:\Programfiler\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide O4 - HKCU\..\Run: [Creative Detector] C:\Programfiler\Creative\MediaSource\Detector\CTDetect.exe /R O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: @C:\Programfiler\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: @C:\Programfiler\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NB_NO&c=Q305&bd=presario&pf=laptop O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Programfiler\HPQ\SHARED\HPQWMI.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe Lenke til kommentar
CustomTP Skrevet 2. desember 2006 Del Skrevet 2. desember 2006 tror den trojanen var en ute å galoperte andre steder, men min kaspersky tokk det med en gang... kjæresten min hadde norton og hun fikk samme problemer som deg. innstalerte kaspersky 6 og rensket opp.... kjørte tuneupp utilities etter på for å fjerne de slettede filene helt...(vet ikke om det sidte med tuneupp var nødvendig men hjalp i hvertfall... Lenke til kommentar
Anbefalte innlegg
Opprett en konto eller logg inn for å kommentere
Du må være et medlem for å kunne skrive en kommentar
Opprett konto
Det er enkelt å melde seg inn for å starte en ny konto!
Start en kontoLogg inn
Har du allerede en konto? Logg inn her.
Logg inn nå