Trainman, posted 26 March 2007 (edited)

This is the one in question:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Programfiler1\blåtann\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
D:\PROGRA~2\Ad-Aware SE Plus\Ad-Watch.exe
C:\Programfiler\Grisoft\AVG7\avgcc.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Programfiler1\Opera\Opera.exe
D:\ERLING\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
O2 - BHO: (no name) - {9EC0F375-B98D-4DA5-A934-2641FE96B40F} - C:\WINDOWS\system32\ljjih.dll
O2 - BHO: (no name) - {D2A0728D-AB2F-4B91-9EEF-590C70EA075D} - C:\WINDOWS\SYSTEM32\fccbcyx.dll
O4 - HKCU\..\Run: [AWMON] "D:\PROGRA~2\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Programfiler1\Adobe\Reader\AdobeCollabSync.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = D:\Programfiler1\Adobe\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~2\MICROS~1\office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~2\MICROS~1\office\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8F48147B-78D9-40F9-ACC0-BDDE59B246F4} (AccountHelper Class) - http://www.tele2mail.com/static/apps/utils/AccountHelper.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Programfiler1\Superantispyware\SASWINLO.dll
O20 - Winlogon Notify: fccbcyx - C:\WINDOWS\SYSTEM32\fccbcyx.dll
O20 - Winlogon Notify: ljjih - C:\WINDOWS\system32\ljjih.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Programfiler1\blåtann\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

-- End of file - 3662 bytes

The ones called "O2 - BHO:" and so on I have tried to delete, but it doesn't work. What are they? Maybe one shouldn't delete something one doesn't know what is, but I suspect I have no use for them. I find them under O20 as "Winlogon Notify" too. Thanks in advance.

Edit: Additional information

Edited 30 March 2007 by Trainman
norbat, posted 26 March 2007

Hi,

Download Vundofix to the desktop
Double-click Vundofix.exe
Click the Scan for Vundo button
Click the Remove Vundo button
Answer yes and OK to the windows that appear
A log is created (C:\vundofix.txt) which you post later.

Then follow the long version in the following post: https://www.diskusjon.no/index.php?showtopic=691246
Trainman (thread author), posted 26 March 2007

Have scanned several times with SAS and AVG Anti-Virus/Spyware. Finds 1-2 new things every time. Run CCleaner regularly too. In safe mode I only get a black screen. Why is that? SAS has now found: Trojan.Downloader Quake11 and Trojan.Virtumonde/Resident. Haven't seen those before. It seems as though there is some junk deep down in the system and that all the anti-junk programs only catch what gets triggered by what is sitting deep down there.
norbat, posted 26 March 2007

When you have run the scans I'd like to see the log from SAS (preferences->statistics/logs) + the log from Vundofix (C:\vundofix.txt) + a new HJT log (before you run HJT, change the program name, hijackthis.exe, to something else, e.g. test.exe)
Trainman (thread author), posted 26 March 2007

SUPERAntiSpyware Scan Log
Generated 03/26/2007 at 11:14 PM

Application Version : 3.6.1000
Core Rules Database Version : 3206
Trace Rules Database Version: 1216

Scan type : Complete Scan
Total Scan Time : 01:31:43

Memory items scanned : 380
Memory threats detected : 2
Registry items scanned : 4987
Registry threats detected : 0
File items scanned : 30328
File threats detected : 2

Trojan.Downloader-Quake11
C:\WINDOWS\SYSTEM32\VOTYXOSK.DLL
C:\WINDOWS\SYSTEM32\VOTYXOSK.DLL

Trojan.Virtumonde/Resident
C:\WINDOWS\SYSTEM32\WXGJGLBB.DLL
C:\WINDOWS\SYSTEM32\WXGJGLBB.DLL

VundoFix V6.3.17

Checking Java version...
Sun Java not detected

Scan started at 22:36:17 26.03.2007

Listing files found while scanning....

C:\WINDOWS\system32\hijjl.bak1
C:\WINDOWS\system32\hijjl.bak2
C:\WINDOWS\system32\hijjl.ini
C:\WINDOWS\system32\hijjl.ini2
C:\WINDOWS\system32\hijjl.tmp
C:\WINDOWS\system32\ljjih.dll
C:\WINDOWS\system32\wxgjglbb.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hijjl.bak1
C:\WINDOWS\system32\hijjl.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hijjl.bak2
C:\WINDOWS\system32\hijjl.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hijjl.ini
C:\WINDOWS\system32\hijjl.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hijjl.ini2
C:\WINDOWS\system32\hijjl.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hijjl.tmp
C:\WINDOWS\system32\hijjl.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjih.dll
C:\WINDOWS\system32\ljjih.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wxgjglbb.dll
C:\WINDOWS\system32\wxgjglbb.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:55:19, on 26.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~2\Ad-Aware SE Plus\Ad-Watch.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Programfiler1\blåtann\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
D:\Programfiler1\Opera\Opera.exe
D:\Programfiler1\Superantispyware\SUPERAntiSpyware.exe
D:\ERLING\Test.exe.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
O2 - BHO: (no name) - {4D111494-003B-4D79-80DC-1BAFC7002DE1} - C:\WINDOWS\system32\ljjih.dll (file missing)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\wxgjglbb.dll (file missing)
O2 - BHO: (no name) - {C9AF7637-D942-4D93-BA4A-614266CB889A} - C:\WINDOWS\system32\ljjjj.dll
O2 - BHO: (no name) - {D2A0728D-AB2F-4B91-9EEF-590C70EA075D} - C:\WINDOWS\SYSTEM32\fccbcyx.dll
O4 - HKCU\..\Run: [AWMON] "D:\PROGRA~2\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Programfiler1\Adobe\Reader\AdobeCollabSync.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = D:\Programfiler1\Adobe\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~2\MICROS~1\office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~2\MICROS~1\office\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8F48147B-78D9-40F9-ACC0-BDDE59B246F4} (AccountHelper Class) - http://www.tele2mail.com/static/apps/utils/AccountHelper.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Programfiler1\Superantispyware\SASWINLO.dll
O20 - Winlogon Notify: fccbcyx - C:\WINDOWS\SYSTEM32\fccbcyx.dll
O20 - Winlogon Notify: ljjjj - C:\WINDOWS\system32\ljjjj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Programfiler1\blåtann\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

-- End of file - 4070 bytes

In addition I have a "SoundService" which AdWatch says adds a DLL file to the system32 folder. It is supposed to be in the Run key under "Local Machine-Software-Microsoft-Windows-Current version-run", but there is nothing there.
norbat, posted 26 March 2007

Run Vundofix once more. Also get Blacklight (click 'I accept') and run a scan. Then post a new Vundofix log + the log from Blacklight + a new HJT log.
Trainman (thread author), posted 27 March 2007

Will do it tonight. Many thanks for the help so far.
Trainman (thread author), posted 27 March 2007

Here is some stuff to chew on. Driveclean.exe is a nasty thing that doesn't give up easily. Spyware?? SoundService still starts up in a folder it doesn't exist in, changes the registry and adds a new DLL file to the system32 folder. New file every time. I get no hits when I google the file.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:59:08, on 27.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Programfiler1\blåtann\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
D:\PROGRA~2\Ad-Aware SE Plus\Ad-Watch.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
D:\Programfiler1\Opera\Opera.exe
C:\Programfiler\Internet Explorer\iexplore.exe
D:\ERLING\Test.exe.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
O2 - BHO: (no name) - {0EC07E03-3A92-4010-B0CB-C7AFBFB4CA73} - C:\WINDOWS\system32\yayxu.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\rcwtsvjg.dll
O2 - BHO: (no name) - {D2A0728D-AB2F-4B91-9EEF-590C70EA075D} - C:\WINDOWS\SYSTEM32\fccbcyx.dll
O4 - HKCU\..\Run: [AWMON] "D:\PROGRA~2\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Programfiler1\Adobe\Reader\AdobeCollabSync.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = D:\Programfiler1\Adobe\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~2\MICROS~1\office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~2\MICROS~1\office\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8F48147B-78D9-40F9-ACC0-BDDE59B246F4} (AccountHelper Class) - http://www.tele2mail.com/static/apps/utils/AccountHelper.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Programfiler1\Superantispyware\SASWINLO.dll
O20 - Winlogon Notify: fccbcyx - C:\WINDOWS\SYSTEM32\fccbcyx.dll
O20 - Winlogon Notify: yayxu - C:\WINDOWS\system32\yayxu.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Programfiler1\blåtann\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

VundoFix V6.3.17

Checking Java version...
Sun Java not detected

Scan started at 22:36:17 26.03.2007

Listing files found while scanning....

C:\WINDOWS\system32\hijjl.bak1
C:\WINDOWS\system32\hijjl.bak2
C:\WINDOWS\system32\hijjl.ini
C:\WINDOWS\system32\hijjl.ini2
C:\WINDOWS\system32\hijjl.tmp
C:\WINDOWS\system32\ljjih.dll
C:\WINDOWS\system32\wxgjglbb.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hijjl.bak1
C:\WINDOWS\system32\hijjl.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hijjl.bak2
C:\WINDOWS\system32\hijjl.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hijjl.ini
C:\WINDOWS\system32\hijjl.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hijjl.ini2
C:\WINDOWS\system32\hijjl.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hijjl.tmp
C:\WINDOWS\system32\hijjl.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjih.dll
C:\WINDOWS\system32\ljjih.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wxgjglbb.dll
C:\WINDOWS\system32\wxgjglbb.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...
Sun Java not detected

Scan started at 20:24:06 27.03.2007

Listing files found while scanning....

C:\WINDOWS\system32\rcwtsvjg.dll
C:\WINDOWS\system32\uxyay.bak1
C:\WINDOWS\system32\uxyay.ini
C:\WINDOWS\system32\yayxu.dll

-- End of file - 3971 bytes

Blacklight found nothing! Why do I get a black screen in safe mode? Curious whether there is any hope.
Trainman (thread author), posted 27 March 2007 (edited)

Here is a log from VirtumundoBeGone

[03/27/2007, 21:03:49] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Andreas og Eline\Skrivebord\VirtumundoBeGone.exe" )
[03/27/2007, 21:04:00] - Detected System Information:
[03/27/2007, 21:04:00] - Windows Version: 5.1.2600, Service Pack 2
[03/27/2007, 21:04:00] - Current Username: Andreas og Eline (Admin)
[03/27/2007, 21:04:00] - Windows is in NORMAL mode.
[03/27/2007, 21:04:00] - Searching for Browser Helper Objects:
[03/27/2007, 21:04:00] - BHO 1: {182B90A3-F372-438A-800C-6814B4DE417B} ()
[03/27/2007, 21:04:00] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2007, 21:04:00] - Checking for HKLM\...\Winlogon\Notify\cbxuvwv
[03/27/2007, 21:04:00] - Found: HKLM\...\Winlogon\Notify\cbxuvwv - This is probably Virtumundo.
[03/27/2007, 21:04:00] - Assigning {182B90A3-F372-438A-800C-6814B4DE417B} MSEvents Object
[03/27/2007, 21:04:00] - BHO list has been changed! Starting over...
[03/27/2007, 21:04:00] - BHO 1: {182B90A3-F372-438A-800C-6814B4DE417B} (MSEvents Object)
[03/27/2007, 21:04:00] - ALERT: Found MSEvents Object!
[03/27/2007, 21:04:00] - BHO 2: {86E03023-B636-453F-93FC-D6CB1E9E6C9A} ()
[03/27/2007, 21:04:00] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2007, 21:04:00] - Checking for HKLM\...\Winlogon\Notify\efeec
[03/27/2007, 21:04:00] - Found: HKLM\...\Winlogon\Notify\efeec - This is probably Virtumundo.
[03/27/2007, 21:04:00] - Assigning {86E03023-B636-453F-93FC-D6CB1E9E6C9A} MSEvents Object
[03/27/2007, 21:04:01] - BHO list has been changed! Starting over...
[03/27/2007, 21:04:01] - BHO 1: {182B90A3-F372-438A-800C-6814B4DE417B} (MSEvents Object)
[03/27/2007, 21:04:01] - ALERT: Found MSEvents Object!
[03/27/2007, 21:04:01] - BHO 2: {86E03023-B636-453F-93FC-D6CB1E9E6C9A} (MSEvents Object)
[03/27/2007, 21:04:01] - ALERT: Found MSEvents Object!
[03/27/2007, 21:04:01] - Finished Searching Browser Helper Objects
[03/27/2007, 21:04:01] - *** Detected MSEvents Object
[03/27/2007, 21:04:01] - Trying to remove MSEvents Object...
[03/27/2007, 21:04:02] - Terminating Process: IEXPLORE.EXE
[03/27/2007, 21:04:03] - Terminating Process: RUNDLL32.EXE
[03/27/2007, 21:04:04] - Disabling Automatic Shell Restart
[03/27/2007, 21:04:04] - Terminating Process: EXPLORER.EXE
[03/27/2007, 21:04:04] - Suspending the NT Session Manager System Service
[03/27/2007, 21:04:05] - Terminating Windows NT Logon/Logoff Manager
[03/27/2007, 21:04:05] - Re-enabling Automatic Shell Restart
[03/27/2007, 21:04:05] - File to disable: C:\WINDOWS\SYSTEM32\cbxuvwv.dll
[03/27/2007, 21:04:05] - Renaming C:\WINDOWS\SYSTEM32\cbxuvwv.dll -> C:\WINDOWS\SYSTEM32\cbxuvwv.dll.vir
[03/27/2007, 21:04:05] - File successfully renamed!
[03/27/2007, 21:04:06] - Removing HKLM\...\Browser Helper Objects\{182B90A3-F372-438A-800C-6814B4DE417B}
[03/27/2007, 21:04:06] - Removing HKCR\CLSID\{182B90A3-F372-438A-800C-6814B4DE417B}
[03/27/2007, 21:04:06] - Adding Kill Bit for ActiveX for GUID: {182B90A3-F372-438A-800C-6814B4DE417B}
[03/27/2007, 21:04:06] - Deleting ATLEvents/MSEvents Registry entries
[03/27/2007, 21:04:06] - Removing HKLM\...\Winlogon\Notify\cbxuvwv
[03/27/2007, 21:04:06] - Searching for Browser Helper Objects:
[03/27/2007, 21:04:06] - BHO 1: {86E03023-B636-453F-93FC-D6CB1E9E6C9A} (MSEvents Object)
[03/27/2007, 21:04:06] - ALERT: Found MSEvents Object!
[03/27/2007, 21:04:06] - Finished Searching Browser Helper Objects
[03/27/2007, 21:04:06] - *** Detected MSEvents Object
[03/27/2007, 21:04:06] - Trying to remove MSEvents Object...
[03/27/2007, 21:04:07] - Terminating Process: IEXPLORE.EXE
[03/27/2007, 21:04:07] - Terminating Process: RUNDLL32.EXE
[03/27/2007, 21:04:08] - Disabling Automatic Shell Restart
[03/27/2007, 21:04:08] - Terminating Process: EXPLORER.EXE
[03/27/2007, 21:04:08] - Suspending the NT Session Manager System Service
[03/27/2007, 21:04:08] - Terminating Windows NT Logon/Logoff Manager
[03/27/2007, 21:04:09] - Re-enabling Automatic Shell Restart
[03/27/2007, 21:04:09] - File to disable: C:\WINDOWS\system32\efeec.dll
[03/27/2007, 21:04:09] - Renaming C:\WINDOWS\system32\efeec.dll -> C:\WINDOWS\system32\efeec.dll.vir
[03/27/2007, 21:04:09] - File successfully renamed!
[03/27/2007, 21:04:09] - Removing HKLM\...\Browser Helper Objects\{86E03023-B636-453F-93FC-D6CB1E9E6C9A}
[03/27/2007, 21:04:09] - Removing HKCR\CLSID\{86E03023-B636-453F-93FC-D6CB1E9E6C9A}
[03/27/2007, 21:04:09] - Adding Kill Bit for ActiveX for GUID: {86E03023-B636-453F-93FC-D6CB1E9E6C9A}
[03/27/2007, 21:04:09] - Deleting ATLEvents/MSEvents Registry entries
[03/27/2007, 21:04:09] - Removing HKLM\...\Winlogon\Notify\efeec
[03/27/2007, 21:04:09] - Searching for Browser Helper Objects:
[03/27/2007, 21:04:09] - Finished Searching Browser Helper Objects
[03/27/2007, 21:04:09] - Finishing up...
[03/27/2007, 21:04:09] - A restart is needed.
[03/27/2007, 21:06:14] - Attempting to Restart via STOP error (Blue Screen!)
[03/27/2007, 21:09:27] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Andreas og Eline\Skrivebord\VirtumundoBeGone.exe" )
[03/27/2007, 21:09:31] - Detected System Information:
[03/27/2007, 21:09:31] - Windows Version: 5.1.2600, Service Pack 2
[03/27/2007, 21:09:31] - Current Username: Andreas og Eline (Admin)
[03/27/2007, 21:09:31] - Windows is in NORMAL mode.
[03/27/2007, 21:09:31] - Searching for Browser Helper Objects:
[03/27/2007, 21:09:31] - Finished Searching Browser Helper Objects
[03/27/2007, 21:09:31] - Finishing up...
[03/27/2007, 21:09:31] - Nothing found! Exiting...

Edited 27 March 2007 by Trainman
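The VirtumundoBeGone log above applies one cross-reference: a BHO with no default name whose DLL is also registered as a Winlogon Notify package is treated as probable Virtumundo. The following is an added example, not code from this thread, HijackThis or VirtumundoBeGone, that applies the same cross-reference to pasted HJT log lines and additionally reports a nameless BHO whose file is already gone as a leftover registration. The sample lines are taken from the first two HJT logs in the thread; the verdict labels and the `Finding` structure are my own.

```python
"""Correlate HijackThis O2 (BHO) and O20 (Winlogon Notify) lines.

Vundo/Virtumonde registers one randomly named DLL both as a Browser
Helper Object without a default name and as a Winlogon Notify package,
so a nameless O2 entry and an O20 entry pointing at the same file is
the pattern to look for. Added example; verdict labels are my own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# "O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# "O20 - Winlogon Notify: <subkey> - <path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    clsid: str
    dll: str          # lower-cased file name, e.g. "ljjih.dll"
    notify_key: str   # matching HKLM\...\Winlogon\Notify subkey, "" if none
    verdict: str      # "likely-vundo" or "orphaned-bho"


def dll_name(path: str) -> str:
    """File name from a Windows path, lower-cased so System32/system32 match."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(log_text: str) -> List[Finding]:
    """Return findings for every nameless BHO that is suspicious."""
    bhos = []
    notify_by_dll = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            bhos.append(m)
        elif m := O20_RE.match(line):
            notify_by_dll[dll_name(m["path"])] = m["key"]

    findings = []
    for m in bhos:
        if m["name"] != "(no name)":
            continue  # named BHOs (toolbars, Java helper) are out of scope here
        dll = dll_name(m["path"])
        key = notify_by_dll.get(dll, "")
        if key:
            # Same DLL loaded by winlogon.exe and by the browser: the Vundo pattern.
            findings.append(Finding(m["clsid"], dll, key, "likely-vundo"))
        elif m["missing"]:
            # File already deleted, but the CLSID registration survived the cleanup.
            findings.append(Finding(m["clsid"], dll, "", "orphaned-bho"))
    return findings


# Constructed sample: lines copied from the first HJT log in the thread.
SAMPLE_BEFORE = r"""
O2 - BHO: (no name) - {9EC0F375-B98D-4DA5-A934-2641FE96B40F} - C:\WINDOWS\system32\ljjih.dll
O2 - BHO: (no name) - {D2A0728D-AB2F-4B91-9EEF-590C70EA075D} - C:\WINDOWS\SYSTEM32\fccbcyx.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_11\bin\ssv.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Programfiler1\Superantispyware\SASWINLO.dll
O20 - Winlogon Notify: fccbcyx - C:\WINDOWS\SYSTEM32\fccbcyx.dll
O20 - Winlogon Notify: ljjih - C:\WINDOWS\system32\ljjih.dll
"""

# Constructed sample: lines copied from the HJT log taken after the first VundoFix run.
SAMPLE_AFTER = r"""
O2 - BHO: (no name) - {4D111494-003B-4D79-80DC-1BAFC7002DE1} - C:\WINDOWS\system32\ljjih.dll (file missing)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\wxgjglbb.dll (file missing)
O2 - BHO: (no name) - {C9AF7637-D942-4D93-BA4A-614266CB889A} - C:\WINDOWS\system32\ljjjj.dll
O2 - BHO: (no name) - {D2A0728D-AB2F-4B91-9EEF-590C70EA075D} - C:\WINDOWS\SYSTEM32\fccbcyx.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Programfiler1\Superantispyware\SASWINLO.dll
O20 - Winlogon Notify: fccbcyx - C:\WINDOWS\SYSTEM32\fccbcyx.dll
O20 - Winlogon Notify: ljjjj - C:\WINDOWS\system32\ljjjj.dll
"""


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"== {label} ==")
        for f in analyse(text):
            print(f"{f.verdict:13} {f.dll:14} {f.clsid}  notify={f.notify_key or '-'}")
```

The named SuperAntiSpyware entry (!SASWinLogon) never appears in the output because no nameless BHO points at its DLL, which is the distinction the heuristic relies on.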
norbat, posted 27 March 2007

Can you post a new HJT log
Trainman (thread author), posted 27 March 2007

> Can you post a new HJT log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 00:21:49, on 28.03.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Programfiler1\blåtann\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
D:\PROGRA~2\Ad-Aware SE Plus\Ad-Watch.exe
D:\Programfiler1\Adobe\Reader\reader_sl.exe
C:\Programfiler\Trend Micro\Tmasy\Tmasy.exe
D:\Programfiler1\Opera\Opera.exe
C:\WINDOWS\system32\wuauclt.exe
D:\ERLING\Test.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
O4 - HKCU\..\Run: [AWMON] "D:\PROGRA~2\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Programfiler\Trend Micro\Tmasy\Tmasy.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Programfiler1\Adobe\Reader\AdobeCollabSync.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = D:\Programfiler1\Adobe\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://D:\PROGRA~2\MICROS~1\office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~2\MICROS~1\office\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {8F48147B-78D9-40F9-ACC0-BDDE59B246F4} (AccountHelper Class) - http://www.tele2mail.com/static/apps/utils/AccountHelper.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Programfiler1\Superantispyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Programfiler1\blåtann\BTNtService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

-- End of file - 3456 bytes
norbat, posted 28 March 2007

The log looks fairly clean now. You should 'reset' the System Restore folder: Control Panel->System->System Restore. Tick "Turn off .....", restart the PC, then untick it again to re-enable the function. Afterwards create a restore point manually: Accessories->System Tools->System Restore. Choose to create a new one. Name it and click create.

Can you tell me a bit about how the PC is running and any problems you have?
Trainman (thread author), posted 28 March 2007

Will sort out the System Restore thing. Good advice! At the moment the PC works very well. No DriveClean or anything else popping up. You deserve a huge thank you for useful and good tips.
norbat, posted 28 March 2007 (edited)

Sounds good. We should do an extra check to see whether there is anything left to remove:

Get Combofix and put it on the desktop.
Run Combofix.
When the program is finished a log file opens: combofix.txt
Could you post it.

Edited 29 March 2007 by norbat
Trainman (thread author), posted 29 March 2007

> Sounds good. We should do an extra check to see whether there is anything left to remove:
> Get Combofix and put it on the desktop.
> Run Combofix.
> When the program is finished a log file opens: combofix.txt
> Could you post it.

Have been working until late tonight, but here is the log from Combofix

2007-03-28 00:17 178,408 --a------ C:\WINDOWS\system32\muweb.dll
2007-03-27 23:53 <DIR> d-------- C:\Programfiler\Trend Micro
2007-03-27 20:56 635,741 ---hs---- C:\WINDOWS\system32\ceefe.bak1
2007-03-26 23:31 633,047 ---hs---- C:\WINDOWS\system32\jjjjl.bak1
2007-03-26 22:36 <DIR> d-------- C:\VundoFix Backups
2007-03-26 16:06 <DIR> dr-h----- C:\DOCUME~1\ANDREA~1\Siste
2007-03-26 13:47 <DIR> d-------- C:\DOCUME~1\ANDREA~1\PROGRA~1\Talkback
2007-03-26 11:06 123,972 --a------ C:\WINDOWS\system32\givnokib.dll
2007-03-25 19:24 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-25 11:07 123,972 --a------ C:\WINDOWS\system32\hlarooqg.dll
2007-03-25 01:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Iomatic
2007-03-24 20:51 40,960 --a------ C:\WINDOWS\system32\ssubtmr6.dll
2007-03-24 17:47 123,972 --a------ C:\WINDOWS\system32\pjoplyaw.dll
2007-03-24 13:23 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-03-24 10:48 123,972 --a------ C:\WINDOWS\system32\wmoenqka.dll
2007-03-24 10:47 <DIR> d-------- C:\DOCUME~1\ANDREA~1\PROGRA~1\Opera
2007-03-22 22:03 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-03-22 10:02 <DIR> d-------- C:\DOCUME~1\ANDREA~1\PROGRA~1\SUPERAntiSpyware.com
2007-03-22 10:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\SUPERAntiSpyware.com
2007-03-22 10:00 <DIR> d--h----- C:\WINDOWS\PIF
2007-03-22 09:55 <DIR> d-------- C:\WINDOWS\system32\nb-NO
2007-03-16 18:37 <DIR> d-------- C:\DOCUME~1\ANDREA~1\PROGRA~1\DivX
2007-03-16 01:50 36,624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-03-16 01:50 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-03-16 01:50 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-03-16 01:50 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-03-16 01:50 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-03-16 01:50 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-03-16 01:24 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-03-16 01:18 34,308 --a------ C:\WINDOWS\system32\Chip.dll
2007-03-15 11:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Windows Genuine Advantage
2007-03-15 10:03 <DIR> d-------- C:\DOCUME~1\ANDREA~1\PROGRA~1\Azureus
2007-03-12 16:31 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-03-12 01:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Teleca
2007-03-12 01:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\Sony Ericsson
2007-03-12 01:06 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-03-12 01:05 892,928 --a------ C:\WINDOWS\system32\NCTAudioInformation.dll
2007-03-12 01:05 647,168 --a------ C:\WINDOWS\system32\NCTAudioLibrary.dll
2007-03-12 01:05 413,760 --a------ C:\WINDOWS\system32\mpg4c32.dll
2007-03-12 01:05 344,064 --a------ C:\WINDOWS\system32\Msvcr70.dll
2007-03-12 01:05 335,872 --a------ C:\WINDOWS\system32\NCTAudioVisualization2.dll
2007-03-12 01:05 327,680 --a------ C:\WINDOWS\system32\NCTAudioGrabber.dll
2007-03-12 01:05 315,392 --a------ C:\WINDOWS\system32\NCTAudioPlayer2.dll
2007-03-12 01:05 307,200 --a------ C:\WINDOWS\system32\NCTAudioRecord2.dll
2007-03-12 01:05 196,608 --a------ C:\WINDOWS\system32\NCTWMAFile2.dll
2007-03-12 01:05 1,839,104 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll
2007-03-12 01:05 1,703,936 --a------ C:\WINDOWS\system32\NCTAudioFile.dll
2007-03-03 11:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\QubeSoft
2007-02-28 14:13 <DIR> d-------- C:\DOCUME~1\ANDREA~1\PROGRA~1\RegistrySmart
2007-02-28 13:57 <DIR> d-------- C:\Programfiler\MSXML 6.0
2007-02-28 13:51 <DIR> d-------- C:\DOCUME~1\ANDREA~1\PROGRA~1\Sony Ericsson

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-03-26 17:55 -------- d-------- C:\Programfiler\google
2007-03-26 15:42 5139 --a------ C:\WINDOWS\mozver.dat
2007-03-25 11:10 69766 --a------ C:\WINDOWS\system32\perfc014.dat
2007-03-25 11:10 408202 --a------ C:\WINDOWS\system32\perfh014.dat
2007-03-23 23:05 -------- d--h----- C:\Programfiler\installshield installation information
2007-03-22 14:34 -------- d-------- C:\Programfiler\elektroniske tjenester
2007-03-22 01:03 -------- d-------- C:\Programfiler\java
2007-03-12 20:22 85120 --a------ C:\WINDOWS\system32\drivers\Rtnicxp.sys
2007-03-05 01:03 73216 --a------ C:\WINDOWS\st6unst.exe
2007-03-05 01:03 286720 --------- C:\WINDOWS\setup1.exe
2007-03-04 23:44 -------- d-------- C:\Programfiler\msn messenger
2007-02-28 21:25 -------- d-------- C:\Programfiler\windows media bonus pack for windows xp
2007-02-23 06:29 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-02-23 06:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-23 06:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-23 06:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-23 06:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-23 06:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-23 06:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-23 06:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-02-23 06:25 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-02-23 06:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-02-23 06:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-02-23 06:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-02-23 06:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-02-23 06:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-02-23 06:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-23 06:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-02-16 03:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-02-05 16:43 1481728 --------- C:\WINDOWS\system32\mssrch.dll
2007-02-05 16:42 1504768 --------- C:\WINDOWS\system32\tquery.dll
2007-02-05 16:41 134656 --------- C:\WINDOWS\system32\uncdms.dll
2007-02-05 16:41 122368 --------- C:\WINDOWS\system32\uncph.dll
2007-02-05 16:41 108544 --------- C:\WINDOWS\system32\uncne.dll
2007-02-05 16:40 98304 --------- C:\WINDOWS\system32\unccplext.dll
2007-02-05 16:40 260096 --------- C:\WINDOWS\system32\oeph.dll
2007-02-05 16:36 52224 --------- C:\WINDOWS\system32\msstrc.dll
2007-02-05 16:36 27136 --------- C:\WINDOWS\system32\rtffilt.dll
2007-02-05 16:36 111104 --------- C:\WINDOWS\system32\xmlfilter.dll
2007-02-05 16:35 248320 --------- C:\WINDOWS\system32\msshsq.dll
2007-02-05 16:35 167424 --------- C:\WINDOWS\system32\mssphtb.dll
2007-02-05 16:34 300032 --------- C:\WINDOWS\system32\searchindexer.exe
2007-02-05 16:33 331776 --------- C:\WINDOWS\system32\mssph.dll
2007-02-05 16:32 65536 --------- C:\WINDOWS\system32\propdefs.dll
2007-02-05 16:32 182784 --------- C:\WINDOWS\system32\searchprotocolhost.exe
2007-02-05 16:31 76800 --------- C:\WINDOWS\system32\searchfilterhost.exe
2007-02-05 16:30 23552 --------- C:\WINDOWS\system32\msscb.dll
2007-02-05 16:29 98816 --------- C:\WINDOWS\system32\mssitlb.dll
2007-02-05 16:29 51200 --------- C:\WINDOWS\system32\msscntrs.dll
2007-02-05 16:29 255488 --------- C:\WINDOWS\system32\srchadmin.dll
2007-02-05 16:28 733696 --------- C:\WINDOWS\system32\propsys.dll
2007-02-05 16:28 32256 --------- C:\WINDOWS\system32\mssprxy.dll
2007-02-05 16:24 2048 --------- C:\WINDOWS\system32\uncres.dll
2007-02-05 16:24 11264 --------- C:\WINDOWS\system32\oephres.dll
2007-02-05 15:24 99999 --------- C:\WINDOWS\system32\structuredqueryschema.bin
2007-02-05 15:24 18271 --------- C:\WINDOWS\system32\structuredqueryschematrivial.bin
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-03 12:22 23856 --a------ C:\WINDOWS\system32\spupdsvc.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AWMON"="\"D:\\PROGRA~2\\Ad-Aware SE Plus\\Ad-Watch.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^BlueSoleil.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start-meny\\Programmer\\Oppstart\\BlueSoleil.lnk"
"backup"="C:\\WINDOWS\\pss\\BlueSoleil.lnkCommon Startup"
"location"="Common Startup"
"command"="D:\\PROGRA~2\\BLTANN~1\\BLUESO~1.EXE "
"item"="BlueSoleil"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="APVXDWIN"
"hkey"="HKLM"
"command"="\"D:\\Programfiler\\APVXDWIN.EXE\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SCANINICIO]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Inicio"
"hkey"="HKLM"
"command"="\"D:\\Programfiler\\Inicio.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WmdmPmSN"=dword:00000003 "TermService"=dword:00000002 "TapiSrv"=dword:00000003 "Schedule"=dword:00000002 "RDSessMgr"=dword:00000003 "mnmsrvc"=dword:00000003 "ERSvc"=dword:00000002 "UPS"=dword:00000003 "SENS"=dword:00000002 "NipSvc"=dword:00000003 "helpsvc"=dword:00000002 "RasMan"=dword:00000002 "RasAuto"=dword:00000002 "BthServ"=dword:00000002 "WSearch"=dword:00000002 "WMPNetworkSvc"=dword:00000003 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="" "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" "{182B90A3-F372-438A-800C-6814B4DE417B}"="" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoStartBanner"=hex:01,00,00,00 "NoLogoff"="1" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "StartMenuLogoff"=dword:00000001 [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run] [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer] "StartMenuLogoff"=dword:00000001 [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\run] HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ 
DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 bthsvcs REG_MULTI_SZ BthServ\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\1-Click Maintenance.job ******************************************************************** catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Lenke til kommentar
norbat Posted 29 March 2007

Get Avenger and unpack it. Start the program, tick "Input Script Manually" and click the magnifying glass. In the window that opens, copy and paste what is in bold below:

---------------------------------------------
Files to delete:
C:\WINDOWS\system32\ceefe.bak1
C:\WINDOWS\system32\jjjjl.bak1
----------------------------------------------

Click the traffic light. Restart the PC. After the restart a log file will appear that tells you what has happened. You don't need to post it.

Apart from that, your PC appears to be free of spyware.
Trainman (author) Posted 29 March 2007

Will do! Thanks again so much for the help, Norbat.