Jaap (thread author), posted 7 February 2007

Lately I have been plagued by popups from "CleanDriver", "systemdoctor", "errorsafe", "WinAntiVirus Pro 2007" and the like. F-Prot finds this:

Report
--------------------------------------------------------------------------------
C:\System Volume Information\_restore{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP800\A0074069.dll  Infection: Trojan-Downloader.Win32.ConHook.c
C:\WINDOWS\SYSTEM32\P2ECOM.0LL  Infection: Trojan.Win32.P2E.al
C:\WINDOWS\SYSTEM32\mslagent.0xe  Infection: Trojan-Downloader.Win32.Wintrim.ao
C:\WINDOWS\SYSTEM32\DTC32.0LL  Infection: Trojan-Downloader.Win32.Wintrim.ai

and:

Malicious code found in file C:\SYSTEM VOLUME INFORMATION\_RESTORE{B82622C0-F5EB-4389-9CA2-5DB47444639C}\RP800\A0074069.DLL.
Infection: Trojan-Downloader.Win32.ConHook.c
Action: failed.

The HijackThis log looks like this:

Logfile of HijackThis v1.99.1
Scan saved at 23:23:21, on 07.02.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\System32\basfipm.exe
C:\Programfiler\Dell\Bluetooth Software\bin\btwdins.exe
C:\Programfiler\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
C:\Programfiler\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programfiler\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programfiler\F-Secure\Anti-Virus\fssm32.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Programfiler\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\F-Secure\Common\FSMA32.EXE
C:\Programfiler\F-Secure\Common\FSMB32.EXE
C:\Programfiler\F-Secure\Common\FCH32.EXE
C:\Programfiler\F-Secure\Common\FAMEH32.EXE
C:\Programfiler\Canon\CAL\CALMAIN.exe
C:\Programfiler\F-Secure\Common\FNRB32.EXE
C:\Programfiler\F-Secure\Common\FIH32.EXE
C:\Programfiler\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Apoint\Apoint.exe
C:\WINDOWS\system32\carpserv.exe
C:\Programfiler\Intel\NCS\PROSet\PRONoMgr.exe
C:\Programfiler\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programfiler\F-Secure\Common\FSM32.EXE
C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Java\jre1.5.0_10\bin\jusched.exe
C:\Programfiler\Spyware Terminator\SpywareTerminatorShield.exe
C:\Programfiler\Apoint\Apntex.exe
C:\Programfiler\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programfiler\Dell\Bluetooth Software\BTTray.exe
C:\Programfiler\Digital Line Detect\DLG.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Programfiler\UltimateZip\uzqkst.exe
C:\Programfiler\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programfiler\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Documents and Settings\JO\Lokale innstillinger\Temporary Internet Files\Content.IE5\F0KJNG5R\blbeta[1].exe
C:\Programfiler\Outlook Express\msimn.exe
C:\Programfiler\tavekk\tavekk.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/no/nor/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.frisurf.no/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/no/nor/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Programfiler\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programfiler\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programfiler\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programfiler\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [spywareTerminator] "C:\Programfiler\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Programfiler\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: UltimateZip Quick Start.lnk = C:\Programfiler\UltimateZip\uzqkst.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programfiler\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programfiler\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.frisurf.no/
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/support/plugins/ebraryRdr.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programfiler\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C0942C1-C405-4805-B3B6-EA16F2DDD1BD} (innova-Panorama-Viewer Object) - http://www.innova-webplaner.de/innova/pano...um.7.0.0.12.cab
O16 - DPF: {63B8AED1-4475-4FF4-A280-4B48572E1354} - http://www.buypass.no/Installasjoner/jnipc...ate_4.4.5.0.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://www.icanal.no/spill/commerce/catalo...es/ExentCtl.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170800798961
O16 - DPF: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} (WebInterface Class) - https://fastsend.com/products/Fsplugin.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://eurofoto.no/activex/ImageUploader3.cab
O16 - DPF: {E43DF60D-D6FA-42AB-921C-FE0A023C5BE1} (eWebEditProLibCtl.eWebEditPro) - http://adm.home.online.no/ewebeditpro2/ewebeditpro.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Programfiler\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programfiler\Canon\CAL\CALMAIN.exe
O23 - Service: Comdaer - CMD Technology, Inc. - (no file)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Programfiler\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programfiler\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programfiler\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Programfiler\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programfiler\F-Secure\Common\FSMA32.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Programfiler\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\FELLES~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programfiler\Spyware Terminator\sp_rsser.exe

Can anyone help?
Jaap (thread author), posted 7 February 2007

I have also run F-Secure Blacklight Rootkit Eliminator, and it found these files:
tyfrxccwea.exe
tyfrxccwea.dat
tyfrxccwea_nav.dat
tyfrxccwea_navps.dat
Should I delete them?
norbat, posted 8 February 2007

Follow the long version of the guide in the following post: https://www.diskusjon.no/index.php?showtopic=691246
Jaap (thread author), posted 8 February 2007

Hi, I have followed the long version of the guide. Here is also the log from SAS:

SUPERAntiSpyware Scan Log
Generated 02/08/2007 at 11:41 AM
Application Version : 3.5.1016
Core Rules Database Version : 3179
Trace Rules Database Version: 1189
Scan type : Quick Scan
Total Scan Time : 00:25:33
Memory items scanned : 492
Memory threats detected : 0
Registry items scanned : 946
Registry threats detected : 0
File items scanned : 16650
File threats detected : 11

Adware.Tracking Cookie
C:\Documents and Settings\JO\Cookies\JO@drivecleaner[1].txt
C:\Documents and Settings\JO\Cookies\JO@1068415716[1].txt
C:\Documents and Settings\JO\Cookies\[email protected][1].txt
C:\Documents and Settings\JO\Cookies\JO@422[2].txt
C:\Documents and Settings\JO\Cookies\JO@422[4].txt
C:\Documents and Settings\JO\Cookies\JO@clickbank[2].txt
C:\Documents and Settings\JO\Cookies\[email protected][2].txt
C:\Documents and Settings\JO\Cookies\[email protected][1].txt
C:\Documents and Settings\JO\Cookies\[email protected][1].txt
C:\Documents and Settings\JO\Cookies\JO@winantivirus[2].txt
C:\Documents and Settings\JO\Cookies\JO@1071183736[1].txt
norbat, posted 8 February 2007

A new HJT log would be welcome. (I see you ran a quick scan with SAS. You should run a 'complete scan' the first time. It takes longer, but it scans all the files on the machine.)
Jaap (thread author), posted 9 February 2007

Hi, thanks for the response! I have gone through the whole process again, with CCleaner, a full scan with SAS, and a scan with HJT (under a new name). Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 07:30:12, on 09.02.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\System32\basfipm.exe
C:\Programfiler\Dell\Bluetooth Software\bin\btwdins.exe
C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
C:\Programfiler\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programfiler\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programfiler\F-Secure\Anti-Virus\fssm32.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Programfiler\Spyware Terminator\sp_rsser.exe
C:\Programfiler\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\F-Secure\Common\FSMA32.EXE
C:\Programfiler\F-Secure\Common\FSMB32.EXE
C:\Programfiler\F-Secure\Common\FCH32.EXE
C:\Programfiler\F-Secure\Common\FAMEH32.EXE
C:\Programfiler\Canon\CAL\CALMAIN.exe
C:\Programfiler\F-Secure\Common\FNRB32.EXE
C:\Programfiler\F-Secure\Common\FIH32.EXE
C:\Programfiler\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programfiler\Apoint\Apoint.exe
C:\WINDOWS\system32\carpserv.exe
C:\Programfiler\Intel\NCS\PROSet\PRONoMgr.exe
C:\Programfiler\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programfiler\F-Secure\Common\FSM32.EXE
C:\Programfiler\Apoint\Apntex.exe
C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Java\jre1.5.0_10\bin\jusched.exe
C:\Programfiler\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programfiler\Digital Line Detect\DLG.exe
C:\Programfiler\UltimateZip\uzqkst.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programfiler\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\TaVekk\TaVekk.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/no/nor/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.frisurf.no/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/no/nor/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Programfiler\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programfiler\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programfiler\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programfiler\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programfiler\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [spywareTerminator] "C:\Programfiler\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Programfiler\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: UltimateZip Quick Start.lnk = C:\Programfiler\UltimateZip\uzqkst.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programfiler\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programfiler\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.frisurf.no/
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/support/plugins/ebraryRdr.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programfiler\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C0942C1-C405-4805-B3B6-EA16F2DDD1BD} (innova-Panorama-Viewer Object) - http://www.innova-webplaner.de/innova/pano...um.7.0.0.12.cab
O16 - DPF: {63B8AED1-4475-4FF4-A280-4B48572E1354} - http://www.buypass.no/Installasjoner/jnipc...ate_4.4.5.0.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://www.icanal.no/spill/commerce/catalo...es/ExentCtl.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170800798961
O16 - DPF: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} (WebInterface Class) - https://fastsend.com/products/Fsplugin.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://eurofoto.no/activex/ImageUploader3.cab
O16 - DPF: {E43DF60D-D6FA-42AB-921C-FE0A023C5BE1} (eWebEditProLibCtl.eWebEditPro) - http://adm.home.online.no/ewebeditpro2/ewebeditpro.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Programfiler\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programfiler\Canon\CAL\CALMAIN.exe
O23 - Service: Comdaer - CMD Technology, Inc. - (no file)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Programfiler\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Programfiler\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programfiler\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Programfiler\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programfiler\F-Secure\Common\FSMA32.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Programfiler\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\FELLES~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programfiler\Spyware Terminator\sp_rsser.exe

and the SAS log:

SUPERAntiSpyware Scan Log
Generated 02/08/2007 at 09:36 PM
Application Version : 3.5.1016
Core Rules Database Version : 3179
Trace Rules Database Version: 1189
Scan type : Complete Scan
Total Scan Time : 00:56:11
Memory items scanned : 479
Memory threats detected : 0
Registry items scanned : 6421
Registry threats detected : 0
File items scanned : 37490
File threats detected : 25

Trace.Known Threat Sources
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\O1U7CLMV\checksoft[1].js
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\GH4Z01U1\top_pic_new[1].gif
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\SLQRS9IB\ico2[1].gif
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\GH4Z01U1\bar[1].gif
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\GH4Z01U1\ico3[1].gif
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\O1U7CLMV\ico1[1].gif
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\GH4Z01U1\index[4].htm
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\O3IBOV2D\index[2].htm
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\SLQRS9IB\top_pic2[1].gif
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\SLQRS9IB\top1_menu[1].gif
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\O3IBOV2D\checksoft[1].js
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\O3IBOV2D\ico1[1].gif
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\O3IBOV2D\top1[1].gif
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\GH4Z01U1\ico4[1].gif
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\O1U7CLMV\spacer[11].gif
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\O1U7CLMV\ico4[1].gif
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\O1U7CLMV\logo[2].gif
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\GH4Z01U1\logo[1].gif
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\O3IBOV2D\2006[1].htm
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\GH4Z01U1\tracking[1].js
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\SLQRS9IB\wav_banner[1].swf
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\O1U7CLMV\ico5[1].gif
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\GH4Z01U1\button2[1].gif
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\SLQRS9IB\ico2[2].gif
C:\Documents and Settings\Gjest\Lokale innstillinger\Temporary Internet Files\Content.IE5\SLQRS9IB\ico3[1].gif
Guest member-1768784, posted 9 February 2007 (edited 10 April 2017 by member-1768784)

-
norbat, posted 9 February 2007

Run HJT and fix:
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
Apart from that, your log looks fine. Are you still bothered by popups?
Jaap (thread author), posted 9 February 2007 (edited)

That did not help. The popups are still coming.

Edited 9 February 2007 by Jaap
norbat, posted 9 February 2007 (edited)

When does the popup appear: when you are using the browser, or just out of the blue? We can try a bit more:

You have some O16 lines in HJT that I cannot identify and that can be deleted if you do not recognise them:
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/support/plugins/ebraryRdr.cab
O16 - DPF: {4C0942C1-C405-4805-B3B6-EA16F2DDD1BD} (innova-Panorama-Viewer Object) - http://www.innova-webplaner.de/innova/pano...um.7.0.0.12.cab
O16 - DPF: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} (WebInterface Class) - https://fastsend.com/products/Fsplugin.cab

If IE is your browser and the problem appears when you start it, check that the temporary internet files have been deleted (CCleaner should take care of this, but...). You can delete them from IE: Tools -> Internet Options. Delete cookies and temporary files.

You can also run an extra scan with DrWeb: Download DrWeb. Run drweb-cureit.exe (say yes to running an express scan). When that is finished, click Option -> Change settings. Under the Scan tab, untick Heuristic analysis. Under the Actions tab, all items under Malware should be set to Rename. Choose the partition you want to scan and then click the green arrow to start the scan. Choose "yes to all" when it finds something for the first time.

Edited 9 February 2007 by norbat
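The triage norbat does by hand above (single out the O16 entry with no friendly name pulled from an unfamiliar host, check the remaining O16 lines, look for anything odd in the service list) can be scripted. The following is an added example written for this page, not code from the thread or from HijackThis: it parses lines in the HJT log format quoted in this thread and flags O16 controls downloaded from hosts outside an allow-list, every O20 Winlogon Notify DLL, O23 services with "(no file)" or "Unknown owner", and O4 autoruns whose executable has no absolute path. The allow-list and the sample lines are constructed for the example; a flag means "look at this", not "this is malicious".

```python
"""Triage of HijackThis-style log lines (added example; not from HijackThis)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Hosts treated as known-good sources of O16 (Downloaded Program Files)
# controls.  ASSUMPTION for this example; maintain your own list in practice.
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "update.microsoft.com", "support.f-secure.com"}

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# "DPF: {CLSID} (Friendly Name) - target"; the "(Friendly Name)" part is optional.
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<target>.+)$")
# "Service: Display name (short) - Owner - C:\path\file.exe" or "... - (no file)".
# The name is matched greedily so that owners containing " - " are handled by the
# anchored path at the end.
SERVICE_RE = re.compile(r"^Service: (?P<name>.+) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+|\(no file\))$")
# "HKLM\..\Run: [ValueName] command line"
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<command>.+)$")

# Constructed sample in the format of the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programfiler\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Comdaer - CMD Technology, Inc. - (no file)
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Programfiler\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # HJT section, e.g. "O16"
    reason: str  # why a helper should look at the entry
    line: str    # the original log line


def dpf_host(target: str) -> Optional[str]:
    """Host of an O16 download URL, or None when the target is a local file."""
    if "://" not in target:
        return None
    return urlparse(target).hostname


def run_executable(command: str) -> str:
    """Executable part of a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0]


def triage(log_text: str, trusted_hosts=TRUSTED_DPF_HOSTS) -> List[Finding]:
    """Return the entries of an HJT log that merit a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m["kind"], m["body"]
        if kind == "O16":
            d = DPF_RE.match(body)
            host = dpf_host(d["target"]) if d else None
            if host and host.lower() not in trusted_hosts:
                reason = "ActiveX control fetched from a host outside the allow-list"
                if not d["name"]:
                    reason += "; no friendly name registered"
                findings.append(Finding(kind, reason, line))
        elif kind == "O20":
            # Winlogon Notify packages are DLLs loaded into winlogon.exe; check the vendor.
            findings.append(Finding(kind, "Winlogon Notify DLL; verify its vendor", line))
        elif kind == "O23":
            s = SERVICE_RE.match(body)
            if s and s["path"] == "(no file)":
                findings.append(Finding(kind, "service whose binary is missing (orphaned entry)", line))
            elif s and s["owner"] == "Unknown owner":
                findings.append(Finding(kind, "service binary without a recognised vendor", line))
        elif kind == "O4":
            r = RUN_RE.match(body)
            if r:
                exe = run_executable(r["command"])
                if "\\" not in exe and ":" not in exe:
                    # Resolved through the search path rather than a fixed location.
                    findings.append(Finding(kind, f"autorun '{exe}' has no absolute path", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

Run against the sample, the script reports five entries; the WGA control (trusted host), the Yahoo control (local file), the quoted QuickTime autorun and the Cisco service pass without a flag.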
Jaap (thread author), posted 10 February 2007

Hm, I can't get rid of it. I have run Dr.Web, which removed some viruses, and F-Prot, which also removed viruses and no longer reports the viruses I mentioned at the start of the thread. I have also run Hitman, which removed a whole lot of things, but popups still appear. Mostly Errorsafe, but other things too.

> When does the popup appear: when you are using the browser, or just out of the blue?

When I am using the browser, IE.

> We can try a bit more:
> You have some O16 lines in HJT that I cannot identify and that can be deleted if you do not recognise them:
> O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/support/plugins/ebraryRdr.cab
> O16 - DPF: {4C0942C1-C405-4805-B3B6-EA16F2DDD1BD} (innova-Panorama-Viewer Object) - http://www.innova-webplaner.de/innova/pano...um.7.0.0.12.cab
> O16 - DPF: {8E6AA867-94D4-4B4F-8791-1B048F8C122A} (WebInterface Class) - https://fastsend.com/products/Fsplugin.cab

These are known and harmless; they have been on the machine for a long time.

What about what F-Secure Blacklight Rootkit Eliminator found?
tyfrxccwea.exe
tyfrxccwea.dat
tyfrxccwea_nav.dat
tyfrxccwea_navps.dat
norbat, posted 10 February 2007

Unfortunately I don't know what tyfrxccwea.exe etc. belong to, but it may be worth a try to remove them. Create a restore point manually before you delete (Accessories -> System Tools -> System Restore).

We can see if we find anything more:
Download and run Combofix. It creates a log, which you post.
Download and run Rootchk.exe. It creates a log -> C:\rootlog txt, which you also post.
Jaap (thread author), posted 12 February 2007

It finally looks like it is in order! I renamed:
tyfrxccwea.exe
tyfrxccwea.dat
tyfrxccwea_nav.dat
tyfrxccwea_navps.dat
After that there have been no more popups. Many thanks for the help!
norbat, posted 12 February 2007 (edited)

Good that it worked out. This rootkit stuff is nasty business. After a 'clean-up' like this it is wise to reset the restore folder so that you are not reinfected by a possible system restore. Control Panel -> System -> System Restore. Tick "Turn off .....", restart the PC, then untick it to enable the function again. Afterwards create a restore point manually: Accessories -> System Tools -> System Restore. Choose to create a new one. Name it and click Create.

Edited 12 February 2007 by norbat