Jonas, posted 14 April 2007

Hi,

After this year's TG visit I brought something mysterious home with me. From time to time I hear a creepy voice, almost like whooping and hollering, along with popups. (Eh, a sound is hard to describe.) Does this sound familiar to anyone? Is there any fix? For what it's worth, I ran Avast the whole week, plus various system scans afterwards.

Logfile of HijackThis v1.99.1
Scan saved at 17:10:52, on 14.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Promise\Promise Disk Controller Manager\UtMsgAgt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Temp/Diverse/startside/3/startside.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.144.106.133:8000
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmp5.tmp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {bac31498-1d72-429c-9776-cd8809852946} - C:\WINDOWS\system32\msauo32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\Temp\VB\Tile-system\Runtime files\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent
O8 - Extra context menu item: &Paste with syntax highlightning - D:\Temp\VB\VBtoHTML\Extensions\Internet Explorer\Script.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: msauo32 - C:\WINDOWS\SYSTEM32\msauo32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
norbat, posted 14 April 2007

Hi there,

Download Vundofix, start the program and click the "Scan for Vundo" button. When it has finished running, click the "Remove vundo" button.

Download SAS, install and update it. Run a complete scan. The PC will restart.

Post a new HJT log + the log from Vundofix + the log from SAS.
Pozzolan, posted 14 April 2007 (edited)

Hi,

Delete the following with HijackThis:

O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmp5.tmp.dll
O2 - BHO: (no name) - {bac31498-1d72-429c-9776-cd8809852946} - C:\WINDOWS\system32\msauo32.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O20 - AppInit_DLLs:
O20 - Winlogon Notify: msauo32 - C:\WINDOWS\SYSTEM32\msauo32.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

Restart and post a new log. You can also try SuperAntiSpyware.

Edit: Oh well... a bit too slow.

Edited 14 April 2007 by stealthy
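As an added illustration (not code from this thread, from the helpers, or from HijackThis), the script below applies the same reasoning the replies use on the posted log: it parses HijackThis v1.99.1 lines and flags an unnamed BHO, a Winlogon Notify entry that loads the same DLL as an unnamed BHO, a configured proxy server, an O4 Run entry that loads a DLL from the Windows root through rundll32, and an O23 service whose binary is missing. The sample lines are copied from the logs posted in this thread; the rule names and the Finding type are this example's own.

```python
"""Triage of HijackThis v1.99.1 log lines.

Added example, not code from this thread or from HijackThis. It encodes the
checks the helpers in this thread apply by hand; the rule set and names are
this example's own.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Temp/Diverse/startside/3/startside.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.144.106.133:8000
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmp5.tmp.dll
O2 - BHO: (no name) - {bac31498-1d72-429c-9776-cd8809852946} - C:\WINDOWS\system32\msauo32.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bootService] rundll32.exe "C:\WINDOWS\wvtqnk.dll",realset
O20 - Winlogon Notify: msauo32 - C:\WINDOWS\SYSTEM32\msauo32.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# rundll32 loading a DLL that sits directly in C:\WINDOWS (not in system32).
RUNDLL_ROOT_RE = re.compile(r'rundll32\.exe\s+"?C:\\WINDOWS\\[^\\"]+\.dll', re.IGNORECASE)


@dataclass
class Finding:
    kind: str     # HijackThis section, e.g. "O2"
    reason: str   # why the line deserves a look
    detail: str   # the path or value concerned


def parse_entries(log_text):
    """Return (kind, body) pairs for every Rn/On line; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Flag the entry types the replies in this thread single out, in log order."""
    entries = parse_entries(log_text)

    # First pass: DLL names loaded by unnamed BHOs, so O20 can be cross-referenced.
    unnamed_bho_dlls = set()
    for kind, body in entries:
        bm = BHO_RE.match(body) if kind == "O2" else None
        if bm and bm.group("name") == "(no name)":
            unnamed_bho_dlls.add(_basename(bm.group("path")))

    findings = []
    for kind, body in entries:
        if kind == "R1" and "ProxyServer =" in body:
            findings.append(Finding(kind, "proxy server set in Internet Settings; confirm it is one you configured",
                                    body.split("= ", 1)[1]))
        elif kind == "O2":
            bm = BHO_RE.match(body)
            if bm and bm.group("name") == "(no name)":
                findings.append(Finding(kind, "unnamed BHO loaded into Internet Explorer", bm.group("path")))
        elif kind == "O4" and RUNDLL_ROOT_RE.search(body):
            findings.append(Finding(kind, "Run entry loads a DLL from the Windows root via rundll32", body))
        elif kind == "O20":
            nm = NOTIFY_RE.match(body)
            if nm and _basename(nm.group("path")) in unnamed_bho_dlls:
                findings.append(Finding(kind, "Winlogon Notify DLL is the same file as an unnamed BHO", nm.group("path")))
            elif nm:
                findings.append(Finding(kind, "non-default Winlogon Notify DLL; verify its publisher", nm.group("path")))
        elif kind == "O23" and "(file missing)" in body:
            findings.append(Finding(kind, "service registration points at a missing binary", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason}\n     {f.detail}")
```

On the sample it reports six lines: the proxy, both unnamed BHOs, the bootService rundll32 entry, the msauo32 Winlogon Notify cross-match and the broken avast! Mail Scanner service, while the avast!, NVIDIA and Adobe entries pass.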
Jonas (thread author), posted 14 April 2007

Vundofix found nothing, and as far as I know SAS did not create a log of what was found.

Logfile of HijackThis v1.99.1
Scan saved at 19:12:08, on 14.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Temp/Diverse/startside/3/startside.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.144.106.133:8000
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {bac31498-1d72-429c-9776-cd8809852946} - C:\WINDOWS\system32\msauo32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\Temp\VB\Tile-system\Runtime files\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Paste with syntax highlightning - D:\Temp\VB\VBtoHTML\Extensions\Internet Explorer\Script.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: msauo32 - C:\WINDOWS\SYSTEM32\msauo32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

If it is relevant, I got an error message when HJT deleted AppInit_DLLs:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: )
Error #5 - Invalid procedure call or argument

Please email me at [email protected], reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

I'll be back with more if the problem turns out not to be fixed. Thanks for all the help!
wil, posted 14 April 2007

Hi. You could try to find the file that is making that sound. It has to be an EXE file that runs when you get those sounds, or a sound file of some kind. See if you can find it and delete it manually. If you find it you will probably be told that the file is in use by Windows. Then you have to go into Safe Mode to delete it. Sometimes that works.

Also try a security suite/antivirus that removes spyware. That can help too. Otherwise SuperAntiSpyware is a good program.
norbat, posted 14 April 2007

Get Combofix and run it. Do not click on anything while the fix is running. It creates a log, which you post together with a new HJT log.

(The SAS log is found under: Preferences->statistics/logs)
Jonas (thread author), posted 14 April 2007

norbat wrote:
    Get Combofix and run it. Do not click on anything while the fix is running. It creates a log, which you post together with a new HJT log.
    (The SAS log is found under: Preferences->statistics/logs)

Ah, I see. There was actually nothing interesting or relevant in the log. Just a whole pile of cookies and gif images from the IE temp folder. I also tried Combofix; log follows.

"JBA" - 07-04-14 22:43:20 Service Pack 2
ComboFix 07-04-05.Rev3 - Running from: "C:\Documents and Settings\JBA\Desktop"

(((((((((((( Other Deletions ))))))))))))
C:\WINDOWS\system32\tmp5.tmp.dll

(((((((((((( Drivers/Services ))))))))))))
-------\nm
-------\LEGACY_NM

(((((((((((( Files Created from 2007-03-14 to 2007-04-14 ))))))))))))
2007-04-14 20:35 <DIR> d-------- C:\DOCUME~1\JBA\APPLIC~1\teamspeak2
2007-04-14 18:06 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-04-14 18:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-04-14 18:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-14 18:01 <DIR> d-------- C:\DOCUME~1\JBA\APPLIC~1\SUPERAntiSpyware.com
2007-04-14 18:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-14 17:58 <DIR> d-------- C:\VundoFix Backups
2007-04-14 16:55 <DIR> d-------- C:\Program Files\Uniblue
2007-04-14 16:55 <DIR> d-------- C:\DOCUME~1\JBA\APPLIC~1\Uniblue
2007-04-14 16:50 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-04-14 14:35 106,767 --a------ C:\WINDOWS\ddbaxu.dll
2007-04-14 14:33 19,625 --a------ C:\WINDOWS\system32\msauo32.dll
2007-04-12 17:40 60,416 --a------ C:\WINDOWS\ALCFDRTM.EXE
2007-04-12 17:40 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-04-12 17:37 9,324,032 --a------ C:\WINDOWS\system32\RTLCPL.EXE
2007-04-12 17:37 77,824 --a------ C:\WINDOWS\SOUNDMAN.EXE
2007-04-12 17:37 40,960 --------- C:\WINDOWS\system32\ChCfg.exe
2007-04-12 17:37 294,912 --------- C:\WINDOWS\alcupd.exe
2007-04-12 17:37 200,704 --------- C:\WINDOWS\alcrmv.exe
2007-04-12 17:37 2,317,504 --a------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2007-04-12 17:37 192,512 --------- C:\WINDOWS\RtlExUpd.dll
2007-04-12 17:37 156,672 --a------ C:\WINDOWS\system32\RTLCPAPI.dll
2007-04-09 14:33 <DIR> d-------- C:\Program Files\Google
2007-04-08 06:56 <DIR> d-------- C:\Program Files\oDC
2007-04-08 03:56 0 --a------ C:\svcipa.exe
2007-04-05 05:17 <DIR> d-------- C:\DOCUME~1\JBA\APPLIC~1\dvdcss
2007-04-05 04:23 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-04-04 18:23 <DIR> d-------- C:\Program Files\Empire Interactive
2007-04-04 18:11 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2007-04-04 18:11 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2007-04-04 18:11 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-04-04 18:11 <DIR> d-------- C:\Program Files\D-Tools
2007-03-28 19:24 18,872 --a------ C:\DOCUME~1\JBA\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-03-28 15:52 <DIR> d-------- C:\Program Files\PowerQuest
2007-03-28 15:47 7,680 --a------ C:\WINDOWS\system32\drivers\dontgo.sys
2007-03-28 15:47 17,408 --a------ C:\WINDOWS\system32\drivers\bb-run.sys
2007-03-28 15:47 125,952 --a------ C:\WINDOWS\system32\drivers\ulsata2.sys
2007-03-28 15:47 110,592 --a------ C:\WINDOWS\system32\ulutil2.dll
2007-03-28 15:42 <DIR> d-------- C:\Program Files\Promise
2007-03-24 01:32 299,520 --a------ C:\WINDOWS\uninst.exe
2007-03-24 01:32 <DIR> d-------- C:\DOCUME~1\JBA\APPLIC~1\Help
2007-03-24 01:31 <DIR> d-------- C:\DOCUME~1\JBA\WINDOWS
2007-03-24 01:26 <DIR> d-------- C:\temp

(((((((((((( Find3M Report ))))))))))))
2007-04-14 19:10 -------- d-------- C:\Program Files\steam
2007-04-14 15:55 -------- d-------- C:\Program Files\itunes
2007-04-14 15:44 -------- d-------- C:\Program Files\winamp
2007-04-14 15:38 82380 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-04-12 17:37 -------- d--h----- C:\Program Files\installshield installation information
2007-04-08 13:57 -------- d-------- C:\Program Files\dc++
2007-04-05 09:56 -------- d-------- C:\Program Files\wow
2007-04-04 18:24 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-04-04 14:48 -------- d-------- C:\Program Files\mirc
2007-03-24 01:20 -------- d-------- C:\Program Files\quicktime
2007-03-12 18:15 -------- d-------- C:\DOCUME~1\JBA\APPLIC~1\ventrilo
2007-03-05 00:22 -------- d-------- C:\Program Files\videolan
2007-02-21 23:11 583 --a------ C:\DOCUME~1\JBA\APPLIC~1\autogk.ini
2007-02-20 03:29 -------- d-------- C:\Program Files\msn messenger
2007-02-19 17:52 43602 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2007-02-19 17:51 -------- d-------- C:\Program Files\gabest
2007-02-19 17:49 -------- d-------- C:\Program Files\dvd decrypter
2007-02-15 17:44 -------- d-------- C:\Program Files\flvplayer
2007-02-15 01:53 -------- d-------- C:\Program Files\ipod
2007-01-17 23:01 1168 --a------ C:\WINDOWS\mozver.dat
2007-01-15 19:32 689280 --a------ C:\WINDOWS\system32\aswboot.exe
2007-01-15 19:23 90112 --a------ C:\WINDOWS\system32\avastss.scr
2007-01-14 20:02 0 --a------ C:\WINDOWS\nsreg.dat
2007-01-07 10:09 62 --ahs---- C:\DOCUME~1\JBA\APPLIC~1\desktop.ini

(((((((((((( Reg Loading Points ))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Steam"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\hp psc 2000 Series.lnk"
"backup"="C:\\WINDOWS\\pss\\hp psc 2000 Series.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\DIGITA~1\\bin\\hpobnz08.exe "
"item"="hp psc 2000 Series"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~3\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\officejet 6100.lnk"
"backup"="C:\\WINDOWS\\pss\\officejet 6100.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\DIGITA~1\\bin\\hposol08.exe "
"item"="officejet 6100"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AllBlk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AllowBlock"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\JBA\\Desktop\\AllowBlock\\AllowBlock.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ddbaxu"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\ddbaxu.dll\",realset"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PtiuPbmd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Rundll32"
"hkey"="HKLM"
"command"="Rundll32.exe ulutil2.dll,SetWriteBack"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"rpcapd"=dword:00000003
"iPod Service"=dword:00000003
"UtMsgSvc"=dword:00000002
"dmadmin"=dword:00000003
"Pml Driver HPZ12"=dword:00000003

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msauo32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8bcac07e-e2c8-11db-aa6c-806d6172696f}]
Shell\AutoRun\command
I:\Launch.exe

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1170261008.job

********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************

Completion time: 07-04-14 22:45:08
C:\ComboFix-quarantined-files.txt ... 07-04-14 22:45

Logfile of HijackThis v1.99.1
Scan saved at 22:47:21, on 14.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Temp/Diverse/startside/3/startside.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.144.106.133:8000
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {bac31498-1d72-429c-9776-cd8809852946} - C:\WINDOWS\system32\msauo32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\Temp\VB\Tile-system\Runtime files\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Paste with syntax highlightning - D:\Temp\VB\VBtoHTML\Extensions\Internet Explorer\Script.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: msauo32 - C:\WINDOWS\SYSTEM32\msauo32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
norbat, posted 14 April 2007

Download SDFix.exe. Extract the program.

Then get DrWeb (one-time scanner) and put it on the desktop.

Make sure you can see hidden files and folders: Control Panel->Folder Options->View->"Show hidden files and folders"

Run HJT, tick the following lines and click 'Fix checked':

O2 - BHO: (no name) - {bac31498-1d72-429c-9776-cd8809852946} - C:\WINDOWS\system32\msauo32.dll
O20 - Winlogon Notify: msauo32 - C:\WINDOWS\SYSTEM32\msauo32.dll

------------
Is this something you recognise?:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Temp/Diverse/startside/3/startside.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.144.106.133:8000
-------------

Restart in safe mode (tap F8 during startup).

Use Explorer to find and delete (in bold):

C:\WINDOWS\system32\msauo32.dll
C:\svcipa.exe

Run RunThis.bat in the SDfix folder. A report (Report.txt) is created, which you post later.

Run drweb-cureit.exe (say yes to running an express scan). When that is finished, click Option -> Change settings. Under the Scan tab, untick Heuristic analysis. Under the Actions tab, all items under Malware should be set to Rename. Select the partition you want to scan and then click the green arrow to start the scan. Choose "yes to all" when it finds something the first time.

Restart in normal mode.

Post the log from SDfix + a new HJT log.
Jonas (thread author), posted 15 April 2007

msauo32.dll was, for some reason, in use even in safe mode.

SDFix: Version 1.78
Run by Administrator - 15.04.2007 - 17:44:39,45

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\PROGRA~1\SDfix\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:
C:\WINDOWS\SYSTEM32\CMMGR32.EXE - Deleted
C:\WINDOWS\system32\svehost.exe - Deleted

Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"
"C:\\Program Files\\Steam\\steamapps\\jonas22282460\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\jonas22282460\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\PROGRA~1\SDfix\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:
[ a whole pile of Thumbs.db ]

Finished

Logfile of HijackThis v1.99.1
Scan saved at 18:44:49, on 15.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Temp/Diverse/startside/3/startside.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.144.106.133:8000
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {bac31498-1d72-429c-9776-cd8809852946} - C:\WINDOWS\system32\msauo32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\Temp\VB\Tile-system\Runtime files\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bootService] rundll32.exe "C:\WINDOWS\wvtqnk.dll",realset
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Paste with syntax highlightning - D:\Temp\VB\VBtoHTML\Extensions\Internet Explorer\Script.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: msauo32 - C:\WINDOWS\SYSTEM32\msauo32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
norbat, posted 15 April 2007 (edited)

You have a 'nasty' infection, but let's see if we can't get rid of it:

Download Avenger and unpack it to the desktop. Start the program, select "Input Script Manually" and click the magnifying glass. In the window that opens, copy and paste what is in bold below:

---------------------------------------------
Files to delete:
C:\WINDOWS\wvtqnk.dll
C:\WINDOWS\SYSTEM32\msauo32.dll
----------------------------------------------

Click the traffic light. Restart the PC. After the restart a log file will appear that tells you what happened. Post it later.

Start HJT, scan, put a check mark in front of the following lines and click 'Fix checked':

O2 - BHO: (no name) - {bac31498-1d72-429c-9776-cd8809852946} - C:\WINDOWS\system32\msauo32.dll
O4 - HKLM\..\Run: [bootService] rundll32.exe "C:\WINDOWS\wvtqnk.dll",realset
O20 - Winlogon Notify: msauo32 - C:\WINDOWS\SYSTEM32\msauo32.dll

Update SAS and run a new 'complete scan'. Post a new HJT log.

(When you scanned with DrWeb, was anything found?)

Edited 15 April 2007 by norbat
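The picks norbat makes above (a nameless BHO, a Run key firing rundll32 on a DLL in the Windows root, an unknown Winlogon Notify package) can be expressed as a small triage pass over HijackThis entries. This is an added example in Python, not code from the thread or from HijackThis; the sample lines are constructed from the entries quoted here and the Winlogon Notify allowlist is a hypothetical shortlist for the demonstration. The proxy line is only marked for confirmation, since a configured proxy is legitimate when the owner set it.

```python
import re

# Constructed sample modelled on the HijackThis entries quoted in this thread (not the
# full log): benign lines mixed with the suspect ones, one entry per line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.144.106.133:8000
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {bac31498-1d72-429c-9776-cd8809852946} - C:\WINDOWS\system32\msauo32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bootService] rundll32.exe "C:\WINDOWS\wvtqnk.dll",realset
O20 - Winlogon Notify: msauo32 - C:\WINDOWS\SYSTEM32\msauo32.dll
O20 - Winlogon Notify: msauo32 - msauo32.dll (file missing)
"""

# Hypothetical allowlist of XP's own Winlogon Notify packages, for the demo only.
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                         "sclgntfy", "senslogn", "termsrv", "wlballoon"}
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# rundll32 loading a DLL that sits directly in the Windows root rather than system32
ROOT_DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?C:\\WINDOWS\\[^\\"]+\.dll', re.I)

def triage_line(line):
    """Return (severity, reason) for one entry, or None when nothing stands out.
    'fix' = candidate for HJT 'Fix checked'; 'review' = confirm with the owner first."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O2" and "(no name)" in body:
        return ("fix", "BHO without a registered name")
    if kind == "O4" and ROOT_DLL_RE.search(body):
        return ("fix", "Run key loading a DLL from the Windows root via rundll32")
    if kind == "O20":
        if "(file missing)" in body:
            return ("fix", "orphaned Winlogon Notify entry left after file removal")
        name = body.split(":", 1)[1].split(" - ")[0].strip().lower()
        if name not in KNOWN_WINLOGON_NOTIFY:
            return ("fix", "Winlogon Notify package not in the allowlist: " + name)
    if kind == "R1" and "ProxyServer" in body:
        return ("review", "proxy configured; legitimate if the owner set it")
    return None

def triage(log):
    """Return [(entry, severity, reason)] for every flagged entry, in log order."""
    results = []
    for line in log.splitlines():
        verdict = triage_line(line)
        if verdict:
            results.append((line.strip(),) + verdict)
    return results
```

Run against the sample, the four 'fix' verdicts are exactly the three lines norbat lists plus the orphaned O20 entry that remains after the DLL is gone, which is what the follow-up post in this thread has to clean up.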
Jonas (author), posted 16 April 2007

Logfile of HijackThis v1.99.1
Scan saved at 01:49:42, on 17.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Temp/Diverse/startside/3/startside.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.144.106.133:8000
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\Temp\VB\Tile-system\Runtime files\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Paste with syntax highlightning - D:\Temp\VB\VBtoHTML\Extensions\Internet Explorer\Script.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: msauo32 - msauo32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
norbat, posted 17 April 2007

Run HJT, put a check mark in front of the following line and click 'Fix checked':

O20 - Winlogon Notify: msauo32 - msauo32.dll (file missing)

Do you recognise these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Temp/Diverse/startside/3/startside.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.144.106.133:8000

- if so, just leave them alone. Apart from that your log looks fine. By the way, how is the PC running?
Jonas (author), posted 17 April 2007

The machine runs great now, I haven't noticed anything more. Thanks a lot for the help! (I know the start page and the proxy server, they are mine.)