granskog1 (posted 12 April 2007)

I've been struggling with a lot of virus/spyware junk lately, and some of it is really persistent. I ran SUPERAntiSpyware in safe mode:

SUPERAntiSpyware Scan Log
Generated 04/13/2007 at 09:53 AM
Application Version : 3.6.1000
Core Rules Database Version : 3217
Trace Rules Database Version: 1227
Scan type : Quick Scan
Total Scan Time : 00:06:50
Memory items scanned : 189
Memory threats detected : 0
Registry items scanned : 672
Registry threats detected : 24
File items scanned : 11716
File threats detected : 10

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}
HKCR\CLSID\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}
HKCR\CLSID\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}
HKCR\CLSID\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32
HKCR\CLSID\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32#ThreadingModel
HKCR\CLSID\{385AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\PCTOOLS\PCTOOLS.DLL
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{DFCB34B6-902D-426E-AE2B-1B294AE19F4F}
HKCR\CLSID\{DFCB34B6-902D-426E-AE2B-1B294AE19F4F}
HKCR\CLSID\{DFCB34B6-902D-426E-AE2B-1B294AE19F4F}
HKCR\CLSID\{DFCB34B6-902D-426E-AE2B-1B294AE19F4F}\InprocServer32
HKCR\CLSID\{DFCB34B6-902D-426E-AE2B-1B294AE19F4F}\InprocServer32#ThreadingModel
HKCR\CLSID\{DFCB34B6-902D-426E-AE2B-1B294AE19F4F}\ProgID
HKCR\CLSID\{DFCB34B6-902D-426E-AE2B-1B294AE19F4F}\Programmable
HKCR\CLSID\{DFCB34B6-902D-426E-AE2B-1B294AE19F4F}\TypeLib
HKCR\CLSID\{DFCB34B6-902D-426E-AE2B-1B294AE19F4F}\VersionIndependentProgID
HKCR\KWBand.CExplorerBar.1
HKCR\KWBand.CExplorerBar
HKCR\TypeLib\{FD5EC997-35AB-49B6-A504-D0879643845F}
HKCR\TypeLib\{FD5EC997-35AB-49B6-A504-D0879643845F}\1.0
HKCR\TypeLib\{FD5EC997-35AB-49B6-A504-D0879643845F}\1.0\0
HKCR\TypeLib\{FD5EC997-35AB-49B6-A504-D0879643845F}\1.0\0\win32
HKCR\TypeLib\{FD5EC997-35AB-49B6-A504-D0879643845F}\1.0\FLAGS
HKCR\TypeLib\{FD5EC997-35AB-49B6-A504-D0879643845F}\1.0\HELPDIR
C:\WINDOWS\SYSTEM32\4621NTOS.DLL
HKU\S-1-5-21-1292428093-842925246-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks#{DFCB34B6-902D-426E-AE2B-1B294AE19F4F}

Trojan.Downloader-Sino/QQ
C:\WINDOWS\SYSTEM32\WBEM\GJMBH.DLL
C:\WINDOWS\SYSTEM32\WBEM\OAEBJ.DLL
C:\WINDOWS\SYSTEM32\WBEM\UESJT.DLL
C:\WINDOWS\SYSTEM32\WBEM\FCCAX.DLL
C:\WINDOWS\SYSTEM32\WBEM\DTIHN.DLL
C:\WINDOWS\SYSTEM32\WBEM\LFZJY.DLL
C:\WINDOWS\SYSTEM32\WBEM\GNWUA.DLL
C:\WINDOWS\SYSTEM32\WBEM\ATPNN.DLL

After rebooting I have now run HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:01:00 AM, on 4/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\AceLogix\StartupGuard\sg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MSRundll.exe
C:\Documents and Settings\anders\Desktop\hijackthis\test.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ah-medical.com/index.asp
R3 - URLSearchHook: 18bc - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4621ntos.dll (file missing)
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\PCTOOLS\PCTOOLS.DLL (file missing)
O2 - BHO: (no name) - {b3b9f846-18bc-4621-ae2b-1b294ae19f4f} - C:\WINDOWS\system32\4621ntos.dll (file missing)
O2 - BHO: CPPIE Class - {C6844939-C324-41E0-84D0-D42F8DA5EBAD} - C:\WINDOWS\system32\hbcmd.dll
O2 - BHO: (no name) - {e19ced64-97dc-467d-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\467dcfsb.dll (file missing)
O3 - Toolbar: 18bc - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4621ntos.dll (file missing)
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe" /T
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [startup Guard] C:\Program Files\AceLogix\StartupGuard\sg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Windows Accounts Driver (WindowsRemote) - Unknown owner - C:\WINDOWS\system32\ie.exe (file missing)

Several of the entries in the HJT log say "file missing"; I assume those have been fixed, then..? I also had something called Win32.Trojan-PSW.Lineage, and installed Prevx1 to try to get rid of it. That program now complains about the file c:\windows\system32\lfrmewrk.exe. If I try to delete it, it is just recreated immediately. I think C:\WINDOWS\system32\MSRundll.exe is also some bogus thing; it also reappears after a while. All help gratefully received.
norbat (posted 12 April 2007)

Run HJT, check the following lines and click 'Fix checked':

R3 - URLSearchHook: 18bc - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4621ntos.dll (file missing)
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\PCTOOLS\PCTOOLS.DLL (file missing)
O2 - BHO: (no name) - {b3b9f846-18bc-4621-ae2b-1b294ae19f4f} - C:\WINDOWS\system32\4621ntos.dll (file missing)
O2 - BHO: CPPIE Class - {C6844939-C324-41E0-84D0-D42F8DA5EBAD} - C:\WINDOWS\system32\hbcmd.dll
O2 - BHO: (no name) - {e19ced64-97dc-467d-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\467dcfsb.dll (file missing)
O3 - Toolbar: 18bc - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4621ntos.dll (file missing)
O23 - Service: Windows Accounts Driver (WindowsRemote) - Unknown owner - C:\WINDOWS\system32\ie.exe (file missing)

Click Start->Run. Type: services.msc
See if you can find the service WindowsRemote. Double-click the service and choose Disabled under startup type.

Make sure you can see hidden files and folders: Control Panel->Folder Options->View->"Show hidden files and folders".

Download SDFix.exe. Extract the program. Then get DrWeb (one-time scanner). Put it on the desktop.

Restart in safe mode (tap F8 during startup, choose safe mode).

Use Explorer to find and delete:
C:\WINDOWS\system32\MSRundll.exe
C:\WINDOWS\system32\hbcmd.dll
C:\WINDOWS\system32\ie.exe <- it may not exist

Run RunThis.bat in the SDFix folder. A report (Report.txt) is created, which you post later.

Run drweb-cureit.exe (say yes to running an express scan). When that is done, click Option -> Change settings. Under the Scan tab, uncheck Heuristic analysis. Under the Actions tab, all items under Malware should be set to Rename. Choose the partition you want to scan and then click the green arrow to start the scan. Choose "yes to all" when it finds something for the first time.

Restart in normal mode.

Post a new HJT log + the log from SDFix. Also say whether DrWeb found anything and how the PC is running. (Process.exe will be found by DrWeb, but it belongs to SDFix and is not dangerous.)

Edited 12 April 2007 by norbat
Trainman (posted 12 April 2007)

Run HJT and check the following:

R3 - URLSearchHook: 18bc - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4621ntos.dll (file missing)
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\PCTOOLS\PCTOOLS.DLL (file missing)
O2 - BHO: (no name) - {b3b9f846-18bc-4621-ae2b-1b294ae19f4f} - C:\WINDOWS\system32\4621ntos.dll (file missing)
O2 - BHO: (no name) - {e19ced64-97dc-467d-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\467dcfsb.dll (file missing)
O3 - Toolbar: 18bc - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4621ntos.dll (file missing)
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Windows Accounts Driver (WindowsRemote) - Unknown owner - C:\WINDOWS\system32\ie.exe (file missing)
granskog1 (thread author, posted 12 April 2007)

I followed norbat's guide. There is no service called WindowsRemote or similar. I can't find a separate SDFix log, but there are three text files with the following contents:

kill.txt
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright (C) 2002-2003 [email protected]
Error, Cannot find a process with an image name of wupdmgr.exe

ndloc.txt
C:\WINDOWS\system32\drivers\ndis.sys

report.txt
SDFix: Version 1.78
Run by anders - Fri 04/13/2007 - 11:27:22.96
Microsoft Windows XP [Version 5.1.2600]
Running From: F:\down\SDFix\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File

drweb-cureit found a lot. Among other things:
Trojan.NtRootKit.226
Adware.Newweb
Adware.Baidu
Trojan.Downloader.20783

Fix in HJT doesn't help. Everything comes back at the next scan. But this is how it looks now:

Logfile of HijackThis v1.99.1
Scan saved at 12:38:06 PM, on 4/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\AceLogix\StartupGuard\sg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\MSRundll.exe
C:\Documents and Settings\anders\Desktop\hijackthis\test.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ah-medical.com/index.asp
R3 - URLSearchHook: 18bc - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4621ntos.dll (file missing)
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\PCTOOLS\PCTOOLS.DLL (file missing)
O2 - BHO: (no name) - {b3b9f846-18bc-4621-ae2b-1b294ae19f4f} - C:\WINDOWS\system32\4621ntos.dll (file missing)
O2 - BHO: CPPIE Class - {C6844939-C324-41E0-84D0-D42F8DA5EBAD} - C:\WINDOWS\system32\hbcmd.dll
O2 - BHO: (no name) - {e19ced64-97dc-467d-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\467dcfsb.dll (file missing)
O3 - Toolbar: 18bc - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4621ntos.dll (file missing)
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe" /T
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [startup Guard] C:\Program Files\AceLogix\StartupGuard\sg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Windows Accounts Driver (WindowsRemote) - Unknown owner - C:\WINDOWS\system32\ie.exe (file missing)

lfrmewrk.exe is still lurking in system32. Every time I open an Explorer window or an IE window it tries to run, but it gets blocked by Prevx1 (which then tells me). Otherwise the PC works as it should; I don't notice anything from the junk that is sitting there.
norbat (posted 13 April 2007)

There is a rootkit on there, which makes things a bit worse.

Go to Control Panel->System->System Restore. Check "Turn off ....", restart the PC.

Get Combofix and run the program. It creates a log which you post later. Do not click on any window while Combofix is running.

Restart in safe mode (tap F8 during startup, choose safe mode).

Run HJT, check the following lines and click 'Fix checked':

R3 - URLSearchHook: 18bc - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4621ntos.dll (file missing)
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\PCTOOLS\PCTOOLS.DLL (file missing)
O2 - BHO: (no name) - {b3b9f846-18bc-4621-ae2b-1b294ae19f4f} - C:\WINDOWS\system32\4621ntos.dll (file missing)
O2 - BHO: CPPIE Class - {C6844939-C324-41E0-84D0-D42F8DA5EBAD} - C:\WINDOWS\system32\hbcmd.dll
O2 - BHO: (no name) - {e19ced64-97dc-467d-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\467dcfsb.dll (file missing)
O3 - Toolbar: 18bc - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4621ntos.dll (file missing)
O23 - Service: Windows Accounts Driver (WindowsRemote) - Unknown owner - C:\WINDOWS\system32\ie.exe (file missing)

Use Explorer to find: lfrmewrk.exe -> rename it to lfrmewrk.bak

Use Explorer to find and delete:
C:\WINDOWS\system32\MSRundll.exe
C:\WINDOWS\system32\hbcmd.dll
C:\WINDOWS\system32\ie.exe

Click: Start->Run
Type: cmd [OK]
Type: sc stop WindowsRemote [Enter]
Type: sc delete WindowsRemote [Enter]
Type: Exit [Enter]

If this doesn't work (because the service isn't called WindowsRemote), see if you can find a service (follow the procedure from the previous post) called Windows Accounts Driver. Choose startup type: Disabled.

Restart in normal mode.

Post the log from Combofix + a new log from HJT.

Edited 13 April 2007 by norbat
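Two things the thread turns on can be read straight out of the HJT log: what "(file missing)" actually says about an entry (the question in the first post), and which name to hand to sc stop / sc delete (the step above). The script below is an added example written for this page; it is not a tool from the thread and not HijackThis code. It parses HJT 1.99 entry lines, pivots them by CLSID and by file path so that one component hooked in several places shows as one cluster, lists the entries a helper would tick with a reason, and pulls the short service name out of the O23 line. SAMPLE_LOG is a constructed excerpt copied from the first HJT log posted in the thread; the flagging rules are this script's own heuristics, not HijackThis behaviour.

```python
"""Triage of a HijackThis 1.99 log (added example, not part of the thread).

Parse the 'Xn - ...' entry lines, pivot by CLSID / file path, list what a
helper would tick under 'Fix checked', and derive the sc.exe commands.
SAMPLE_LOG is a constructed excerpt of the thread's first HJT log.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ah-medical.com/index.asp
R3 - URLSearchHook: 18bc - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4621ntos.dll (file missing)
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\PCTOOLS\PCTOOLS.DLL (file missing)
O2 - BHO: (no name) - {b3b9f846-18bc-4621-ae2b-1b294ae19f4f} - C:\WINDOWS\system32\4621ntos.dll (file missing)
O2 - BHO: CPPIE Class - {C6844939-C324-41E0-84D0-D42F8DA5EBAD} - C:\WINDOWS\system32\hbcmd.dll
O3 - Toolbar: 18bc - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - C:\WINDOWS\system32\4621ntos.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdnns.dll' missing
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Accounts Driver (WindowsRemote) - Unknown owner - C:\WINDOWS\system32\ie.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|sys)\b", re.IGNORECASE)
# O23 body layout: "Service: <display name> (<short name>) - <owner> - <command>"
SVC_RE = re.compile(r"^Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<cmd>.+)$")


@dataclass
class Entry:
    section: str                 # R0, O2, O23, ...
    raw: str                     # the line as HJT printed it
    clsid: Optional[str]         # lower-cased CLSID, if the line has one
    path: Optional[str]          # lower-cased first file path on the line
    file_missing: bool           # HJT could not find the registered file
    service_name: Optional[str]  # O23 only: the name sc.exe uses
    owner: Optional[str]         # O23 only: vendor string or "Unknown owner"


def parse_log(text: str) -> List[Entry]:
    """Headers and the 'Running processes' list do not match ENTRY_RE and are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        clsid, path = CLSID_RE.search(body), PATH_RE.search(body)
        svc = SVC_RE.match(body) if sec == "O23" else None
        missing = "(file missing)" in body or (sec == "O10" and "missing" in body)
        entries.append(Entry(sec, line,
                             clsid.group(0).lower() if clsid else None,
                             path.group(0).lower() if path else None,
                             missing,
                             svc.group("name") if svc else None,
                             svc.group("owner") if svc else None))
    return entries


def pivot(entries: List[Entry]) -> Dict[str, List[str]]:
    """Section codes grouped by CLSID and by path; a component that hooks
    URLSearchHook + BHO + Toolbar shows as one cluster, not three lines."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.clsid:
            groups[e.clsid].append(e.section)
        if e.path:
            groups[e.path].append(e.section)
    return {k: v for k, v in groups.items() if len(v) > 1}


def fix_list(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(reason, line) for entries a helper would tick. '(file missing)' only
    says the target file is gone; the registry key itself is still present."""
    out = []
    for e in entries:
        if e.section == "O10":
            # An LSP chain is Winsock catalog state; on XP SP2 it is rebuilt
            # with 'netsh winsock reset', not by deleting one key.
            out.append(("broken LSP chain, rebuild the Winsock catalog", e.raw))
        elif e.section == "O23" and e.file_missing:
            out.append((f"service {e.service_name}: {e.owner}, binary gone", e.raw))
        elif e.file_missing:
            out.append(("dangling registration: key present, file gone", e.raw))
    return out


def services_to_delete(entries: List[Entry]) -> List[str]:
    """Short names of unknown-owner services whose binary is missing.
    sc.exe takes the short name in parentheses, not the display name."""
    return [e.service_name for e in entries
            if e.section == "O23" and e.file_missing and e.owner == "Unknown owner"]


def sc_commands(names: List[str]) -> List[str]:
    """cmd.exe lines, in order, for each service to remove."""
    return [cmd for n in names for cmd in (f"sc stop {n}", f"sc delete {n}")]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for key, secs in pivot(found).items():
        print(f"{key}: registered at {', '.join(secs)}")
    for reason, line in fix_list(found):
        print(f"[{reason}] {line}")
    for cmd in sc_commands(services_to_delete(found)):
        print(cmd)
```

On the sample, the pivot puts the R3, O2 and O3 lines for 4621ntos.dll into one cluster, which is why the helpers list them together. The hbcmd.dll BHO, whose file is present, is not flagged by any rule here; deciding about an entry like that takes a vendor or hash lookup the script does not do.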
granskog1 (thread author, posted 13 April 2007)

Now things are starting to help here, you know. Combofix log:

"anders" - 07-04-13 23:47:22 Service Pack 2
ComboFix 07-04-05 - Running from: "F:\down"

(((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))
C:\WINDOWS\Goauld.dll
C:\Program Files\Internet Explorer\pluuvbcg.dll
C:\Program Files\Internet Explorer\mpxdepsv.dll
C:\Program Files\Internet Explorer\yqwzsvvv.dll
C:\Program Files\Winamp\aogozvjv.dll
C:\Program Files\DAEMON Tools\rrpaynlx.dll
C:\Program Files\DAEMON Tools\fnlfybmf.dll
C:\Program Files\DAEMON Tools\aeevciqp.dll
C:\Program Files\Cisco Systems\VPN Client\drnntust.dll
C:\Program Files\Cisco Systems\VPN Client\hyiwmsxb.dll
C:\Program Files\Cisco Systems\VPN Client\wvqwykgn.dll
C:\Program Files\Cisco Systems\VPN Client\iaskxefg.dll
C:\Program Files\Cisco Systems\VPN Client\dobakoig.dll
C:\Program Files\Cisco Systems\VPN Client\fwfqnolt.dll
C:\Program Files\Cisco Systems\VPN Client\irioabou.dll
C:\Program Files\Cisco Systems\VPN Client\jchogcks.dll
C:\Program Files\Cisco Systems\VPN Client\mxoyuxyj.dll
C:\Program Files\Cisco Systems\VPN Client\srrvhvme.dll
C:\Program Files\Cisco Systems\VPN Client\pffsyawf.dll
C:\Program Files\Cisco Systems\VPN Client\gaesvscd.dll
C:\Program Files\Cisco Systems\VPN Client\qxuiqmfj.dll
C:\Program Files\Cisco Systems\VPN Client\wsqbtoqe.dll
C:\Program Files\Cisco Systems\VPN Client\epahwpxo.dll
C:\Program Files\Cisco Systems\VPN Client\nmrfzrbu.dll
C:\Program Files\Cisco Systems\VPN Client\uznxdley.dll
C:\Program Files\Cisco Systems\VPN Client\ewenynhe.dll
C:\Program Files\Cisco Systems\VPN Client\kragbosz.dll
C:\Program Files\Cisco Systems\VPN Client\vkbkclie.dll
C:\Program Files\Cisco Systems\VPN Client\bxxdfmla.dll
C:\Program Files\Cisco Systems\VPN Client\luobbooo.dll
C:\Program Files\Cisco Systems\VPN Client\spkleizj.dll
C:\Program Files\Cisco Systems\VPN Client\cmbjhkdq.dll
C:\Program Files\Cisco Systems\VPN Client\izxullol.dll
C:\Program Files\Cisco Systems\VPN Client\swvsggjz.dll
C:\Program Files\Cisco Systems\VPN Client\yjsljhuv.dll
C:\Program Files\Cisco Systems\VPN Client\mnopkvnc.dll
C:\Program Files\Cisco Systems\VPN Client\wkffgxqi.dll
C:\Program Files\Cisco Systems\VPN Client\dxbyrrbm.dll
C:\Program Files\Cisco Systems\VPN Client\ojttmina.dll
C:\Program Files\Cisco Systems\VPN Client\zolrlwjg.dll
C:\Program Files\Cisco Systems\VPN Client\kkqxevsi.dll
C:\Program Files\Cisco Systems\VPN Client\dowesqus.dll
C:\Program Files\Cisco Systems\VPN Client\mlucosxz.dll
C:\Program Files\Cisco Systems\VPN Client\wilzkmbn.dll
C:\Program Files\Cisco Systems\VPN Client\uiwhqlfj.dll
C:\Program Files\Cisco Systems\VPN Client\egvfmnix.dll
C:\Program Files\Cisco Systems\VPN Client\odldipld.dll
C:\Program Files\Cisco Systems\VPN Client\uqioljoy.dll
C:\Program Files\Cisco Systems\VPN Client\enymplrf.dll
C:\Program Files\Cisco Systems\VPN Client\okxkknvl.dll
C:\Program Files\Cisco Systems\VPN Client\ihtxbpjk.dll
C:\Program Files\Cisco Systems\VPN Client\sernwjnr.dll
C:\Program Files\Cisco Systems\VPN Client\rcdlmraw.dll
C:\Program Files\Cisco Systems\VPN Client\cjwsdshp.dll
C:\Program Files\Cisco Systems\VPN Client\gedlcrsv.dll
C:\Program Files\Cisco Systems\VPN Client\jngnishb.dll
C:\Program Files\Cisco Systems\VPN Client\kpshxmvx.dll
C:\Program Files\Cisco Systems\VPN Client\xjqoibty.dll
C:\Program Files\Cisco Systems\VPN Client\ewfgldeb.dll
C:\Program Files\Cisco Systems\VPN Client\uozpsysd.dll
C:\Program Files\Cisco Systems\VPN Client\yrucczln.dll
C:\Program Files\Cisco Systems\VPN Client\ojhljdrp.dll
C:\Program Files\Cisco Systems\VPN Client\pxsmvowg.dll
C:\Program Files\Cisco Systems\VPN Client\fpfvcjdp.dll
C:\Program Files\Cisco Systems\VPN Client\azdywwfn.dll
C:\Program Files\Cisco Systems\VPN Client\tzrlwotm.dll
C:\Program Files\Cisco Systems\VPN Client\ouvokaer.dll
C:\Program Files\Cisco Systems\VPN Client\xywsaarn.dll
C:\Program Files\Cisco Systems\VPN Client\pckpqkel.dll
C:\Program Files\Cisco Systems\VPN Client\cqghzdbs.dll
C:\Program Files\Cisco Systems\VPN Client\ttqppidd.dll
C:\Program Files\Cisco Systems\VPN Client\qyoeougt.dll
C:\Program Files\Cisco Systems\VPN Client\uffswmol.dll
C:\Program Files\Cisco Systems\VPN Client\gzwyaosa.dll
C:\Program Files\Cisco Systems\VPN Client\xgviuveb.dll
C:\Program Files\Cisco Systems\VPN Client\hhmzhqsu.dll
C:\Program Files\Cisco Systems\VPN Client\gbkxplwu.dll
C:\Program Files\Cisco Systems\VPN Client\nkvdpibn.dll
C:\Program Files\Cisco Systems\VPN Client\hjzhwvwo.dll
C:\Program Files\Cisco Systems\VPN Client\imzavohb.dll
C:\Program Files\Cisco Systems\VPN Client\oyjeeyqu.dll
C:\Program Files\Cisco Systems\VPN Client\sxpljsnv.dll
C:\Program Files\Cisco Systems\VPN Client\iwniklln.dll
C:\Program Files\Cisco Systems\VPN Client\egdrwpri.dll
C:\Program Files\Cisco Systems\VPN Client\ubqbvmqx.dll
C:\Program Files\Cisco Systems\VPN Client\fztudtbp.dll
C:\Program Files\Cisco Systems\VPN Client\ftmoktsc.dll
C:\Program Files\Cisco Systems\VPN Client\lvwyredt.dll
C:\Program Files\Cisco Systems\VPN Client\vtuomygz.dll
C:\Program Files\Cisco Systems\VPN Client\ydocfzyk.dll
C:\Program Files\Cisco Systems\VPN Client\mzthfmrs.dll
C:\Program Files\Cisco Systems\VPN Client\nnswfmpg.dll
C:\Program Files\Cisco Systems\VPN Client\wkjuaoku.dll
C:\Program Files\Cisco Systems\VPN Client\avdhlhdf.dll
C:\Program Files\Cisco Systems\VPN Client\qfypskrg.dll
C:\Program Files\Cisco Systems\VPN Client\uiuqzhbm.dll
C:\Program Files\Cisco Systems\VPN Client\upfwtflc.dll
C:\Program Files\Cisco Systems\VPN Client\pnjsakgv.dll
C:\Program Files\Cisco Systems\VPN Client\wmvikqdb.dll
C:\Program Files\Cisco Systems\VPN Client\qdoxwxhe.dll
C:\Program Files\Cisco Systems\VPN Client\lugvzmlp.dll
C:\WINDOWS\system32\drivers\ntlanui4.sys
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\r1005.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\b1005.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\k1005.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\a1005.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\p1005.dat
C:\Program Files\Common Files\cpush\Uninst.exe
C:\DOCUME~1\anders\APPLIC~1.\cuckoo\SendSoftInfo2
C:\DOCUME~1\anders\APPLIC~1.\cuckoo\windows.log
C:\DOCUME~1\anders\APPLIC~1.\cuckoo\pluglist.xml
C:\DOCUME~1\anders\APPLIC~1.\cuckoo\~lu.dat
C:\DOCUME~1\anders\APPLIC~1.\cuckoo\ThirdSoftInfo2
C:\Program Files\Common Files\system\updaterun.exe
C:\WINDOWS\system32\advport.dll
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\iexp_log.txt
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det
C:\WINDOWS\system32\wbem\ocmor.dll
C:\ie.exe
C:\WINDOWS\temp\~my1.tmp
C:\WINDOWS\system\dvl
C:\WINDOWS\config\starter\config.htm
C:\WINDOWS\system\lvl
C:\WINDOWS\system32\msrundll.exe
C:\WINDOWS\system32\wbem\mof\good\esery.mof
C:\WINDOWS\usb8028x.log
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Microsoft\PCTools
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td
C:\DOCUME~1\anders\LOCALS~1\APPLIC~1.\baidu
C:\Program Files\Common Files\cpush
C:\DOCUME~1\anders\APPLIC~1.\cuckoo

(((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))
-------\acpidisk
-------\ndcia
-------\ntlanui4
-------\qknr
-------\romman
-------\stdio
-------\usb8028
-------\usb8028x
-------\LEGACY_ACPIDISK
-------\LEGACY_BDGUARD
-------\LEGACY_CDNPROT
-------\LEGACY_CDNTRAN
-------\LEGACY_ISPONER
-------\LEGACY_NDCIA
-------\LEGACY_QKNR
-------\LEGACY_ROMMAN
-------\LEGACY_RPCS
-------\LEGACY_STDIO
-------\LEGACY_USB8028
-------\LEGACY_USB8028X

(((((((((((((((((((( Files Created from 2007-03-13 to 2007-04-13 ))))))))))))))))))))
2007-04-13 12:48         0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-04-13 11:32     <DIR> d-------- C:\DOCUME~1\anders\DoctorWeb
2007-04-13 11:29       583 --a------ C:\DOCUME~1\anders\clean.reg
2007-04-13 09:42     <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-04-13 09:42     <DIR> d-------- C:\DOCUME~1\anders\APPLIC~1\SUPERAntiSpyware.com
2007-04-13 09:42     <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-12 13:03 4,980,736 --a------ C:\DOCUME~1\anders\ntuser.dat
2007-04-12 12:06       522 --a------ C:\WINDOWS\system32\drivers\pxfsf.dat
2007-04-12 11:53    77,312 --a------ C:\WINDOWS\ua2.dll
2007-04-12 11:53     <DIR> d-------- C:\DOCUME~1\anders\APPLIC~1\Prevx
2007-04-12 11:53     <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-04-12 06:12     <DIR> d-------- C:\WINDOWS\pss
2007-04-12 04:45    76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-04-12 04:44     <DIR> d-------- C:\DOCUME~1\anders\.housecall6.6
2007-04-12 04:41     <DIR> d--hs---- C:\WINDOWS\CSC
2007-04-12 04:11     <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2007-04-12 03:48     <DIR> d-------- C:\Program Files\icfj
2007-04-12 03:47 1,015,296 --a------ C:\WINDOWS\system32\javascript.dll
2007-04-12 03:46   581,632 -r------- C:\WINDOWS\system32\bofang.dll
2007-04-12 03:46       176 --a------ C:\ie.vbs
2007-04-12 03:46   118,784 -r------- C:\WINDOWS\system32\hbcmd.dll
2007-04-12 03:46   102,400 -r------- C:\WINDOWS\system32\lfrmewrk.exe
2007-04-09 06:03   117,083 --a------ C:\WINDOWS\system32\drivers\203.exe

(((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))

(((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Startup Guard"="C:\\Program Files\\AceLogix\\StartupGuard\\sg.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"RivaTuner"="\"C:\\Program Files\\RivaTuner v2.0 RC 15.8\\RivaTuner.exe\" /T"
"nwiz"="nwiz.exe /install"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4DEC9B29-F08F-4cbc-B179-592B9283FAB1}"=""
"{4DEC9B29-F08F-4cbc-B179-592B9283FAB0}"=""
"{E464D6D7-935B-4203-9E74-8A6C60906B37}"=""
"{05397E9D-30D1-4216-AACB-F9EA1F1E4E85}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0lsanp\0

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\s-1-5-21-1292428093-842925246-839522115-1003\scripts\logon\0\0
script REG_SZ C:\WINDOWS\drwtsm32.exe

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{31a6235b-89cc-11da-8c53-806d6172696f}]
Shell\AutoRun\command D:\ASUSACPI.exe

********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************

Completion time: 07-04-13 23:53:10
C:\ComboFix-quarantined-files.txt ... 07-04-13 23:53

msrundll.exe and ie.exe were gone by now, so I only deleted hbcmd.dll and renamed lfrmewrk. Deleting windowsremote went fine. I do wonder whether everything is in order in the newest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:02:20 AM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\AceLogix\StartupGuard\sg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\anders\Desktop\hijackthis\test.exe

O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe" /T
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [startup Guard] C:\Program Files\AceLogix\StartupGuard\sg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
norbat Posted 13 April 2007

That HJT log looked a bit short. Was it run from normal mode? Anyway. Run Combofix once more and post the log + a new HJT log (from normal mode).
granskog1 Posted 13 April 2007 (thread author)

New combofix:

"anders" - 07-04-14 0:53:27 Service Pack 2
ComboFix 07-04-05 - Running from: "F:\down"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\usb8028x.log

((((((((((((((((((((((((((((((( Files Created from 2007-03-14 to 2007-04-14 ))))))))))))))))))))))))))))))))))

2007-04-13 12:48 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-04-13 11:32 <DIR> d-------- C:\DOCUME~1\anders\DoctorWeb
2007-04-13 11:29 583 --a------ C:\DOCUME~1\anders\clean.reg
2007-04-13 09:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-04-13 09:42 <DIR> d-------- C:\DOCUME~1\anders\APPLIC~1\SUPERAntiSpyware.com
2007-04-13 09:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-12 13:03 4,980,736 --a------ C:\DOCUME~1\anders\ntuser.dat
2007-04-12 11:53 77,312 --a------ C:\WINDOWS\ua2.dll
2007-04-12 11:53 <DIR> d-------- C:\DOCUME~1\anders\APPLIC~1\Prevx
2007-04-12 11:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-04-12 06:12 <DIR> d-------- C:\WINDOWS\pss
2007-04-12 04:45 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-04-12 04:44 <DIR> d-------- C:\DOCUME~1\anders\.housecall6.6
2007-04-12 04:41 <DIR> d--hs---- C:\WINDOWS\CSC
2007-04-12 04:11 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2007-04-12 03:48 <DIR> d-------- C:\Program Files\icfj
2007-04-12 03:47 1,015,296 --a------ C:\WINDOWS\system32\javascript.dll
2007-04-12 03:46 581,632 -r------- C:\WINDOWS\system32\bofang.dll
2007-04-12 03:46 176 --a------ C:\ie.vbs
2007-04-09 06:03 117,083 --a------ C:\WINDOWS\system32\drivers\203.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Startup Guard"="C:\\Program Files\\AceLogix\\StartupGuard\\sg.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"RivaTuner"="\"C:\\Program Files\\RivaTuner v2.0 RC 15.8\\RivaTuner.exe\" /T"
"nwiz"="nwiz.exe /install"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4DEC9B29-F08F-4cbc-B179-592B9283FAB1}"=""
"{4DEC9B29-F08F-4cbc-B179-592B9283FAB0}"=""
"{E464D6D7-935B-4203-9E74-8A6C60906B37}"=""
"{05397E9D-30D1-4216-AACB-F9EA1F1E4E85}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0lsanp\0

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\s-1-5-21-1292428093-842925246-839522115-1003\scripts\logon\0\0
script REG_SZ C:\WINDOWS\drwtsm32.exe

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{31a6235b-89cc-11da-8c53-806d6172696f}]
Shell\AutoRun\command D:\ASUSACPI.exe

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-14 0:54:34
C:\ComboFix-quarantined-files.txt ... 07-04-14 00:54
C:\ComboFix2.txt ... 07-04-13 23:53

new HJT:

Logfile of HijackThis v1.99.1
Scan saved at 12:55:50 AM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\AceLogix\StartupGuard\sg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\anders\Desktop\hijackthis\test.exe

O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe" /T
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [startup Guard] C:\Program Files\AceLogix\StartupGuard\sg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)

Run in normal mode. Does everything look OK?
norbat Posted 13 April 2007 (edited)

Hi,

The HJT log looks clean. I would still like to ask you to do one more thing:

Get SREng and unpack it on the desktop.
Double-click SREng.exe to start the program.
Choose 'Smart scan' and click the 'Scan' button.
When the scan is finished, click the 'Save Reports' button and save it to the desktop.
Copy the log and post it.

You can turn System Restore back on by removing the check mark in front of "Turn off...." in the same place where you turned it off.

Edited 13 April 2007 by norbat
granskog1 Posted 18 April 2007 (thread author)

Sorry for the late reply here (almost a bit rude, as good as you are at helping, norbat), but here is the SREng log:

2007-04-19,06:40:24
System Repair Engineer 2.4.12.806
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600) - Administrative User - Completed Functions Allowed

Follow item(s) have been choosed:
All Boot Items (Including Registry, Startup Folders, Services and so on)
Browser Add-ons
Runing Processes (Including process model information)
File Associations
Winsock Provider
Autorun.Inf
HOSTS File

Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Startup Guard><C:\Program Files\AceLogix\StartupGuard\sg.exe> []
<MSMSGS><"C:\Program Files\Messenger\msmsgs.exe" /background> [(Verified)Microsoft Windows Publisher]
<SUPERAntiSpyware><C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe> [SUPERAntiSpyware.com]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<PrevxOne><"C:\Program Files\Prevx1\PXConsole.exe"> [Prevx]
<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup> [(Verified)Microsoft Windows Hardware Compatibility Publisher]
<RivaTuner><"C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe" /T> []
<nwiz><nwiz.exe /install> []
<DAEMON Tools><"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033> [(Verified)DAEMON Tools Code Signing Services]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Windows Publisher]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows Publisher]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Windows Publisher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{4DEC9B29-F08F-4cbc-B179-592B9283FAB1}><c:\program files\cisco systems\vpn client\ftmoktsc.dll> [N/A]
<{4DEC9B29-F08F-4cbc-B179-592B9283FAB0}><c:\program files\cisco systems\vpn client\pnjsakgv.dll> [N/A]
<{E464D6D7-935B-4203-9E74-8A6C60906B37}><c:\program files\cisco systems\vpn client\fztudtbp.dll> [N/A]
<{05397E9D-30D1-4216-AACB-F9EA1F1E4E85}><c:\program files\daemon tools\aeevciqp.dll> [N/A]
<{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}><C:\Program Files\SUPERAntiSpyware\SASSEH.DLL> [SuperAdBlocker.com]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
<WinlogonNotify: !SASWinLogon><C:\Program Files\SUPERAntiSpyware\SASWINLO.dll> [SUPERAntiSpyware.com]

==================================
Startup Folders
N/A

==================================
Services
[Adobe LM Service / Adobe LM Service][Stopped/Manual Start]
<"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><>
[C3819F66 / C3819F66][Stopped/Disabled]
<C:\WINDOWS\system32\C3819F66.EXE -service><N/A>
[Cisco Systems, Inc. VPN Service / CVPND][Running/Auto Start]
<"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"><Cisco Systems, Inc.>
[EC9BE51D / EC9BE51D][Stopped/Disabled]
<C:\WINDOWS\system32\EC9BE51D.EXE -d><N/A>
[Human Interface Device Access / HidServ][Stopped/Disabled]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[InstallDriver Table Manager / IDriverT][Stopped/Manual Start]
<"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"><Macrovision Corporation>
[Kmlnksatas / Kmlnksatas][Stopped/Disabled]
<><N/A>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
<C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[Prevx Agent / PREVXAgent][Running/Auto Start]
<"C:\Program Files\Prevx1\PXAgent.exe" -f><Prevx>

==================================
Drivers
[Service for Realtek AC97 Audio (WDM) / ALCXWDM][Running/Manual Start]
<system32\drivers\ALCXWDM.SYS><Realtek Semiconductor Corp.>
[aslm75 / aslm75][Running/System Start]
<\??\C:\WINDOWS\system32\drivers\aslm75.sys><N/A>
[bucomp2 / bucomp25][Stopped/Boot Start]
<\SystemRoot\System32\DRIVERS\bucomp25.sys><N/A>
[Creative SBLive! Gameport / ctljystk][Stopped/Manual Start]
<system32\DRIVERS\ctljystk.sys><Creative Technology Ltd.>
[Cisco Systems VPN Adapter / CVirtA][Stopped/Manual Start]
<system32\DRIVERS\CVirtA.sys><Cisco Systems, Inc.>
[Cisco Systems Inc. IPSec Driver / CVPNDRVA][Running/Auto Start]
<\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys><Cisco Systems, Inc.>
[dahbdfbg / dahbdfbg][Stopped/Boot Start]
<\SystemRoot\system32\drivers\dahbdfbg.sys><N/A>
[Deterministic Network Enhancer Miniport / DNE][Running/Manual Start]
<system32\DRIVERS\dne2000.sys><Deterministic Networks, Inc.>
[dtscsi / dtscsi][Running/Manual Start]
<\SystemRoot\System32\Drivers\dtscsi.sys><N/A>
[Creative SB Live! (WDM) / emu10k][Stopped/Manual Start]
<system32\drivers\emu10k1m.sys><Creative Technology Ltd.>
[Creative Interface Manager Driver (WDM) / emu10k1][Stopped/Manual Start]
<system32\drivers\ctlfacem.sys><Creative Technology Ltd.>
[Hamachi Network Interface / hamachi][Stopped/Manual Start]
<system32\DRIVERS\hamachi.sys><Applied Networking Inc.>
[IVI ASPI Shell / Iviaspi][Running/Manual Start]
<system32\drivers\iviaspi.sys><InterVideo, Inc.>
[Sony Ericsson 750 driver (WDM) / k750bus][Stopped/Manual Start]
<system32\DRIVERS\k750bus.sys><MCCI>
[Sony Ericsson 750 USB WMC Modem Filter / k750mdfl][Stopped/Manual Start]
<system32\DRIVERS\k750mdfl.sys><MCCI>
[Sony Ericsson 750 USB WMC Modem Drivers / k750mdm][Stopped/Manual Start]
<system32\DRIVERS\k750mdm.sys><MCCI>
[Sony Ericsson 750 USB WMC Device Management Drivers / k750mgmt][Stopped/Manual Start]
<system32\DRIVERS\k750mgmt.sys><MCCI>
[Sony Ericsson 750 USB WMC OBEX Interface Drivers / k750obex][Stopped/Manual Start]
<system32\DRIVERS\k750obex.sys><MCCI>
[ATK0110 ACPI UTILITY / MTsensor][Running/Manual Start]
<system32\DRIVERS\ASACPI.sys><>
[mutzdw3 / mutzdw33][Stopped/Boot Start]
<\SystemRoot\System32\DRIVERS\mutzdw33.sys><N/A>
[nv / nv][Running/Manual Start]
<system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[nvata / nvata][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\nvata.sys><NVIDIA Corporation>
[oqxske5 / oqxske57][Stopped/Boot Start]
<\SystemRoot\System32\DRIVERS\oqxske57.sys><N/A>
[PREVX Kernel Mode Agent / PrevxDriver][Running/Boot Start]
<\SystemRoot\system32\DRIVERS\pxfsf.sys><Prevx Limited, http://www.prevx1.com/>
[PREVX Emulator driver / PREVXEmulator][Stopped/Manual Start]
<system32\DRIVERS\PxEmu.sys><Prevx Limited, http://www.prevx1.com/>
[PREVX TDI filter / PREVXTdi][Running/System Start]
<system32\DRIVERS\pxtdi.sys><Prevx Limited, http://www.prevx1.com/>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[PxHelp20 / PxHelp20][Running/Boot Start]
<\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
[PREVX Rootkitscan driver / PXRDDriver][Running/System Start]
<system32\DRIVERS\pxrd.sys><N/A>
[RivaTuner32 / RivaTuner32][Running/Manual Start]
<\??\C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner32.sys><N/A>
[SASDIFSV / SASDIFSV][Running/System Start]
<\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS><>
[SASENUM / SASENUM][Running/Manual Start]
<\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS><SuperAdBlocker, Inc.>
[SASKUTIL / SASKUTIL][Running/System Start]
<\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys><>
[Secdrv / Secdrv][Running/Auto Start]
<system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[StarForce Protection Environment Driver (version 1.x) / sfdrv01][Running/Boot Start]
<\SystemRoot\System32\drivers\sfdrv01.sys><Protection Technology>
[StarForce Protection Helper Driver (version 2.x) / sfhlp02][Running/Boot Start]
<\SystemRoot\System32\drivers\sfhlp02.sys><Protection Technology>
[Creative SoundFont Manager Driver (WDM) / sfman][Stopped/Manual Start]
<system32\drivers\sfmanm.sys><Creative Technology Ltd.>
[StarForce Protection VFS Driver (version 2.x) / sfvfs02][Running/Boot Start]
<\SystemRoot\System32\drivers\sfvfs02.sys><Protection Technology>
[sptd / sptd][Running/Boot Start]
<\SystemRoot\System32\Drivers\sptd.sys><N/A>
[Spy Emergency Driver / SpyEmrg][Running/System Start]
<System32\Drivers\spyemrg.sys><NETGATE>
[tmcomm / tmcomm][Running/Auto Start]
<\??\C:\WINDOWS\system32\drivers\tmcomm.sys><Trend Micro Inc.>
[vsdatant / vsdatant][Stopped/Manual Start]
<\??\C:\WINDOWS\system32\vsdatant.sys><Zone Labs Inc.>
[wvomib9 / wvomib99][Stopped/Boot Start]
<\SystemRoot\System32\DRIVERS\wvomib99.sys><N/A>
[NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller / yukonwxp][Running/Manual Start]
<system32\DRIVERS\yk51x86.sys><Marvell>

==================================
Browser Add-ons
[Java Plug-in] {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll, Sun Microsystems, Inc.>
[QuickTime Object] {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} <C:\Program Files\QuickTime\QTPlugin.ocx, Apple Computer, Inc.>
[Java Plug-in] {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in] {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in] {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll, Sun Microsystems, Inc.>
[Java Plug-in 1.5.0_06] {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll, Sun Microsystems, Inc.>
[Shockwave Flash Object] {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx, Macromedia, Inc.>
[QuickTime Object] {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} <C:\Program Files\QuickTime\QTPlugin.ocx, Apple Computer, Inc.>
[Adobe PDF Reader Link Helper] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[Windows Genuine Advantage Validation Tool] {17492023-C23A-453E-A040-C7C580BBF700} <C:\WINDOWS\system32\legitcheckcontrol.dll, Microsoft Corporation>
[Windows Media Player] {22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, Microsoft Corporation>
[HTML Document] {25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\system32\mshtml.dll, N/A>
[DHTML Edit Control Safe for Scripting for IE5] {2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, Microsoft Corporation>
[] {53707962-6F74-2D53-2644-206D7942484F} <C:\Program Files\Spybot - Search & Destroy\SDHelper.dll, Safer Networking Limited>
[URLDetector Class] {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} <C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll, Prevx Ltd.>
[WUWebControl Class] {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, Microsoft Corporation>
[Windows Media Player] {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Active Desktop Mover] {72267F6A-A6F9-11D0-BC94-00C04FB67863} <%SystemRoot%\system32\SHELL32.dll, N/A>
[SSVHelper Class] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} <C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll, Sun Microsystems, Inc.>
[Microsoft Web Browser] {8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, Microsoft Corporation>
[Java Plug-in] {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll, Sun Microsystems, Inc.>
[SearchAssistantOC] {B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
[RDS.DataSpace] {BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[VIDEO__X_MS_ASF Moniker Class] {CD3AFA8F-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[VIDEO__X_MS_WMV Moniker Class] {CD3AFA94-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Shockwave Flash Object] {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx, Macromedia, Inc.>

==================================
Running Processes
[PID: 884][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1000][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1024][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\SUPERAntiSpyware\SASWINLO.dll] [SUPERAntiSpyware.com, 1, 0, 0, 1030]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[PID: 1072][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1084][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1248][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1356][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1480][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1532][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1728][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1944][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 408][C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe] [Cisco Systems, Inc., 4.6.00.0049]
[C:\WINDOWS\system32\vsdata.dll] [Zone Labs Inc., 4.0.146.033]
[C:\WINDOWS\system32\VSINIT.dll] [Zone Labs Inc., 4.0.146.033]
[PID: 516][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\SUPERAntiSpyware\SASSEH.DLL] [SuperAdBlocker.com, 1, 0, 0, 1008]
[C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll] [Sun Microsystems, Inc., 8.0.0.8968]
[C:\Program Files\OpenOffice.org 2.0\program\uwinapi.dll] [Sun Microsystems, Inc., 8.0.0.8968]
[C:\Program Files\OpenOffice.org 2.0\program\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\OpenOffice.org 2.0\program\stlport_vc7145.dll] [STLport Consulting, Inc., 4.5.2003.0120]
[C:\Program Files\OpenOffice.org 2.0\program\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll] [Adobe Systems, Inc., 7.0.0.0]
[PID: 800][C:\Program Files\Prevx1\PXConsole.exe] [Prevx, 1.0.0.1]
[C:\Program Files\Prevx1\qt-mt336.dll] [N/A, ]
[C:\Program Files\Prevx1\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Prevx1\libAPI.dll] [Prevx, 2.0.6.2]
[C:\Program Files\Prevx1\libCOM.dll] [Prevx, 2.0.10.0]
[C:\Program Files\Prevx1\libCORE.dll] [N/A, ]
[C:\Program Files\Prevx1\MSVCP71.DLL] [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\Prevx1\zlib1.dll] [, 1.2.2]
[C:\Program Files\Prevx1\PME.dll] [Prevx, 1.0.0.6]
[C:\Program Files\Prevx1\SDB.dll] [, 1, 0, 0, 1]
[C:\Program Files\Prevx1\rksi.dll] [Prevx, 2.0.10.0]
[C:\Program Files\Prevx1\pxnet.dll] [N/A, ]
[C:\Program Files\Prevx1\libcurl.dll] [The cURL library, http://curl.haxx.se/, 7.16.0]
[PID: 836][C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe] [, 2, 0, 15, 8]
[C:\Program Files\RivaTuner v2.0 RC 15.8\PlugIns\Monitoring\VT1103.dll] [, 1, 0, 0, 0]
[PID: 852][C:\Program Files\DAEMON Tools\daemon.exe] [DT Soft Ltd., 4.03.0.0]
[C:\Program Files\DAEMON Tools\daemon.dll] [DT Soft Ltd., 4.03.0.0]
[C:\Program Files\DAEMON Tools\PFCTOC.DLL] [Padus(R), Inc., 1, 0, 0, 12]
[C:\Program Files\DAEMON Tools\Plugins\Images\bw5mount.dll] [, 1.0.6.0]
[C:\Program Files\DAEMON Tools\Plugins\Images\ccdmount.dll] [GENERIC, 1.10.0.0]
[C:\Program Files\DAEMON Tools\Plugins\Images\mdsmount.dll] [GENERIC, 1.12.0.0]
[C:\Program Files\DAEMON Tools\Plugins\Images\nrgmount.dll] [GENERIC, 1.11.0.0]
[C:\Program Files\DAEMON Tools\Plugins\Images\pdimount.dll] [GENERIC, 1.01.0.0]
[PID: 936][C:\Program Files\AceLogix\StartupGuard\sg.exe] [N/A, ]
[PID: 960][C:\Program Files\Messenger\msmsgs.exe] [Microsoft Corporation, 4.7.3000]
[PID: 976][C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe] [SUPERAntiSpyware.com, 3, 6, 0, 1000]
[C:\Program Files\SUPERAntiSpyware\deupx.dll] [SuperAntiSpyware.com, 1, 0, 0, 2]
[PID: 1772][C:\WINDOWS\system32\wscntfy.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 3552][C:\Program Files\Mozilla Firefox\firefox.exe] [Mozilla Corporation, 1.8.0.11: 2007031202]
[C:\Program Files\Mozilla Firefox\js3250.dll] [Netscape Communications Corporation, 4.0]
[C:\Program Files\Mozilla Firefox\nspr4.dll] [Netscape Communications Corporation, 4.6.5]
[C:\Program Files\Mozilla Firefox\xpcom_core.dll] [Mozilla Foundation, 1.8.0.11: 2007031202]
[C:\Program Files\Mozilla Firefox\plc4.dll] [Netscape Communications Corporation, 4.6.5]
[C:\Program Files\Mozilla Firefox\plds4.dll] [Netscape Communications Corporation, 4.6.5]
[C:\Program Files\Mozilla Firefox\smime3.dll] [Mozilla Foundation, 3.11.5]
[C:\Program Files\Mozilla Firefox\nss3.dll] [Mozilla Foundation, 3.11.5]
[C:\Program Files\Mozilla Firefox\softokn3.dll] [Mozilla Foundation, 3.11.4]
[C:\Program Files\Mozilla Firefox\ssl3.dll] [Mozilla Foundation, 3.11.5]
[C:\Program Files\Mozilla Firefox\xpcom_compat.dll] [Mozilla Foundation, 1.8.0.11: 2007031202]
[C:\Program Files\Mozilla Firefox\components\jar50.dll] [Mozilla Foundation, 1.8.0.11: 2007031202]
[C:\Program Files\Mozilla Firefox\freebl3.dll] [Mozilla Foundation, 3.11.4]
[C:\Program Files\Mozilla Firefox\nssckbi.dll] [Mozilla Foundation, 1.62]
[C:\WINDOWS\system32\msacm32.drv] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
[C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll] [, ]
[C:\Program Files\SUPERAntiSpyware\SASSEH.DLL] [SuperAdBlocker.com, 1, 0, 0, 1008]
[PID: 3436][C:\Documents and Settings\anders\Desktop\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]

==================================
File Associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
N/A

==================================
Autorun.Inf
N/A

==================================
HOSTS File
127.0.0.1 localhost

==================================
API HOOK
N/A

==================================
Hidden Process
N/A

==================================
norbat Posted 18 April 2007 (edited)

Hi,

Download SDFix.exe. Unpack the program.
Restart in safe mode (tap F8 during startup).
Run RunThis.bat in the SDFix folder. A report (Report.txt) is generated, which you post later.
Restart in normal mode.

Check the following files (still make sure you can see hidden files and folders):
C:\WINDOWS\ua2.dll
C:\WINDOWS\system32\bofang.dll
C:\ie.vbs
C:\WINDOWS\system32\drivers\203.exe

What you do is go to http://virusscan.jotti.org/. At the top of the page, click the 'Choose' button to upload the files listed above (one at a time) and click 'Submit'. The file(s) will be checked and a result will tell you either that it is clean or that it is infected.

If infected: Use Explorer to delete the file. You may have to go into safe mode.
If clean: Post the log from SDFix and tell me whether any of the files above were corrupt.

Edited 18 April 2007 by norbat