m0g1e Posted 16 May 2007 (edited)

Starting from scratch, since I am experiencing a string of new infections and I am also unsure whether I have run the cleaning procedures in the right order. I am following the "long version" guide from this thread: https://www.diskusjon.no/index.php?showtopic=691246

A SAS scan in normal boot mode for XP is supposed to have flagged a "Win32/Spy.VBStat.J trojan". In the safe-mode run of SAS I did last, it did not find this trojan (a SpyTool of some kind). I have had warnings in NOD32 in addition to the one in SAS.

SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/16/2007 at 02:11 AM

Application Version : 3.7.1018

Core Rules Database Version : 3228
Trace Rules Database Version: 1239

Scan type : Complete Scan
Total Scan Time : 00:21:06

Memory items scanned : 150
Memory threats detected : 1
Registry items scanned : 4536
Registry threats detected : 15
File items scanned : 49010
File threats detected : 3

Trojan.WinFixer
I:\WINDOWS\SYSTEM32\SSQRS.DLL
I:\WINDOWS\SYSTEM32\SSQRS.DLL
HKLM\Software\Classes\CLSID\{2F9561B5-361E-4714-8780-4B1E1477C820}
HKCR\CLSID\{2F9561B5-361E-4714-8780-4B1E1477C820}
HKCR\CLSID\{2F9561B5-361E-4714-8780-4B1E1477C820}\InprocServer32
HKCR\CLSID\{2F9561B5-361E-4714-8780-4B1E1477C820}\InprocServer32#ThreadingModel
I:\WINDOWS\SYSTEM32\MLJJH.DLL
HKLM\Software\Classes\CLSID\{76DD0AAB-4C11-46A7-9F88-43554C59F63D}
HKCR\CLSID\{76DD0AAB-4C11-46A7-9F88-43554C59F63D}
HKCR\CLSID\{76DD0AAB-4C11-46A7-9F88-43554C59F63D}\InprocServer32
HKCR\CLSID\{76DD0AAB-4C11-46A7-9F88-43554C59F63D}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76DD0AAB-4C11-46A7-9F88-43554C59F63D}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\ssqrs

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{2FF3B561-72C8-4D51-9FD7-64A75A6DFC9D}
HKCR\CLSID\{2FF3B561-72C8-4D51-9FD7-64A75A6DFC9D}
HKCR\CLSID\{2FF3B561-72C8-4D51-9FD7-64A75A6DFC9D}\InprocServer32
HKCR\CLSID\{2FF3B561-72C8-4D51-9FD7-64A75A6DFC9D}\InprocServer32#ThreadingModel
I:\WINDOWS\SYSTEM32\GEEDB.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FF3B561-72C8-4D51-9FD7-64A75A6DFC9D}

HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 02:24:36, on 16.05.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Eset\nod32krn.exe
I:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\system32\RUNDLL32.EXE
F:\Programfiler\DAEMON Tools\daemon.exe
I:\Programfiler\Sound Volume Hotkeys\SoundVolumeHotkeys.exe
C:\Programfiler\Eset\nod32kui.exe
I:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Downloads\Random Loads\yz_dck0083\YzDock.exe
I:\Documents and Settings\Magnus\Skrivebord\HiJackThis_v2.exe
C:\Programfiler\Opera 9\Opera.exe
I:\WINDOWS\system32\notepad.exe
I:\WINDOWS\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Programfiler\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {76DD0AAB-4C11-46A7-9F88-43554C59F63D} - I:\WINDOWS\system32\ssqrs.dll (file missing)
O2 - BHO: (no name) - {7E751FEF-C65C-47C5-9901-83F0E044511F} - I:\WINDOWS\system32\hggdcaa.dll
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - I:\WINDOWS\system32\hpsgyhlv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [soundVolumeHotkeys.{9547D1C7-4F18-4104-8674-046DCD12BDF9}] I:\Programfiler\Sound Volume Hotkeys\SoundVolumeHotkeys.exe -a
O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "I:\WINDOWS\system32\udwbiilu.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Shortcut to YzDock.exe.lnk = D:\Downloads\Random Loads\yz_dck0083\YzDock.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://c:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Programfiler\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: i:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hggdcaa - I:\WINDOWS\SYSTEM32\hggdcaa.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - I:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - I:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - I:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Programfiler\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programfiler\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Programfiler\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

--
End of file - 5824 bytes

Edit: A VundoFix run was done earlier tonight. I am not sure whether it has managed to reinfect the PC again. We may want to leave this one aside.

VundoFix V6.3.23

Checking Java version...

Sun Java not detected

Scan started at 23:29:15 15.05.2007

Listing files found while scanning....

I:\WINDOWS\system32\bdeeg.bak1
I:\WINDOWS\system32\bdeeg.ini
I:\WINDOWS\system32\bpwldiwq.dll
I:\WINDOWS\system32\geedb.dll
I:\WINDOWS\system32\qwidlwpb.ini
I:\WINDOWS\system32\udwbiilu.dll
I:\WINDOWS\system32\uliibwdu.ini

Beginning removal...

Attempting to delete I:\WINDOWS\system32\bdeeg.bak1
I:\WINDOWS\system32\bdeeg.bak1 Has been deleted!

Attempting to delete I:\WINDOWS\system32\bdeeg.ini
I:\WINDOWS\system32\bdeeg.ini Has been deleted!

Attempting to delete I:\WINDOWS\system32\bpwldiwq.dll
I:\WINDOWS\system32\bpwldiwq.dll Has been deleted!

Attempting to delete I:\WINDOWS\system32\geedb.dll
I:\WINDOWS\system32\geedb.dll Could not be deleted.

Attempting to delete I:\WINDOWS\system32\qwidlwpb.ini
I:\WINDOWS\system32\qwidlwpb.ini Has been deleted!

Attempting to delete I:\WINDOWS\system32\udwbiilu.dll
I:\WINDOWS\system32\udwbiilu.dll Has been deleted!

Attempting to delete I:\WINDOWS\system32\uliibwdu.ini
I:\WINDOWS\system32\uliibwdu.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete I:\WINDOWS\system32\geedb.dll
I:\WINDOWS\system32\geedb.dll Has been deleted!

Performing Repairs to the registry.
Done!

From earlier today, I could not remove this one with HJT: I:\WINDOWS\system32\hggdcaa.dll

I should also mention that Windows Update is not working, because of the infection I think.

Edited 16 May 2007 by nollie
m0g1e Posted 16 May 2007 (author)

I think I have got things sorted out after a few SAS scans followed by Avenger on two /system32/*.dll files. At least SAS does not find anything more now. I also removed some registry values for the files with HJT. Here are the files I removed:

Trojan.WinFixer
I:\WINDOWS\SYSTEM32\JKKJI.DLL
I:\WINDOWS\SYSTEM32\hggdcaa.dll

SAS presumably took care of any remnants. As mentioned, the registry entries for these files were removed via HJT. Both WinFixer, I believe.

Thanks for the help. I would like to learn how to identify malware like this.. I suppose it mostly takes a fair amount of experience with analysis and so on to get good at it..
norbat Posted 16 May 2007

Feel free to post a new HJT log, then we can see whether any more steps are needed.
m0g1e Posted 22 May 2007 (author, edited)

You can bet I will never be completely clean... I have done some rather desperate surfing over the last few days because of a school project, which has meant visiting some "dodgy" sites in the rush..

SAS found something on the first scan in a normal XP session:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/22/2007 at 04:46 PM

Application Version : 3.7.1018

Core Rules Database Version : 3228
Trace Rules Database Version: 1239

Scan type : Complete Scan
Total Scan Time : 00:24:23

Memory items scanned : 401
Memory threats detected : 1
Registry items scanned : 4537
Registry threats detected : 6
File items scanned : 51984
File threats detected : 2

Trojan.WinFixer
I:\WINDOWS\SYSTEM32\VTSTR.DLL
I:\WINDOWS\SYSTEM32\VTSTR.DLL
HKLM\Software\Classes\CLSID\{A5AE4D74-62DE-46F8-80BB-8F32E302AA90}
HKCR\CLSID\{A5AE4D74-62DE-46F8-80BB-8F32E302AA90}
HKCR\CLSID\{A5AE4D74-62DE-46F8-80BB-8F32E302AA90}\InprocServer32
HKCR\CLSID\{A5AE4D74-62DE-46F8-80BB-8F32E302AA90}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5AE4D74-62DE-46F8-80BB-8F32E302AA90}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\vtstr

Trojan.Downloader-SpyTool
I:\DOCUMENTS AND SETTINGS\MAGNUS\LOKALE INNSTILLINGER\TEMP\BTDWCFTI.DLL

On the next scan it finds nothing, neither in safe nor normal mode. Then a Trojan.Downloader-SpyTool pops up from NOD32 during the scan.

The HJT log, on the other hand, is rather dubious in many places:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 18:17:26, on 22.05.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Eset\nod32krn.exe
I:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\system32\wuauclt.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\system32\RUNDLL32.EXE
F:\Programfiler\DAEMON Tools\daemon.exe
I:\Programfiler\Sound Volume Hotkeys\SoundVolumeHotkeys.exe
C:\Programfiler\Eset\nod32kui.exe
I:\WINDOWS\System32\exec2.exe
I:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Downloads\Random Loads\yz_dck0083\YzDock.exe
C:\Programfiler\foobar2000\foobar2000.exe
C:\Programfiler\Opera 9\Opera.exe
I:\Documents and Settings\Magnus\Skrivebord\HiJackThis_v2.exe
I:\WINDOWS\system32\rundll32.exe
I:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Programfiler\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - I:\WINDOWS\system32\qdiabusv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E751FEF-C65C-47C5-9901-83F0E044511F} - I:\WINDOWS\system32\gebbyax.dll
O2 - BHO: (no name) - {A5AE4D74-62DE-46F8-80BB-8F32E302AA90} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [soundVolumeHotkeys.{9547D1C7-4F18-4104-8674-046DCD12BDF9}] I:\Programfiler\Sound Volume Hotkeys\SoundVolumeHotkeys.exe -a
O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Windows Update] I:\WINDOWS\System32\exec2.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "I:\WINDOWS\system32\qshtwjsl.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Shortcut to YzDock.exe.lnk = D:\Downloads\Random Loads\yz_dck0083\YzDock.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://c:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Programfiler\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: i:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gebbyax - I:\WINDOWS\SYSTEM32\gebbyax.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - I:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - I:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - I:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Programfiler\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programfiler\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Programfiler\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

--
End of file - 5954 bytes

I see quite a few suspicious things here too (just trying to understand, and maybe learn a bit):

O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - I:\WINDOWS\system32\qdiabusv.dll
O2 - BHO: (no name) - {7E751FEF-C65C-47C5-9901-83F0E044511F} - I:\WINDOWS\system32\gebbyax.dll
O2 - BHO: (no name) - {A5AE4D74-62DE-46F8-80BB-8F32E302AA90} - (no file)
O2 - BHO: (no name) - {B458B4A7-EF53-4EC6-9CB6-262EEBD7B958} - I:\WINDOWS\system32\mljgd.dll
O4 - HKLM\..\Run: [Windows Update] I:\WINDOWS\System32\exec2.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "I:\WINDOWS\system32\qshtwjsl.dll",realset
O20 - Winlogon Notify: gebbyax - I:\WINDOWS\SYSTEM32\gebbyax.dll
O20 - Winlogon Notify: mljgd - I:\WINDOWS\system32\mljgd.dll

NOD32 has once again given a "Trojan.Downloader-SpyTool" warning similar to the one I have had before. Windows Update does not work, and IE has reverted from 7.0 to 6.

Addition: What decides whether I should use Avenger or other tools? The ID from SAS, for example? I assume the different files change in different ways depending on what kind of infection it is.

Edited 22 May 2007 by nollie
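The lines m0g1e picks out above share a few structural tells: a BHO with no class name, a Run entry named like Windows Update or loading a DLL through rundll32, and a Winlogon notify package that is not one of the Windows defaults, with the same DLL often registered twice. The script below is an added example, not a tool anyone in the thread used; it applies those tells to a constructed sample of HijackThis lines. The allowlists (XP's default notify keys, the two NVIDIA DLLs rundll32 loads on this machine) are assumptions for the example.

```python
"""Heuristic triage of HijackThis log lines (added example for this thread)."""
import re

# Constructed sample, built from the kinds of lines posted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - I:\WINDOWS\system32\qdiabusv.dll
O2 - BHO: (no name) - {7E751FEF-C65C-47C5-9901-83F0E044511F} - I:\WINDOWS\system32\gebbyax.dll
O2 - BHO: (no name) - {A5AE4D74-62DE-46F8-80BB-8F32E302AA90} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Update] I:\WINDOWS\System32\exec2.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "I:\WINDOWS\system32\qshtwjsl.dll",realset
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gebbyax - I:\WINDOWS\SYSTEM32\gebbyax.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)', re.IGNORECASE)

# Assumption: the Winlogon notify keys Windows XP ships with; any other key whose
# DLL lives in system32 deserves a look.
KNOWN_NOTIFY_KEYS = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                     "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Assumption: DLLs that rundll32 legitimately loads from Run keys on this machine.
KNOWN_RUNDLL_DLLS = {"nvcpl.dll", "nvmctray.dll"}


def basename(path):
    """Last path component, lower-cased, with a trailing '(file missing)' note dropped."""
    return path.split(" (")[0].rsplit("\\", 1)[-1].lower()


def in_system32(path):
    return "\\system32\\" in path.lower()


def triage(log_text):
    """Return findings as dicts with 'severity', 'line' and 'reason'."""
    findings = []
    bho_dlls, notify_dlls = set(), set()

    def flag(severity, line, reason):
        findings.append({"severity": severity, "line": line, "reason": reason})

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            name, path = m["name"], m["path"]
            if path == "(no file)" or "(file missing)" in path:
                flag("cleanup", line, "orphaned BHO: the DLL is gone but the CLSID registration remains")
            elif name == "(no name)":
                flag("high", line, "BHO with no class name, loading " + basename(path))
                bho_dlls.add(basename(path))
        elif m := O4_RE.match(line):
            name, cmd = m["name"], m["cmd"]
            r = RUNDLL_RE.search(cmd)
            if name.replace(" ", "").lower() == "windowsupdate":
                flag("high", line, "Run entry named like Windows Update; the real client is "
                                   "started by the wuauserv service, not from a Run key")
            elif r and basename(r["dll"]) not in KNOWN_RUNDLL_DLLS:
                flag("high", line, f"rundll32 loads unrecognised {basename(r['dll'])} "
                                   f"via export {r['export']}")
        elif m := O20_RE.match(line):
            key, path = m["key"], m["path"]
            if "(file missing)" in path:
                flag("cleanup", line, "Winlogon notify key points at a DLL that no longer exists")
            elif key.lower() not in KNOWN_NOTIFY_KEYS and in_system32(path):
                flag("high", line, f"non-default Winlogon notify package '{key}' loaded from system32")
                notify_dlls.add(basename(path))

    # The same DLL registered both as a BHO and as a Winlogon notify package is
    # the double persistence seen on the hggdcaa/gebbyax entries in this thread.
    for dll in sorted(bho_dlls & notify_dlls):
        flag("high", dll, "registered as both BHO (O2) and Winlogon notify (O20)")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f['severity']:7}] {f['line']}\n          {f['reason']}")
```

The allowlists are the weak point of any such heuristic: a legitimate product's notify DLL in system32 would also be flagged, so treat each hit as a lead to verify, not a verdict.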
norbat Posted 22 May 2007 (edited)

Run HJT, tick the following lines and click 'Fix checked':

O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - I:\WINDOWS\system32\qdiabusv.dll
O2 - BHO: (no name) - {7E751FEF-C65C-47C5-9901-83F0E044511F} - I:\WINDOWS\system32\gebbyax.dll
O2 - BHO: (no name) - {A5AE4D74-62DE-46F8-80BB-8F32E302AA90} - (no file)
O4 - HKLM\..\Run: [Windows Update] I:\WINDOWS\System32\exec2.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "I:\WINDOWS\system32\qshtwjsl.dll",realset
O20 - Winlogon Notify: gebbyax - I:\WINDOWS\SYSTEM32\gebbyax.dll

Download Avenger and unpack it. Start the program, select "Input Script Manually" and click the magnifying glass. In the window that opens, copy and paste what is in bold below:

Files to delete:
I:\WINDOWS\System32\exec2.exe
I:\WINDOWS\system32\qdiabusv.dll
I:\WINDOWS\system32\gebbyax.dll
I:\WINDOWS\system32\qshtwjsl.dll

Click the traffic light. Restart the PC. After the restart a log file will appear describing what happened. Post it later.

Download Combofix and put it on the desktop. Click: Start -> Run. Copy what is below and paste it into the 'Run' window:

"%userprofile%\Skrivebord\ComboFix.exe" /v qdiabusv gebbyax qshtwjsl

Click OK and follow the instructions. Do not click on the window while the program is running. When the program finishes, a log file opens: combofix.txt. Post that log file later.

Download Rootchk and put it on the desktop. Run the program. It will create a log file.

Post the following logs: Avenger, Combofix, Rootchk + a new HJT log (put the logs in spoiler tags).

Edited 22 May 2007 by norbat
m0g1e Posted 24 May 2007 (author, edited)

Oh dear... There was actual physical noise from the machine this time..

I finish HJT and then run Avenger, copy and paste the lines, restart the PC, and at the login screen for my user the following happens: the floppy drive screams for a diskette and constantly asks me to insert one, no matter whether I press "Cancel" to see if I get any further. In the end I put a write-protected (physically set) diskette in the floppy drive so I could type the password for my user. I then get to the desktop before it screams for more floppy. I press cancel once more. I see some cmd windows come up (evidently from Avenger) that are trying to save the log, but instead I get a blank Notepad asking whether I want to save this log? The PC is apparently still trying to read the floppy, since its LED is still lit, but I get no error message... For now I don't dare go any further... What's next?

(I am writing this from another PC, by the way)

Edited 24 May 2007 by nollie
m0g1e Posted 24 May 2007 (author)

Stupid as I am, I throw myself at ComboFix anyway. It tries to restart, but the machine locks up in XP, so I use the power button instead... Now I get a clean boot with a log from CF:

ComboFix:

"Magnus" - 2007-05-24 19:10:33 Service Pack 2
ComboFix 07-05.24.7.V - Running from: "I:\Documents and Settings\Magnus\Skrivebord\"
Command switches used :: "/v qdiabusv gebbyax qshtwjsl"

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

I:\WINDOWS\system32\qdiabusv.dll
I:\WINDOWS\system32\hpsgyhlv.dll
I:\WINDOWS\system32\resfrfmv.dll
I:\WINDOWS\system32\xijpiscv.dll
I:\WINDOWS\system32\jkkihec.dll
I:\WINDOWS\system32\urqnkjh.dll
I:\WINDOWS\system32\dgjlm.bak1
I:\WINDOWS\system32\dgjlm.bak2
I:\WINDOWS\system32\dgjlm.ini
I:\WINDOWS\system32\vcsipjix.ini
I:\WINDOWS\system32\cfhkj.bak1
I:\WINDOWS\system32\cfhkj.ini2
I:\WINDOWS\system32\cfhkj.tmp
I:\WINDOWS\system32\dgjlm.bak1
I:\WINDOWS\system32\dgjlm.bak2
I:\WINDOWS\system32\dgjlm.ini
I:\WINDOWS\system32\ijkkj.bak1
I:\WINDOWS\system32\ijkkj.ini
I:\WINDOWS\system32\ijkkj.ini2
I:\WINDOWS\system32\ijkkj.tmp
I:\WINDOWS\system32\rtstv.bak1
I:\WINDOWS\system32\rtstv.ini2
I:\WINDOWS\system32\rtstv.tmp
I:\WINDOWS\system32\srqss.bak1
I:\WINDOWS\system32\srqss.ini
I:\WINDOWS\system32\srqss.ini2
I:\WINDOWS\system32\srqss.tmp
I:\WINDOWS\system32\stutv.bak1
I:\WINDOWS\system32\stutv.ini2
I:\WINDOWS\system32\stutv.tmp
I:\WINDOWS\system32\ttstv.bak1
I:\WINDOWS\system32\ttstv.bak2
I:\WINDOWS\system32\ttstv.ini
I:\WINDOWS\system32\cfhkj.bak1
I:\WINDOWS\system32\cfhkj.ini2
I:\WINDOWS\system32\cfhkj.tmp
I:\WINDOWS\system32\ijkkj.bak1
I:\WINDOWS\system32\ijkkj.ini
I:\WINDOWS\system32\ijkkj.ini2
I:\WINDOWS\system32\ijkkj.tmp
I:\WINDOWS\system32\rtstv.bak1
I:\WINDOWS\system32\rtstv.ini2
I:\WINDOWS\system32\rtstv.tmp
I:\WINDOWS\system32\srqss.bak1
I:\WINDOWS\system32\srqss.ini
I:\WINDOWS\system32\srqss.ini2
I:\WINDOWS\system32\srqss.tmp
I:\WINDOWS\system32\stutv.bak1
I:\WINDOWS\system32\stutv.ini2
I:\WINDOWS\system32\stutv.tmp
I:\WINDOWS\system32\gebbyax.dll
I:\WINDOWS\system32\mljgd.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-24 ))))))))))))))))))))))))))))))))))

2007-05-24 16:52 <DIR> d-------- I:\avenger
2007-05-22 19:11 <DIR> dr-h----- I:\DOCUME~1\Magnus\Siste
2007-05-15 23:29 <DIR> d-------- I:\VundoFix Backups
2007-05-15 12:47 <DIR> d-------- I:\DOCUME~1\Magnus\PROGRA~1\SUPERAntiSpyware.com
2007-05-15 09:09 <DIR> d-------- I:\Programfiler\DebugMode
2007-05-11 15:42 <DIR> d-------- I:\DOCUME~1\Magnus\PROGRA~1\gtk-2.0
2007-05-11 00:08 <DIR> d-------- I:\DOCUME~1\Magnus\PROGRA~1\.purple
2007-05-08 20:11 765,952 --------- I:\WINDOWS\system32\msvcp71d.dll
2007-05-08 20:11 544,768 --------- I:\WINDOWS\system32\msvcr71d.dll
2007-05-08 20:11 33,340 --a------ I:\WINDOWS\system32\dbmsqlgc.dll
2007-05-08 20:11 306,688 --a------ I:\WINDOWS\IsUninst.exe
2007-05-08 20:11 24,576 --a------ I:\WINDOWS\system32\dbmsgnet.dll
2007-05-08 20:11 <DIR> d-------- I:\Programfiler\Microsoft SQL Server
2007-05-08 20:09 <DIR> d-------- I:\WINDOWS\system32\URTTemp
2007-05-08 20:06 93 --a------ I:\AUTOEXEC.BAT
2007-05-08 20:06 89,088 --a------ I:\WINDOWS\system32\atl71.dll
2007-05-08 20:06 84,992 --a------ I:\WINDOWS\system32\ATL70.DLL
2007-05-08 19:41 171,008 --a------ I:\WINDOWS\system32\drivers\MarvinBus.sys
2007-05-08 19:41 <DIR> d-------- I:\Programfiler\DivX
2007-05-08 19:40 974,848 --a------ I:\WINDOWS\system32\MFC70.DLL
2007-05-08 19:40 964,608 --a------ I:\WINDOWS\system32\MFC70U.DLL
2007-05-08 19:40 65,536 --a------ I:\WINDOWS\system32\MFC71DEU.DLL
2007-05-08 19:40 61,440 --a------ I:\WINDOWS\system32\MFC71ITA.DLL
2007-05-08 19:40 61,440 --a------ I:\WINDOWS\system32\MFC71FRA.DLL
2007-05-08 19:40 61,440 --a------ I:\WINDOWS\system32\MFC71ESP.DLL
2007-05-08 19:40 57,344 --a------ I:\WINDOWS\system32\MFC71ENU.DLL
2007-05-08 19:40 54,784 --a------ I:\WINDOWS\system32\MSVCI70.DLL
2007-05-08 19:40 499,712 --a------ I:\WINDOWS\system32\MSVCP71.DLL
2007-05-08 19:40 49,152 --a------ I:\WINDOWS\system32\MFC71KOR.DLL
2007-05-08 19:40 49,152 --a------ I:\WINDOWS\system32\MFC71JPN.DLL
2007-05-08 19:40 487,424 --a------ I:\WINDOWS\system32\MSVCP70.DLL
2007-05-08 19:40 45,056 --a------ I:\WINDOWS\system32\MFC71CHT.DLL
2007-05-08 19:40 40,960 --a------ I:\WINDOWS\system32\MFC71CHS.DLL
2007-05-08 19:40 348,160 --a------ I:\WINDOWS\system32\MSVCR71.DLL
2007-05-08 19:40 344,064 --a------ I:\WINDOWS\system32\MSVCR70.DLL
2007-05-08 19:40 1,060,864 --a------ I:\WINDOWS\system32\MFC71.DLL
2007-05-08 19:40 1,047,552 --a------ I:\WINDOWS\system32\MFC71u.DLL
2007-05-08 19:39 <DIR> d-------- I:\DOCUME~1\ALLUSE~1\PROGRA~1\Pinnacle Studio
2007-05-08 19:36 14,165 --a------ I:\WINDOWS\system32\drivers\Pclepci.sys
2007-05-08 19:36 <DIR> d-------- I:\DOCUME~1\ALLUSE~1\PROGRA~1\Pinnacle
2007-05-08 15:04 <DIR> d-------- I:\Programfiler\SUPERAntiSpyware
2007-05-08 15:04 <DIR> d-------- I:\DOCUME~1\ALLUSE~1\PROGRA~1\SUPERAntiSpyware.com
2007-05-07 14:49 <DIR> d-------- I:\DOCUME~1\Magnus\PROGRA~1\Lavasoft
2007-05-07 14:47 <DIR> d-------- I:\Programfiler\Lavasoft
2007-05-07 14:46 <DIR> d-------- I:\Programfiler\Fellesfiler\Wise Installation Wizard
2007-05-07 00:59 <DIR> d-------- I:\WINDOWS\pss
2007-05-06 23:37 <DIR> d-------- I:\Programfiler\Enigma Software Group
2007-05-06 23:28 512,096 --a------ I:\WINDOWS\system32\drivers\amon.sys
2007-05-06 23:28 298,104 --a------ I:\WINDOWS\system32\imon.dll
2007-05-06 23:28 15,424 --a------ I:\WINDOWS\system32\drivers\nod32drv.sys
2007-05-03 17:00 85,376 --a------ I:\WINDOWS\system32\drivers\NABTSFEC.sys
2007-05-03 17:00 53,760 --a------ I:\WINDOWS\system32\vfwwdm32.dll
2007-05-03 17:00 51,328 --a------ I:\WINDOWS\system32\drivers\msdv.sys
2007-05-03 17:00 5,504 --a------ I:\WINDOWS\system32\drivers\MSTEE.sys
2007-05-03 17:00 48,128 --a------ I:\WINDOWS\system32\drivers\61883.sys
2007-05-03 17:00 38,912 --a------ I:\WINDOWS\system32\drivers\avc.sys
2007-05-03 17:00 19,328 --a------ I:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-05-03 17:00 17,024 --a------ I:\WINDOWS\system32\drivers\CCDECODE.sys
2007-05-03 17:00 15,360 --a------ I:\WINDOWS\system32\drivers\StreamIP.sys
2007-05-03 17:00 11,136 --a------ I:\WINDOWS\system32\drivers\SLIP.sys
2007-05-03 17:00 10,880 --a------ I:\WINDOWS\system32\drivers\NdisIP.sys
2007-05-02 22:08 <DIR> d-------- I:\DOCUME~1\Magnus\PROGRA~1\LimeWire
2007-05-02 22:08 <DIR> d-------- I:\DOCUME~1\Magnus\Incomplete
2007-05-02 22:07 4,225,744 --a------ I:\WINDOWS\system32\exec1.exe
2007-05-02 22:07 1,316,864 --a------ I:\WINDOWS\system32\exec2.exe
2007-05-01 03:01 24,816 --a------ I:\WINDOWS\system32\mdimon.dll
2007-04-30 19:22 178,408 --a------ I:\WINDOWS\system32\muweb.dll
2007-04-30 19:22 127,720 --a------ I:\WINDOWS\system32\mucltui.dll
2007-04-27 20:27 <DIR> d----c--- I:\WINDOWS\system32\DRVSTORE
2007-04-27 20:27 <DIR> d-------- I:\Programfiler\Windows Live Toolbar
2007-04-27 20:27 <DIR> d-------- I:\DOCUME~1\Magnus\Contacts
2007-04-27 17:51 68,888 --a------ I:\WINDOWS\system32\xinput1_3.dll
2007-04-27 17:51 62,744 --a------ I:\WINDOWS\system32\xinput1_2.dll
2007-04-27 17:51 255,848 --a------ I:\WINDOWS\system32\xactengine2_6.dll
2007-04-27 17:51 251,672 --a------ I:\WINDOWS\system32\xactengine2_5.dll
2007-04-27 17:51 237,848 --a------ I:\WINDOWS\system32\xactengine2_4.dll
2007-04-27 17:51 236,824 --a------ I:\WINDOWS\system32\xactengine2_3.dll
2007-04-27 17:51 2,414,360 --a------ I:\WINDOWS\system32\d3dx9_31.dll
2007-04-27 17:51 2,297,552 --a------ I:\WINDOWS\system32\d3dx9_26.dll
2007-04-27 17:51 15,128 --a------ I:\WINDOWS\system32\x3daudio1_1.dll
2007-04-25 18:05 <DIR> d-------- I:\WINDOWS\system32\nb-no
2007-04-25 18:04 <DIR> d-------- I:\WINDOWS\network diagnostic

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-24 14:54:11 53,750 ----a-w I:\WINDOWS\system32\perfc014.dat
2007-05-24 14:54:11 336,482 ----a-w I:\WINDOWS\system32\perfh014.dat
2007-05-24 14:48:33 -------- d-----w I:\DOCUME~1\Magnus\PROGRA~1\.purple
2007-05-15 11:01:16 -------- d-----w I:\DOCUME~1\Magnus\PROGRA~1\uTorrent
2007-05-08 20:59:57 -------- d-----w I:\Programfiler\Codec Pack - All In 1
2007-05-08 20:44:54 -------- d--h--w I:\Programfiler\InstallShield Installation Information
2007-05-08 13:16:52 -------- d-----w I:\DOCUME~1\Magnus\PROGRA~1\SolidDocuments
2007-04-18 16:15:14 2,854,400 ----a-w I:\WINDOWS\system32\msi.dll
2007-04-17 17:05:41 -------- d-----w I:\DOCUME~1\Magnus\PROGRA~1\dvdcss
2007-04-13 12:01:45 -------- d-----w I:\Programfiler\Sound Volume Hotkeys
2007-04-12 16:13:40 -------- d-----w I:\Programfiler\Age of Empires II
2007-04-12 16:12:49 -------- d-----w I:\Programfiler\BPFTP Server
2007-04-07 00:14:42 -------- d-----w I:\DOCUME~1\Magnus\PROGRA~1\vlc
2007-04-06 18:50:52 -------- d-----w I:\DOCUME~1\Magnus\PROGRA~1\Command & Conquer 3 Tiberium Wars
2007-04-06 15:07:21 98,304 ----a-w I:\WINDOWS\system32CmdLineExt.dll
2007-04-06 15:07:21 -------- d--h--r I:\DOCUME~1\Magnus\PROGRA~1\SecuROM
2007-04-01 12:39:11 -------- d-----w I:\DOCUME~1\Magnus\PROGRA~1\Opera
2007-03-20 12:37:44 223,128 ----a-w I:\WINDOWS\system32\drivers\dtscsi.sys
2007-03-20 12:35:47 96,256 ----a-w I:\WINDOWS\system32\drivers\sptd9037.sys
2007-03-20 12:35:47 642,560 ----a-w I:\WINDOWS\system32\drivers\sptd.sys
2007-03-17 13:45:38 292,864 ----a-w I:\WINDOWS\system32\winsrv.dll
2007-03-15 10:23:16 497,496 ----a-w I:\WINDOWS\system32\XceedZip.dll
2007-03-15 10:19:58 526,184 ----a-w I:\WINDOWS\system32\XceedCry.dll
2007-03-08 15:39:11 577,536 ----a-w I:\WINDOWS\system32\user32.dll
2007-03-08 15:39:11 40,960 ----a-w I:\WINDOWS\system32\mf3216.dll
2007-03-08 15:39:11 281,600 ----a-w I:\WINDOWS\system32\gdi32.dll
2007-03-08 15:38:06 1,843,584 ----a-w I:\WINDOWS\system32\win32k.sys
2007-03-06 14:44:49 -------- d-----w I:\Programfiler\CyberLink
2007-03-06 14:43:26 -------- d-----w I:\Programfiler\Fellesfiler\InstallShield
2007-02-15 18:17:34 737,280 ----a-w I:\WINDOWS\iun6002.exe
2007-02-05 20:19:38 185,344 ----a-w I:\WINDOWS\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=c:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 01:47]
{259F616C-A300-44F5-B04A-ED001A26C85C}=C:\Programfiler\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll [2006-11-02 15:09]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=I:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="I:\WINDOWS\system32\NvCpl.dll" [2006-03-09 16:29]
"nwiz"="nwiz.exe" [2006-03-09 16:29 I:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="I:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 16:29]
"DAEMON Tools"="F:\Programfiler\DAEMON Tools\daemon.exe" [2005-12-10 16:57]
"SoundVolumeHotkeys.{9547D1C7-4F18-4104-8674-046DCD12BDF9}"="I:\Programfiler\Sound Volume Hotkeys\SoundVolumeHotkeys.exe" [2005-08-27 04:45]
"nod32kui"="C:\Programfiler\Eset\nod32kui.exe" [2007-05-06 23:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="I:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-01 09:29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\I:^Documents and Settings^Magnus^Start-meny^Programmer^Oppstart^Adobe Gamma.lnk]
path=I:\Documents and Settings\Magnus\Start-meny\Programmer\Oppstart\Adobe Gamma.lnk
backup=I:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"I:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
I:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Programfiler\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"I:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Update]
I:\Programfiler\Fellesfiler\System\btorrent16.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab6e0b5c-a70b-11db-ac51-806d6172696f}]
AutoRun\command- K:\setup.exe

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070524-162911-502
O20 - Winlogon Notify: gebbyax - I:\WINDOWS\SYSTEM32\gebbyax.dll
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebbyax]
"Asynchronous"=dword:00000001
"DllName"="gebbyax.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

backup-20070524-162911-879
O2 - BHO: (no name) - {7E751FEF-C65C-47C5-9901-83F0E044511F} - I:\WINDOWS\system32\gebbyax.dll

backup-20070524-162911-399
O2 - BHO: (no name) - {A5AE4D74-62DE-46F8-80BB-8F32E302AA90} - (no file)

backup-20070524-162911-303
O4 - HKLM\..\Run: [setup] rundll32.exe "I:\WINDOWS\system32\qshtwjsl.dll",realset

backup-20070524-162911-213
O4 - HKLM\..\Run: [Windows Update] I:\WINDOWS\System32\exec2.exe

backup-20070524-162911-933
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - I:\WINDOWS\system32\qdiabusv.dll

backup-20070516-124726-708
O20 - Winlogon Notify: hggdcaa - hggdcaa.dll (file missing)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hggdcaa]
"Asynchronous"=dword:00000001
"DllName"="hggdcaa.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

backup-20070516-124726-928
O2 - BHO: (no name) - {7E751FEF-C65C-47C5-9901-83F0E044511F} - I:\WINDOWS\system32\hggdcaa.dll (file missing)

backup-20070516-124726-385
O2 - BHO: (no name) - {4729A8DB-3716-44E4-A741-BFD22F5CCF43} - (no file)

backup-20070516-122737-110
O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - I:\WINDOWS\system32\hpsgyhlv.dll

backup-20070516-122737-807
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "I:\WINDOWS\system32\udwbiilu.dll",realset

backup-20070516-122737-357
O2 - BHO: (no name) - {7E751FEF-C65C-47C5-9901-83F0E044511F} - I:\WINDOWS\system32\hggdcaa.dll

backup-20070516-122737-523
O2 - BHO: (no name) - {76DD0AAB-4C11-46A7-9F88-43554C59F63D} - I:\WINDOWS\system32\ssqrs.dll (file missing)

backup-20070516-122737-435
O2 - BHO: (no name) - {5DE9D738-6CE6-4DDF-8A65-B25491866C1C} - I:\WINDOWS\system32\jkkji.dll

backup-20070515-181833-893
O20 - Winlogon Notify: hggdcaa - I:\WINDOWS\SYSTEM32\hggdcaa.dll
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hggdcaa]
"Asynchronous"=dword:00000001
"DllName"="hggdcaa.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"

backup-20070515-181833-663
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
backup-20070515-181833-674 O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - I:\WINDOWS\system32\cmxckbpt.dll backup-20070515-181833-894 O2 - BHO: (no name) - {7E751FEF-C65C-47C5-9901-83F0E044511F} - I:\WINDOWS\system32\hggdcaa.dll backup-20070515-181833-446 O2 - BHO: (no name) - {312D1898-5C1D-418F-8643-A54581CA1564} - (no file) backup-20070515-143119-983 O20 - Winlogon Notify: hggdcaa - I:\WINDOWS\SYSTEM32\hggdcaa.dll Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hggdcaa] "Asynchronous"=dword:00000001 "DllName"="hggdcaa.dll" "Impersonate"=dword:00000000 "Logon"="Logon" "Logoff"="Logoff" backup-20070515-143119-754 O2 - BHO: (no name) - {7E751FEF-C65C-47C5-9901-83F0E044511F} - I:\WINDOWS\system32\hggdcaa.dll backup-20070515-141923-667 O20 - Winlogon Notify: hggdcaa - I:\WINDOWS\SYSTEM32\hggdcaa.dll Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hggdcaa] "Asynchronous"=dword:00000001 "DllName"="hggdcaa.dll" "Impersonate"=dword:00000000 "Logon"="Logon" "Logoff"="Logoff" backup-20070515-141923-678 O2 - BHO: (no name) - {EECE8B29-3049-45BA-9586-FE47DAF3336E} - (no file) backup-20070515-141923-853 O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon backup-20070515-141923-573 O2 - BHO: (no name) - {7E751FEF-C65C-47C5-9901-83F0E044511F} - I:\WINDOWS\system32\hggdcaa.dll backup-20070515-141923-457 O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE backup-20070515-133524-278 O20 - Winlogon Notify: hggdcaa - I:\WINDOWS\SYSTEM32\hggdcaa.dll Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hggdcaa] "Asynchronous"=dword:00000001 "DllName"="hggdcaa.dll" "Impersonate"=dword:00000000 "Logon"="Logon" "Logoff"="Logoff" backup-20070515-133524-415 O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU) ?????????????????????? 
backup-20070515-133524-870 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) ???????????????4??????????????????????????????????=?? backup-20070515-133524-858 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) ???????????????4??????????????????????????????????=?? backup-20070515-133524-142 O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - I:\WINDOWS\system32\iraxdwjo.dll backup-20070515-133524-831 O4 - HKLM\..\Run: [Windows Update] I:\Programfiler\Fellesfiler\System\btorrent16.exe backup-20070515-133524-654 O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "I:\WINDOWS\system32\bpwldiwq.dll",realset backup-20070515-133524-871 O2 - BHO: (no name) - {7E751FEF-C65C-47C5-9901-83F0E044511F} - I:\WINDOWS\system32\hggdcaa.dll backup-20070515-133524-236 O2 - BHO: (no name) - {3C1ABC32-BDEF-421F-82F3-D032CEE33097} - (no file) ******************************************************************** catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-24 19:16:51 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ******************************************************************** Completion time: 2007-05-24 19:17:08 - machine was rebooted I:\ComboFix-quarantined-files.txt ... 2007-05-24 19:17 --- E O F --- RootLog: Klikk for å se/fjerne innholdet nedenfor ********************************* ROOTCHK-(21-05-07)-LOG, by ejvindh24.05.2007 19:21:02,43 The rootkits that are detected by this tool were not found. 
********************************* ROOTCHK-LOG-end catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-24 19:21:02 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 HJT Klikk for å se/fjerne innholdet nedenfor Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 19:21:46, on 24.05.2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: I:\WINDOWS\System32\smss.exe I:\WINDOWS\system32\winlogon.exe I:\WINDOWS\system32\services.exe I:\WINDOWS\system32\lsass.exe I:\WINDOWS\system32\svchost.exe I:\WINDOWS\System32\svchost.exe I:\WINDOWS\system32\spoolsv.exe C:\Programfiler\Eset\nod32krn.exe I:\WINDOWS\system32\nvsvc32.exe C:\Programfiler\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe I:\WINDOWS\system32\svchost.exe I:\WINDOWS\Explorer.EXE I:\WINDOWS\system32\RUNDLL32.EXE F:\Programfiler\DAEMON Tools\daemon.exe I:\Programfiler\Sound Volume Hotkeys\SoundVolumeHotkeys.exe C:\Programfiler\Eset\nod32kui.exe I:\WINDOWS\system32\ctfmon.exe C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe D:\Downloads\Random Loads\yz_dck0083\YzDock.exe I:\WINDOWS\system32\wuauclt.exe I:\WINDOWS\system32\notepad.exe C:\Programfiler\Opera 9\Opera.exe I:\WINDOWS\NOTEPAD.EXE I:\Documents and Settings\Magnus\Skrivebord\HiJackThis_v2.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O2 - BHO: 
AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Programfiler\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [DAEMON Tools] "F:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [soundVolumeHotkeys.{9547D1C7-4F18-4104-8674-046DCD12BDF9}] I:\Programfiler\Sound Volume Hotkeys\SoundVolumeHotkeys.exe -a O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Startup: Shortcut to YzDock.exe.lnk = D:\Downloads\Random Loads\yz_dck0083\YzDock.exe O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://c:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 
I:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Programfiler\Messenger\msmsgs.exe O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU) O10 - Unknown file in Winsock LSP: i:\windows\system32\nwprovau.dll O15 - Trusted Zone: http://*.update.microsoft.com O15 - Trusted Zone: http://download.windowsupdate.com O15 - Trusted Zone: http://*.windowsupdate.com O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - I:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - I:\WINDOWS\system32\browseui.dll O23 - Service: Adobe LM Service - Adobe Systems - I:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Imapi Helper - Alex Feinman - C:\Programfiler\Alex Feinman\ISO Recorder\ImapiHelper.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programfiler\Eset\nod32krn.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Programfiler\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe -- End of file - 5354 bytes Lenke til kommentar
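The ComboFix backups above record the same three autostart hooks on every reinfection: an unnamed BHO pointing at a random-named DLL in system32, a Winlogon\Notify key loading the same DLL, and a Run value (named "Windows Update", "WindowsUpdate" or "setup") that calls the DLL's `realset` export through rundll32. The script below is an added example by the editor, not a tool from the thread: it applies those observations as triage heuristics to HijackThis O2/O4/O20 lines. The sample log is constructed from the entries in this post (the removed ones mixed with the legitimate ones that remain), and the heuristics are the editor's own, so a hit is a lead to check, not a verdict.

```python
"""Triage heuristics for HijackThis O2/O4/O20 lines (editor's added example)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reason")

# Constructed sample built from the post above: entries ComboFix backed up
# (gebbyax, hggdcaa, qshtwjsl, exec2, btorrent16) plus legitimate survivors.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E751FEF-C65C-47C5-9901-83F0E044511F} - I:\WINDOWS\system32\gebbyax.dll
O2 - BHO: (no name) - {A5AE4D74-62DE-46F8-80BB-8F32E302AA90} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [setup] rundll32.exe "I:\WINDOWS\system32\qshtwjsl.dll",realset
O4 - HKLM\..\Run: [Windows Update] I:\WINDOWS\System32\exec2.exe
O4 - HKLM\..\Run: [Windows Update] I:\Programfiler\Fellesfiler\System\btorrent16.exe
O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gebbyax - I:\WINDOWS\SYSTEM32\gebbyax.dll
O20 - Winlogon Notify: hggdcaa - hggdcaa.dll (file missing)
"""

# Vundo-style filenames seen in the backups: 5-8 lowercase letters, no digits.
RANDOM_DLL = re.compile(r"^[a-z]{5,8}\.dll$")
SYSTEM32 = re.compile(r"\\windows\\system32\\", re.I)
# Run-value names that impersonate Windows components. Windows Update itself
# runs as a service and registers nothing under Run, so the name is a red flag.
IMPERSONATED_NAMES = {"windowsupdate", "setup"}


def _basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def check_o2(rest):
    """rest is 'BHO: <name> - {CLSID} - <path>'."""
    m = re.match(r"BHO: (.*?) - \{[0-9A-Fa-f-]{36}\} - (.*)$", rest)
    if not m:
        return None
    name, path = m.groups()
    if path == "(no file)" or path.endswith("(file missing)"):
        return "orphaned BHO: CLSID still registered but the DLL is gone"
    if name == "(no name)" and SYSTEM32.search(path) and RANDOM_DLL.match(_basename(path)):
        return "unnamed BHO loading a random-named DLL from system32 (Vundo pattern)"
    return None


def check_o4(rest):
    """rest is 'HKLM\\..\\Run: [<name>] <command>'."""
    m = re.match(r"HK[A-Z]+\\\.\.\\Run: \[(.*?)\] (.*)$", rest)
    if not m:
        return None
    name, command = m.groups()
    low = command.lower()
    if "rundll32" in low and low.rstrip().endswith(",realset"):
        return "rundll32 calling export 'realset' on a DLL (re-registers the BHO at logon)"
    if name.lower().replace(" ", "") in IMPERSONATED_NAMES:
        return "Run value named like a Windows component; verify the target file"
    return None


def check_o20(rest):
    """rest is 'Winlogon Notify: <key> - <path>'."""
    m = re.match(r"Winlogon Notify: (\S+) - (.*)$", rest)
    if not m:
        return None
    _key, path = m.groups()
    if path.endswith("(file missing)"):
        return "Winlogon Notify key whose DLL is gone; delete the registry key"
    if SYSTEM32.search(path) and RANDOM_DLL.match(_basename(path)):
        return "random-named Winlogon Notify DLL in system32: loaded by winlogon.exe at every logon"
    return None


CHECKS = {"O2": check_o2, "O4": check_o4, "O20": check_o20}


def triage(log_text):
    """Return a Finding for every O2/O4/O20 line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"(O\d+) - (.*)$", line)
        if not m:
            continue
        section, rest = m.groups()
        check = CHECKS.get(section)
        reason = check(rest) if check else None
        if reason:
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it flags seven lines and leaves the Adobe, Java, NVIDIA and SUPERAntiSpyware entries alone. The "(file missing)" and "(no file)" hits matter as much as the live ones: a Winlogon\Notify key whose DLL has already been deleted still makes winlogon.exe try to load it, and the reinfections in this thread show the CLSIDs being reused for the next DLL name.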
norbat Posted 24 May 2007
The last HJT log looks fine. How is the PC running?
m0g1e (thread author) Posted 24 May 2007
Good so far, but I got a bit sceptical about the ugly boot-up caused by Avenger... Thanks so far! Probably not the last time I'll ask.
norbat Posted 24 May 2007
Get CCleaner. Start the program. Go to 'Options' -> 'Advanced'. Untick the box in front of "Only delete temporary files ...". Click 'Cleaner' and then 'Run CCleaner'. Also run a few passes of 'Issues' until it finds no more errors.

You should reset the System Restore folder so that you are not reinfected by a later system restore. Control Panel -> System -> System Restore. Tick "Turn off ...", restart the PC, then untick it again to re-enable the function.

Check the following file on Jotti: I:\Programfiler\Fellesfiler\System\btorrent16.exe (You may need to turn on "Show hidden files and folders" to find the file (if it exists)). If it turns out to be infected, delete it.