Haddock, posted 29 April 2007 (edited)

I've picked up a damn annoying spyware program that I have no idea how to remove. I also get a bunch of other popups, and the PC has been behaving very strangely lately: it hangs now and then during startup, and Internet windows just suddenly drop out from time to time, if you know what I mean... (I have to keep clicking on the page all the time to get it selected so I can type in it, etc.) Does anyone see anything wrong in the HijackThis log, or know how I can get DriveCleaner removed?

Logfile of HijackThis v1.99.1
Scan saved at 15:56:08, on 29.04.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Programfiler\ewido\security suite\ewidoctrl.exe
C:\Norman\Bin\Zanda.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\FELLES~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Norman\bin\ZLH.EXE
C:\Programfiler\QuickTime\qttask.exe
C:\WINDOWS\System32\svehost.exe
C:\WINDOWS\System32\clcl7.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\bin\NJEEVES.EXE
C:\Programfiler\Winamp\winamp.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Documents and Settings\Malossi Hyper Racing\Skrivebord\Ny mappe\Test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O1 - Hosts: 72.36.156.164 view.atdmt.com
O1 - Hosts: 72.36.156.164 rad.msn.com
O1 - Hosts: 72.36.156.164 themis.geocities.yahoo.com
O1 - Hosts: 72.36.156.164 us.a1.yimg.com
O1 - Hosts: 72.36.156.164 ad.n2434.doubleclick.net
O1 - Hosts: 72.36.156.164 n3349ad.doubleclick.net
O1 - Hosts: 72.36.156.164 altfarm.mediaplex.com
O1 - Hosts: 72.36.156.164 ad.doubleclick.net
O1 - Hosts: 72.36.156.164 z1.adserver.com
O1 - Hosts: 72.36.156.164 ar1.atwola.com
O1 - Hosts: 72.36.156.164 disney.go.com
O1 - Hosts: 72.36.156.164 rcm.amazon.com
O1 - Hosts: 72.36.156.164 familyfun.go.com
O1 - Hosts: 72.36.156.164 dist.belnk.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - C:\WINDOWS\System32\ipv6monl.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {b88af703-0c92-4186-bcbc-a3d8ed889ee8} - C:\WINDOWS\system32\kbdrov.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\System32\tmp9.tmp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [syspanel] scanSYS.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programfiler\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKLM\..\Run: [infoData] rundll32.exe "C:\WINDOWS\rqppqp.dll",realset
O4 - HKLM\..\Run: [clcl7] C:\WINDOWS\System32\clcl7.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rmxxthx.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by143fd.bay143.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://campuscentercam.its.wesleyan.edu/activex/AMC.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://213.28.44.184/activex/AMC.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: kbdrov - C:\WINDOWS\SYSTEM32\kbdrov.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\FELLES~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Edit: Forgot to rename the program to "test"

Edited 29 April 2007 by Haddock
norbat, posted 29 April 2007 (edited)

Quite a collection you've got there.

Run HJT, tick the following lines and click 'Fix checked':

O1 - Hosts: 72.36.156.164 view.atdmt.com
O1 - Hosts: 72.36.156.164 rad.msn.com
O1 - Hosts: 72.36.156.164 themis.geocities.yahoo.com
O1 - Hosts: 72.36.156.164 us.a1.yimg.com
O1 - Hosts: 72.36.156.164 ad.n2434.doubleclick.net
O1 - Hosts: 72.36.156.164 n3349ad.doubleclick.net
O1 - Hosts: 72.36.156.164 altfarm.mediaplex.com
O1 - Hosts: 72.36.156.164 ad.doubleclick.net
O1 - Hosts: 72.36.156.164 z1.adserver.com
O1 - Hosts: 72.36.156.164 ar1.atwola.com
O1 - Hosts: 72.36.156.164 disney.go.com
O1 - Hosts: 72.36.156.164 rcm.amazon.com
O1 - Hosts: 72.36.156.164 familyfun.go.com
O1 - Hosts: 72.36.156.164 dist.belnk.com
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - C:\WINDOWS\System32\ipv6monl.dll
O2 - BHO: (no name) - {b88af703-0c92-4186-bcbc-a3d8ed889ee8} - C:\WINDOWS\system32\kbdrov.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\System32\tmp9.tmp.dll
O4 - HKLM\..\Run: [syspanel] scanSYS.exe
O4 - HKLM\..\Run: [intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKLM\..\Run: [infoData] rundll32.exe "C:\WINDOWS\rqppqp.dll",realset
O4 - HKLM\..\Run: [clcl7] C:\WINDOWS\System32\clcl7.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O20 - AppInit_DLLs:
O20 - Winlogon Notify: kbdrov - C:\WINDOWS\SYSTEM32\kbdrov.dll

Download VundoFix, start the program and click the "Scan for Vundo" button. When it has finished running, click the "Remove vundo" button. A log is created, which you post later.

Download SDFix.exe. Extract the program.

Download SAS, install it and update it.

Make sure you can see hidden files and folders (Control Panel -> Folder Options -> View -> "Show hidden files and folders").

Restart in Safe Mode (tap F8 during startup).

Run RunThis.bat in the SDFix folder. A report is created (Report.txt).

Run a full scan with SAS.

Restart in normal mode.

Post a new HJT log together with the logs from SDFix, VundoFix and SAS (Preferences -> Statistics/Logs).

Edited 29 April 2007 by norbat
Haddock (author), posted 30 April 2007

Thanks a lot for the quick reply! Here are all the logs, plenty of reading material...

Dokument.txt
norbat, posted 30 April 2007

Run HJT, tick the following lines and click 'Fix checked':

O2 - BHO: (no name) - {b88af703-0c92-4186-bcbc-a3d8ed889ee8} - (no file)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Get CCleaner. Start the program. Go to 'Options' -> 'Advanced'. Untick: "Only delete temporary files......." Click 'Cleaner' and then 'Run CCleaner'. Also run a few rounds of 'Issues' until it finds no more errors.

Restart the PC.

Tell me how it runs.
Haddock (author), posted 20 May 2007

Hi again! Sorry I'm so late replying! I still have quite a lot of popups and spyware, among other things another antivirus program that sends countless error messages and warnings. I also get a lot of popups that appear for a few milliseconds before they disappear again, which gets pretty annoying since I'm constantly thrown out of the web page I'm on. So it takes a while to write this... I get thrown out of various other programs too as a result of this, and it has become impossible to play games on the PC. It also happens that the PC just switches itself off and restarts again, roughly once a day, with some exceptions. That gave me a scare when I had finally finished a 5-page assignment that wasn't saved when it happened. I can't really just format the disk either, I have nothing to temporarily store important files on...
norbat, posted 20 May 2007 (edited)

Get Rootchk and put it on the desktop. Run the program. It will create a log.

Post the log from Rootchk + a new HJT log.

Edited 20 May 2007 by norbat
Haddock (author), posted 20 May 2007

*********************************
ROOTCHK-(19-05-07)-LOG, by ejvindh
20.05.2007 22:26:03.71

The rootkits that are detected by this tool were not found.

*********************************
ROOTCHK-LOG-end

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-20 22:26:04
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\winmgmt58ed-376

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\windev-58ed-376.sys
C:\WINDOWS\system32\windev-peers.ini

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 2

Logfile of HijackThis v1.99.1
Scan saved at 22:39:31, on 20.05.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Programfiler\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\FELLES~1\Stardock\SDMCP.exe
C:\Norman\Bin\Zanda.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Norman\bin\ZLH.EXE
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\bin\NJEEVES.EXE
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Documents and Settings\Malossi Hyper Racing\Skrivebord\Ny mappe\Test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\System32\tmp2.tmp.dll
O2 - BHO: (no name) - {b88af703-0c92-4186-bcbc-a3d8ed889ee8} - C:\WINDOWS\system32\key949.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programfiler\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\jkhhii.dll",realset
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by143fd.bay143.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://campuscentercam.its.wesleyan.edu/activex/AMC.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://213.28.44.184/activex/AMC.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\pmnonmm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: atlame - C:\WINDOWS\SYSTEM32\atlame.dll
O20 - Winlogon Notify: key949 - C:\WINDOWS\SYSTEM32\key949.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\FELLES~1\Stardock\mcpstub.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
norbat, posted 20 May 2007

Get VirtumundoBeGone.exe and put it on the desktop. Close all other programs, double-click VirtumundoBeGone.exe, click Continue, click Start. Click Yes to run the fix. Then click 'Save log'. The fix may end with a "BSOD" (blue screen and frozen PC). Just restart (use the PC's power button if necessary). A text file called VBG.TXT will appear on the desktop; post it later.

Update SAS and run a 'full scan'.

Then post the log from VBG and SAS + a new HJT log.
Haddock (author), posted 20 May 2007

That's done.

Logger.rtf
b21a, posted 21 May 2007

Update to SP2 and you'll see things get better.
norbat, posted 21 May 2007

We should hold off on SP2 until the PC is cleaned of spyware...

Run HJT, tick the following lines and click 'Fix checked':

O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\System32\tmp2.tmp.dll (file missing)
O2 - BHO: (no name) - {b88af703-0c92-4186-bcbc-a3d8ed889ee8} - C:\WINDOWS\system32\key949.dll
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\jkhhii.dll",realset
O4 - Startup: PowerReg Scheduler V3.exe
O20 - Winlogon Notify: key949 - C:\WINDOWS\SYSTEM32\key949.dll

Get Avenger and extract it. Start the program, select "Input Script Manually" and click the magnifying glass. In the window that appears, copy and paste what is in bold below:

Files to delete:
C:\WINDOWS\system32\key949.dll
C:\WINDOWS\jkhhii.dll

Click the traffic light. Restart the PC.

Post a new HJT log.

Check for Windows updates (hold off on SP2 for a bit).
Haddock (author), posted 21 May 2007 (edited)

Done! But I couldn't find that jkhhii.dll file in HJT.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dpgbnmgm

*******************

Script file located at: \??\C:\Program Files\olbwdjgd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\key949.dll deleted successfully.

File C:\WINDOWS\jkhhii.dll not found!
Deletion of file C:\WINDOWS\jkhhii.dll failed!

Could not process line:
C:\WINDOWS\jkhhii.dll
Status: 0xc0000034

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 20:00:08, on 21.05.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Programfiler\ewido\security suite\ewidoctrl.exe
C:\Norman\Bin\Zanda.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\FELLES~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\bin\NJEEVES.EXE
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Documents and Settings\Malossi Hyper Racing\Skrivebord\Ny mappe\Test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\System32\tmp74.tmp.dll
O2 - BHO: (no name) - {b88af703-0c92-4186-bcbc-a3d8ed889ee8} - C:\WINDOWS\system32\key949.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programfiler\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\qonlkl.dll",realset
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by143fd.bay143.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://campuscentercam.its.wesleyan.edu/activex/AMC.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://213.28.44.184/activex/AMC.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\pmnonmm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: key949 - C:\WINDOWS\SYSTEM32\key949.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\FELLES~1\Stardock\mcpstub.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Edited 21 May 2007 by Haddock
norbat, posted 21 May 2007 (edited)

Let's try once more:

Run HJT, tick the following lines and click 'Fix checked':

O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\System32\tmp74.tmp.dll
O2 - BHO: (no name) - {b88af703-0c92-4186-bcbc-a3d8ed889ee8} - C:\WINDOWS\system32\key949.dll
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\qonlkl.dll",realset
O4 - Startup: PowerReg Scheduler V3.exe
O20 - AppInit_DLLs: c:\windows\system32\pmnonmm.dll
O20 - Winlogon Notify: key949 - C:\WINDOWS\SYSTEM32\key949.dll

Start Avenger again, select "Input Script Manually" and click the magnifying glass. In the window that appears, copy and paste what is in bold below:

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\winmgmt58ed-376

Files to delete:
C:\WINDOWS\System32\tmp74.tmp.dll
C:\WINDOWS\system32\key949.dll
C:\WINDOWS\qonlkl.dll
c:\windows\system32\pmnonmm.dll
C:\WINDOWS\system32\windev-58ed-376.sys
C:\WINDOWS\system32\windev-peers.ini

Click the traffic light. Restart the PC. After the restart a log file will appear telling you what happened. Post it together with a new HJT log.

(EDIT: while the log is being analysed, you can get AVG Anti-Rootkit and see if it finds anything)

Edited 21 May 2007 by norbat
Haddock (author), posted 23 May 2007

Hmm.. all of a sudden I just can't find the "key949" files or the qonlkl.dll file... This is the log I get now:

Logfile of HijackThis v1.99.1
Scan saved at 20:55:04, on 23.05.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\FELLES~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Programfiler\ewido\security suite\ewidoctrl.exe
C:\Norman\Bin\Zanda.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Norman\bin\ZLH.EXE
C:\Programfiler\QuickTime\qttask.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Norman\bin\NJEEVES.EXE
C:\Programfiler\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\dwwin.exe
C:\Documents and Settings\Malossi Hyper Racing\Skrivebord\Ny mappe\Test.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A24B57F8-505D-4fc5-9960-740E304D1ABA} - C:\WINDOWS\System32\tmp1.tmp.dll
O2 - BHO: (no name) - {b88af703-0c92-4186-bcbc-a3d8ed889ee8} - C:\WINDOWS\system32\cmmprf.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programfiler\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\efdede.dll",realset
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by143fd.bay143.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179771324316
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://campuscentercam.its.wesleyan.edu/activex/AMC.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://213.28.44.184/activex/AMC.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\pmnonmm.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: cmmprf - C:\WINDOWS\SYSTEM32\cmmprf.dll
O20 - Winlogon Notify: key949 - key949.dll (file missing)
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\FELLES~1\Stardock\mcpstub.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
norbat, posted 23 May 2007

The reason you can't find certain files is that the infection renames its files. I'm missing the log from Avenger and feedback on whether AVG Anti-Rootkit found anything. Let's move on...

Download Combofix and put it on the desktop. Run combofix.exe and follow the instructions. You must not click on the window while the program is running. Post the log file from combofix (usually c:\combofix.txt) and then follow the guide below:

Download DrWeb. Put it on the desktop.
Restart in safe mode (tap F8 during startup).
Run drweb-cureit.exe (say yes to running an express scan).
When this is finished, click Option -> Change settings.
Under the Scan tab, uncheck Heuristic analysis.
Under the Actions tab, all items under Malware should be set to Rename.
Select the partition you want to scan and then click the green arrow to start the scan.
Choose "yes to all" when it finds something for the first time.
Post a new HJT log.
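norbat's point that the infection keeps renaming its files is why name-based spotting fails on logs like the one above: what stays constant is where the autostart entry points and what attributes it carries. The following Python script is an added example, not part of this thread and not a HijackThis feature. It parses a handful of O4/O20/O23 lines in the HijackThis v1.99 format (the sample lines are constructed from the log quoted earlier in the thread) and lists the entries a reviewer would want to look at first: files that no longer exist, a populated AppInit_DLLs value, rundll32 loading a DLL at logon, services without publisher information, and autostart binaries parked directly in the Windows or System32 folder. The output is a set of review prompts, not verdicts; the ATI service is listed only because the log carries no publisher string for it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v1.99 format, modelled on the log
# quoted earlier in this thread (not a complete log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\efdede.dll",realset
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: c:\windows\system32\pmnonmm.dll
O20 - Winlogon Notify: cmmprf - C:\WINDOWS\SYSTEM32\cmmprf.dll
O20 - Winlogon Notify: key949 - key949.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4", "O20", "O23"
    reason: str    # why the entry deserves a closer look
    entry: str     # the original log line, untouched


# "Oxx - rest of line": the shape of every HijackThis entry.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in an executable extension; tolerates
# surrounding quotes and spaces inside the path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)

# Locations the infection in this thread used for its renamed files
# (assumed single-drive XP layout; adjust for other installs).
WINDIR = "c:\\windows"
SYSTEM32 = "c:\\windows\\system32"


def parent_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path."""
    return path.rsplit("\\", 1)[0].lower()


def extract_path(rest: str) -> Optional[str]:
    """Return the first executable path in an entry, or None if it has none."""
    m = PATH_RE.search(rest)
    return m.group(0) if m else None


def triage(log_text: str) -> List[Finding]:
    """Flag autostart entries by location and attributes rather than by file name.

    Only O4 (Run keys), O20 (AppInit_DLLs / Winlogon Notify) and O23
    (services) are considered; each entry yields at most one finding.
    """
    findings: List[Finding] = []
    for raw in log_text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        path = extract_path(rest)

        if "(file missing)" in rest:
            findings.append(Finding(section, "autostart points at a file that no longer exists", raw))
        elif section == "O20" and rest.startswith("AppInit_DLLs:") and path:
            findings.append(Finding(section, "AppInit_DLLs is set; the DLL is loaded into every process", raw))
        elif section == "O4" and "rundll32.exe" in rest.lower() and path and path.lower().endswith(".dll"):
            findings.append(Finding(section, "rundll32 loads a DLL at logon; check its location and publisher", raw))
        elif section == "O23" and "Unknown owner" in rest:
            findings.append(Finding(section, "service binary has no publisher information", raw))
        elif section in ("O4", "O20") and path and parent_dir(path) in (WINDIR, SYSTEM32):
            findings.append(Finding(section, "autostart binary sits directly in the Windows or System32 directory", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.entry}")
```

Running the script against the sample lists five entries (efdede.dll, pmnonmm.dll, cmmprf.dll, key949.dll and the ATI service) and leaves the Norman, QuickTime and SUPERAntiSpyware entries alone; the same rules applied to the full log above would also pick out the renamed DLLs that a name-based search misses.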
Haddock (thread author), posted 23 May 2007

Messed around a bit here now, yes; here's the log for Avenger. I'll start on the last thing you wrote shortly. AVG is running now.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ujxhbrpt

*******************

Script file located at: \??\C:\WINDOWS\System32\xqkpwnbf.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKLM\SYSTEM\CurrentControlSet\Services\winmgmt58ed-376 not found!
Deletion of registry key HKLM\SYSTEM\CurrentControlSet\Services\winmgmt58ed-376 failed!
Could not process line:
HKLM\SYSTEM\CurrentControlSet\Services\winmgmt58ed-376
Status: 0xc0000034

File C:\WINDOWS\System32\tmp74.tmp.dll deleted successfully.

File C:\WINDOWS\system32\key949.dll not found!
Deletion of file C:\WINDOWS\system32\key949.dll failed!
Could not process line:
C:\WINDOWS\system32\key949.dll
Status: 0xc0000034

File C:\WINDOWS\qonlkl.dll deleted successfully.
File c:\windows\system32\pmnonmm.dll deleted successfully.
File C:\WINDOWS\system32\windev-58ed-376.sys deleted successfully.
File C:\WINDOWS\system32\windev-peers.ini deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
Haddock (thread author), posted 23 May 2007

Finally finished with AVG now; here's the log if you need it.

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 01:18:19 24.05.2007

+ Scan result:

HKLM\SOFTWARE\AntivirusGold -> Adware.AntiVirusGolden : Cleaned.
C:\SDFix\backups\backups.zip/backups/tmp79.tmp.exe -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP950\A0127902.exe -> Adware.Virtumonde : Cleaned.
C:\Programfiler\BitLord\Downloads\Speed Up My PC 3.0\Setup.exe -> Backdoor.Delf.awa : Cleaned.
C:\Programfiler\Java\j2re1.4.2_04\bin\jusched.exe -> Downloader.Agent.awf : Cleaned.
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe -> Downloader.Agent.awf : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP950\A0127886.exe -> Downloader.Agent.awf : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP970\A0143515.EXE -> Downloader.Agent.awf : Cleaned.
C:\WINDOWS\system32\lsasss.exe1170711772 -> Downloader.Agent.awf : Cleaned.
C:\hp\KBD\KBD.EXE -> Downloader.Agent.awf : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Lokale innstillinger\Temp\tmp2.tmp.exe -> Downloader.Agent.bjk : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Lokale innstillinger\Temp\tmp90.tmp.exe -> Downloader.Agent.bjk : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Lokale innstillinger\Temporary Internet Files\Content.IE5\MOYQZOQY\lientnstaller15_02[1] -> Downloader.Agent.bjk : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Lokale innstillinger\Temporary Internet Files\Content.IE5\W9Y7OLAN\rellatsnitneilc22_05[1] -> Downloader.Agent.bjk : Cleaned.
C:\SDFix\backups\backups.zip/backups/tmp2.tmp.exe -> Downloader.Agent.bjk : Cleaned.
C:\SDFix\backups\backups.zip/backups/tmp4.tmp.exe -> Downloader.Agent.bjk : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP950\A0127899.exe -> Downloader.Agent.bjk : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP950\A0127901.exe -> Downloader.Agent.bjk : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP943\A0121772.exe -> Downloader.Agent.es : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP947\A0121870.exe -> Downloader.Agent.es : Cleaned.
C:\WINDOWS\system32\clcl7.exe -> Downloader.Agent.es : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP950\A0127878.dll -> Downloader.ConHook : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP950\A0127888.dll -> Downloader.ConHook : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Skrivebord\Ny mappe\backups\backup-20070520-205301-498.dll -> Downloader.ConHook.bf : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Skrivebord\Ny mappe\backups\backup-20070521-200237-855.dll -> Downloader.ConHook.bf : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP965\A0138614.dll -> Downloader.ConHook.bf : Cleaned.
C:\avenger\backup-23.05.2007-23.52.11.61.zip/avenger/key949.dll -> Downloader.ConHook.bf : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP950\A0127876.sys -> Dropper.Agent.bbv : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP950\A0127885.sys -> Dropper.Agent.bbv : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Skrivebord\Ny mappe\backups\backup-20070429-161516-517.dll -> Logger.BZub.if : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Lokale innstillinger\Temporary Internet Files\Content.IE5\JDAYQ0R2\installdrivecleanerstart_no[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.m : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Lokale innstillinger\Temporary Internet Files\Content.IE5\W9Y7OLAN\WinAntiVirusPro2006FreeInstall_no[1].cab/UWA6PH_0001_N91M2107NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\SDFix\backups\backups.zip/backups/ndis.sys -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP950\A0127868.sys -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP950\A0127895.sys -> Not-A-Virus.SpamTool.Win32.Agent.u : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP950\A0127873.exe -> Proxy.Wopla.ag : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP950\A0127882.exe -> Proxy.Wopla.ag : Cleaned.
C:\Documents and Settings\LocalService\Lokale innstillinger\Temporary Internet Files\Content.IE5\SXEZ8L2V\cent[1].exe -> Rootkit.Agent.fe : Cleaned.
C:\Documents and Settings\LocalService\Lokale innstillinger\Temporary Internet Files\Content.IE5\WP2V8LEB\cent[1].exe -> Rootkit.Agent.fe : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP954\A0128993.sys -> Rootkit.Agent.fe : Cleaned.
C:\WINDOWS\system32\cent.exe -> Rootkit.Agent.fe : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper racing@247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper racing@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper [email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper [email protected][1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper racing@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper racing@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper racing@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\silje\Cookies\silje@adviva[2].txt -> TrackingCookie.Adviva : Cleaned.
C:\Documents and Settings\silje\Cookies\silje@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\silje\Cookies\silje@connextra[1].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\silje\Cookies\[email protected][1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper racing@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\silje\Cookies\[email protected][2].txt -> TrackingCookie.Gemius : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper [email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper racing@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper [email protected][1].txt -> TrackingCookie.Hitslink : Cleaned.
C:\Documents and Settings\silje\Cookies\[email protected][1].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper racing@linksynergy[2].txt -> TrackingCookie.Linksynergy : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper racing@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\silje\Cookies\[email protected][1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper [email protected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper [email protected][1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper racing@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Gjest\Cookies\gjest@statistik-gallup[1].txt -> TrackingCookie.Statistik-gallup : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper racing@statistik-gallup[1].txt -> TrackingCookie.Statistik-gallup : Cleaned.
C:\Documents and Settings\silje\Cookies\silje@statistik-gallup[1].txt -> TrackingCookie.Statistik-gallup : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper [email protected][1].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper racing@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper [email protected][2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Malossi Hyper Racing\Cookies\malossi hyper [email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP941\A0121704.dll -> Trojan.Agent.agv : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP946\A0121846.dll -> Trojan.Agent.agv : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP957\A0129092.dll -> Trojan.Agent.agv : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP961\A0132283.dll -> Trojan.Agent.agv : Cleaned.
C:\WINDOWS\ddbxus.dll -> Trojan.Agent.agv : Cleaned.
C:\WINDOWS\tuspqn.dll -> Trojan.Agent.agv : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP950\A0127874.exe -> Trojan.Agent.kq : Cleaned.
C:\System Volume Information\_restore{95C68616-CEF2-40EE-9C3F-52651BF082A5}\RP950\A0127884.exe -> Trojan.Agent.kq : Cleaned.
C:\SDFix\backups\backups.zip/backups/tmp1BF.tmp.exe -> Trojan.BHO.g : Cleaned.
norbat, posted 24 May 2007

Good. And now just follow the last steps mentioned:

Run Combofix, post the log.
Run DrWeb from safe mode.
Post a new HJT log at the end, and we'll see what junk, if any, is left.