LuXe, posted 3 June 2007 (edited)

I think I have some problems with a few trojans. I'm trying to remove them, but I'm not sure whether they're gone. Attaching the HJT log file.

Logfile of HijackThis v1.99.1
Scan saved at 19:45:42, on 03.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Programfiler\Grisoft\AVG Free\avgcc.exe
C:\Programfiler\Grisoft\AVG Free\avgwb.dat
C:\WINDOWS\winhlp32.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamereactor.no
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamereactor.no
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sManager] smanager.7.exe
O4 - HKLM\..\Run: [ipqpwngj.exe] C:\Documents and Settings\All Users\Programdata\ipqpwngj.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\faxaviwl.dll",realset
O4 - HKLM\..\RunOnce: [Regcledtkrn] C:\WINDOWS\system32\Regsvr32.exe /s "C:\Programfiler\CyberLink\PowerDirector\cledtkrn.dll"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Programfiler\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Awre] "C:\DOCUME~1\PETERK~1\PROGRA~1\SSTEM~1\alg.exe" -vt yazb
O4 - HKCU\..\Run: [Qlffj] "C:\Documents and Settings\Peter Kongsvik\Mine dokumenter\?dobe\spool32.exe"
O8 - Extra context menu item: &MSN Search - res://C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll/search.htm
O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Programfiler\MSN Toolbar Suite\TAB\02.05.0000.1105\nb-no\msntabres.dll/229?4dde03ce85104e3bb83b32813cb83cb
O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Programfiler\MSN Toolbar Suite\TAB\02.05.0000.1105\nb-no\msntabres.dll/230?4dde03ce85104e3bb83b32813cb83cb
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DB8E775-305B-4402-BFB7-67090DB28F66}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mimer.no
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mimer.no
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

Edited 21 June 2007 by LuXe
norbat, posted 3 June 2007

Download SDFix.exe. Extract the program.
Download SAS, install it and update it.
Restart in safe mode (tap F8 during startup).
Run RunThis.bat in the SDFix folder. A report is generated (Report.txt).
Run a full scan with SAS.
Restart in normal mode.
Post a new HJT log together with the logs from SDFix and SAS (Preferences -> Statistics/Logs).
LuXe (thread author), posted 3 June 2007

OK, here are the logs:

SDFix: Version 1.85
Run by Peter Kongsvik - 03.06.2007 - 20:15:57.18
Microsoft Windows XP [Versjon 5.1.2600]
Running From: C:\SDFix

Safe Mode:
Checking Services:

Name: ntio256
ImagePath: \??\C:\WINDOWS\system32\ntio256.sys

ntio256 - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\max1d1641.exe - Deleted
C:\WINDOWS\system32\ntio256.sys - Deleted
C:\WINDOWS\system32\winsys.exe - Deleted
C:\WINDOWS\wr.txt - Deleted

Removing Temp Files...

ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programfiler\\EA Games\\MOHAA\\MOHAA.exe"="C:\\Programfiler\\EA Games\\MOHAA\\MOHAA.exe:*:Enabled:Medal of Honor Allied Assault"
"C:\\Programfiler\\EA Games\\Battlefield 2\\Bf2_w32ded.exe"="C:\\Programfiler\\EA Games\\Battlefield 2\\Bf2_w32ded.exe:*:Enabled:Bf2_w32ded"
"C:\\Programfiler\\EA Games\\Battlefield 2\\BF2VoipServer_w32ded.exe"="C:\\Programfiler\\EA Games\\Battlefield 2\\BF2VoipServer_w32ded.exe:*:Enabled:BF2VoipServer_w32ded"
"C:\\Programfiler\\GameSpy Arcade\\Aphex.exe"="C:\\Programfiler\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Programfiler\\BitTorrent\\bittorrent.exe"="C:\\Programfiler\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Programfiler\\EA Games\\Battlefield 2\\BF2.exe"="C:\\Programfiler\\EA Games\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Programfiler\\uTorrent\\utorrent.exe"="C:\\Programfiler\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Programfiler\\MSN Messenger\\msncall.exe"="C:\\Programfiler\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Programfiler\\Grisoft\\AVG Free\\avginet.exe"="C:\\Programfiler\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Programfiler\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Programfiler\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Programfiler\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Programfiler\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Programfiler\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Programfiler\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Programfiler\\LimeWire\\LimeWire.exe"="C:\\Programfiler\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Programfiler\\Steam\\SteamApps\\ar_pharazon\\counter-strike\\hl.exe"="C:\\Programfiler\\Steam\\SteamApps\\ar_pharazon\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Documents and Settings\\All Users\\Dokumenter\\Wc3 on espen (Espen)\\War3.exe"="C:\\Documents and Settings\\All Users\\Dokumenter\\Wc3 on espen (Espen)\\War3.exe:*:Enabled:Warcraft III"
"C:\\Documents and Settings\\All Users\\Dokumenter\\Counter-Strike\\Counter-Strike\\cstrike.exe"="C:\\Documents and Settings\\All Users\\Dokumenter\\Counter-Strike\\Counter-Strike\\cstrike.exe:*:Enabled:CounterStrike Launcher"
"C:\\Soldat\\Soldat.exe"="C:\\Soldat\\Soldat.exe:*:Enabled:Soldat"
"C:\\Programfiler\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enGB-patch-downloader.exe"="C:\\Programfiler\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enGB-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Programfiler\\Messenger\\msmsgs.exe"="C:\\Programfiler\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"="C:\\Programfiler\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programfiler\\MSN Messenger\\livecall.exe"="C:\\Programfiler\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Programfiler\\Skype\\Phone\\Skype.exe"="C:\\Programfiler\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Programfiler\\Fellesfiler\\AOL\\Loader\\aolload.exe"="C:\\Programfiler\\Fellesfiler\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programfiler\\MSN Messenger\\msncall.exe"="C:\\Programfiler\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"="C:\\Programfiler\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programfiler\\MSN Messenger\\livecall.exe"="C:\\Programfiler\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Documents and Settings\Peter Kongsvik\AndrMask\filmes på adorocinema.cidadeinternet.com.br\Desktop.ini
C:\Documents and Settings\Peter Kongsvik\Lokale innstillinger\Programdata\Microsoft\Messenger\[email protected]\Sharing Folders\[email protected]\HABBO RAID\Thumbs.db
C:\Programfiler\eRightSoft\SUPER\_Setup.dll
C:\Programfiler\eRightSoft\SUPER\mencoder\14_43260.dll
C:\Programfiler\eRightSoft\SUPER\mencoder\28_83260.dll
C:\Programfiler\eRightSoft\SUPER\mencoder\atrc3260.dll
C:\Programfiler\eRightSoft\SUPER\mencoder\cook3260.dll
C:\Programfiler\eRightSoft\SUPER\mencoder\dnet3260.dll
C:\Programfiler\eRightSoft\SUPER\mencoder\drv23260.dll
C:\Programfiler\eRightSoft\SUPER\mencoder\drv33260.dll
C:\Programfiler\eRightSoft\SUPER\mencoder\drv43260.dll
C:\Programfiler\eRightSoft\SUPER\mencoder\ivvideo.dll
C:\Programfiler\eRightSoft\SUPER\mencoder\qtmlClient.dll
C:\Programfiler\eRightSoft\SUPER\mencoder\raac.dll
C:\Programfiler\eRightSoft\SUPER\mencoder\sipr3260.dll
C:\Programfiler\VID_0E8F&PID_0012\Masspread\DualVibration\GAJoyFF.dll
C:\Programfiler\VID_0E8F&PID_0012\Masspread\DualVibration\GAJoyPS.dll
C:\WINDOWS\system32\avisynth.dll
C:\WINDOWS\system32\AVSredirect.dll
C:\WINDOWS\system32\cygwin1.dll
C:\WINDOWS\system32\cygz.dll
C:\WINDOWS\system32\i420vfw.dll
C:\WINDOWS\system32\Smab.dll
C:\WINDOWS\system32\yv12vfw.dll
C:\Programfiler\eRightSoft\SUPER\Setup.exe
C:\Programfiler\Home Plan Software\Easy Image Convertor\uninstall_imgconv.exe
C:\Programfiler\Smart Projects\IsoBuster\Help\AHlp.exe
C:\WINDOWS\meta4.exe
C:\WINDOWS\MOTA113.exe
C:\WINDOWS\x2.64.exe
C:\WINDOWS\system32\x.264.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp

Finished

Logfile of HijackThis v1.99.1
Scan saved at 21:45:03, on 03.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Documents and Settings\All Users\Programdata\ipqpwngj.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamereactor.no
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamereactor.no
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ipqpwngj.exe] C:\Documents and Settings\All Users\Programdata\ipqpwngj.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\faxaviwl.dll",realset
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Programfiler\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Awre] "C:\DOCUME~1\PETERK~1\PROGRA~1\SSTEM~1\alg.exe" -vt yazb
O4 - HKCU\..\Run: [Qlffj] "C:\Documents and Settings\Peter Kongsvik\Mine dokumenter\?dobe\spool32.exe"
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &MSN Search - res://C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll/search.htm
O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Programfiler\MSN Toolbar Suite\TAB\02.05.0000.1105\nb-no\msntabres.dll/229?4dde03ce85104e3bb83b32813cb83cb
O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Programfiler\MSN Toolbar Suite\TAB\02.05.0000.1105\nb-no\msntabres.dll/230?4dde03ce85104e3bb83b32813cb83cb
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DB8E775-305B-4402-BFB7-67090DB28F66}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mimer.no
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mimer.no
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

I don't know where to find the SAS log. I've looked everywhere here.
norbat, posted 3 June 2007

Make sure you can see hidden files and folders (Control Panel -> Folder Options -> View -> "Show hidden files and folders").

Go to the site http://virusscan.jotti.org/ and check the following file:
C:\Documents and Settings\All Users\Programdata\ipqpwngj.exe
If anything is found, remove that from the HJT log as well (see below). (The site may be 'busy', so you may need some patience.)

Run HJT, choose "Do a system scan only" and tick the following lines:
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\faxaviwl.dll",realset
O4 - HKCU\..\Run: [Awre] "C:\DOCUME~1\PETERK~1\PROGRA~1\SSTEM~1\alg.exe" -vt yazb
O4 - HKCU\..\Run: [Qlffj] "C:\Documents and Settings\Peter Kongsvik\Mine dokumenter\?dobe\spool32.exe"

Restart in safe mode (tap F8 during startup, choose safe mode).
Use Explorer to find and delete, if they exist (in bold):
C:\WINDOWS\system32\faxaviwl.dll
C:\DOCUME~1\PETERK~1\PROGRA~1\SSTEM~1\
C:\Documents and Settings\Peter Kongsvik\Mine dokumenter\?dobe\
(And, if applicable, the file you checked on Jotti.)

Restart in normal mode.
Post a new HJT log. (You'll find the SAS log by right-clicking the 'bug' in the system tray, choosing Control Center, then the Statistics/Logs tab.)
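The O4 lines norbat singles out above share a few traits a log helper looks for: an executable started from the user's profile rather than Program Files or system32, a file whose name imitates a Windows process (alg.exe) but lives elsewhere, a folder name with a character that cannot occur in a real Windows filename, and random-looking names such as faxaviwl.dll and ipqpwngj.exe. The script below is an added example, not part of the thread or of HijackThis, SDFix or SUPERAntiSpyware: it parses O4 lines with those heuristics (which are this example's own, and only a prompt to look closer) and runs them over the O4 lines from the first log posted in the thread.

```python
"""Heuristic triage of HijackThis O4 (autostart) lines.

Added example for this thread; it is not part of HijackThis, SDFix or
SUPERAntiSpyware, and the heuristics are this example's own. A hit means
"look closer", not proof of infection.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample input: O4 lines copied from the first HJT log in this thread.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [sManager] smanager.7.exe',
    r'O4 - HKLM\..\Run: [ipqpwngj.exe] C:\Documents and Settings\All Users\Programdata\ipqpwngj.exe',
    r'O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\faxaviwl.dll",realset',
    r'O4 - HKLM\..\RunOnce: [Regcledtkrn] C:\WINDOWS\system32\Regsvr32.exe /s "C:\Programfiler\CyberLink\PowerDirector\cledtkrn.dll"',
    r'O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background',
    r'O4 - HKCU\..\Run: [Awre] "C:\DOCUME~1\PETERK~1\PROGRA~1\SSTEM~1\alg.exe" -vt yazb',
    r'O4 - HKCU\..\Run: [Qlffj] "C:\Documents and Settings\Peter Kongsvik\Mine dokumenter\?dobe\spool32.exe"',
]

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
EXE_EXTS = ('exe', 'com', 'scr', 'bat', 'cmd', 'pif')
LIB_EXTS = ('dll', 'ocx', 'cpl')
HOST_PROCESSES = {'rundll32.exe', 'regsvr32.exe'}      # they load the DLL given as argument
USER_WRITABLE_PREFIXES = ('c:\\documents and settings\\', 'c:\\docume~1\\')  # XP profile root (assumed)
SYSTEM_LOOKALIKES = {'alg.exe', 'svchost.exe', 'lsass.exe', 'csrss.exe', 'smss.exe',
                     'winlogon.exe', 'services.exe', 'spoolsv.exe', 'explorer.exe'}
RARE_LETTERS = set('qxzjwv')   # uncommon in product names, common in generated ones


@dataclass
class Entry:
    hive: str
    key: str
    name: str
    path: str       # file that actually gets loaded
    reasons: list   # empty list means nothing looked odd


def _first_path(text, exts):
    """Split off the leading path of `text`: honour quotes, or for an unquoted
    path containing spaces stop at the first filename extension in `exts`."""
    text = text.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        return (text[1:end], text[end + 1:]) if end > 0 else (text[1:], '')
    m = re.match(r'(.*?\.(?:%s))(?=[\s,]|$)' % '|'.join(exts), text, re.IGNORECASE)
    if m:
        return m.group(1), text[m.end():]
    head, _, rest = text.partition(' ')
    return head, rest


def launched_file(cmd):
    """Return the file a Run command really loads: the executable itself, or the
    DLL argument when the executable is a host such as rundll32/regsvr32."""
    exe, rest = _first_path(cmd, EXE_EXTS)
    if ntpath.basename(exe).lower() in HOST_PROCESSES:
        rest = re.sub(r'^\s*(?:/\S+\s+)*', '', rest)   # drop switches such as "/s"
        return _first_path(rest, LIB_EXTS)[0]
    return exe


def triage(line):
    """Parse one O4 line and attach the reasons it looks suspicious (if any)."""
    m = O4_RE.match(line)
    if not m:
        return None
    path = launched_file(m['cmd'])
    base = ntpath.basename(path)
    low = path.lower()
    stem = ''.join(ch for ch in ntpath.splitext(base)[0].lower() if ch.isalpha())
    reasons = []
    if not ntpath.dirname(path):
        reasons.append('no directory given, so the file is located by PATH search')
    if low.startswith(USER_WRITABLE_PREFIXES) or '\\temp\\' in low:
        reasons.append('runs from a user-writable profile directory')
    if base.lower() in SYSTEM_LOOKALIKES and not low.startswith('c:\\windows\\'):
        reasons.append('name imitates the Windows process %s but is outside C:\\WINDOWS' % base)
    if any(ch in '?*<>|"' for ch in path):
        reasons.append('path contains a character that is invalid in a Windows filename '
                       '(often a non-ASCII look-alike letter displayed as ?)')
    if len(stem) >= 6 and sum(ch in RARE_LETTERS for ch in stem) >= 2:
        reasons.append('random-looking file name (heuristic: several rare letters)')
    return Entry(m['hive'], m['key'], m['name'], path, reasons)


def suspicious(lines):
    """Entries from `lines` that triggered at least one heuristic, in log order."""
    entries = (triage(line) for line in lines)
    return [e for e in entries if e is not None and e.reasons]


if __name__ == '__main__':
    for e in suspicious(SAMPLE_O4_LINES):
        print('%s\\..\\%s [%s] -> %s' % (e.hive, e.key, e.name, e.path))
        for r in e.reasons:
            print('    - ' + r)
```

On the sample it flags sManager, ipqpwngj.exe, Genuine, Awre and Qlffj and leaves the NVIDIA, QuickTime, CyberLink and Messenger entries alone, which matches the lines norbat picked plus the two that SDFix and SAS later identified. The NVIDIA entries show why `launched_file` follows rundll32 to its DLL argument: judging rundll32.exe itself would tell you nothing.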
LuXe (thread author), posted 3 June 2007

SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/03/2007 at 09:23 PM

Application Version : 3.8.1002

Core Rules Database Version : 3248
Trace Rules Database Version: 1259

Scan type : Complete Scan
Total Scan Time : 00:55:21

Memory items scanned : 167
Memory threats detected : 1
Registry items scanned : 5762
Registry threats detected : 55
File items scanned : 40408
File threats detected : 17

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\MLJGH.DLL
C:\WINDOWS\SYSTEM32\MLJGH.DLL
HKLM\Software\Classes\CLSID\{B1843C0D-7415-4DD4-A619-6A1EDB32B96A}
HKCR\CLSID\{B1843C0D-7415-4DD4-A619-6A1EDB32B96A}
HKCR\CLSID\{B1843C0D-7415-4DD4-A619-6A1EDB32B96A}\InprocServer32
HKCR\CLSID\{B1843C0D-7415-4DD4-A619-6A1EDB32B96A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}
HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}
HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}\InprocServer32
HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\FBLBBCRS.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1843C0D-7415-4DD4-A619-6A1EDB32B96A}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CD3447D4-CA39-4377-8084-30E86331D74C}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\mljgh
HKCR\CLSID\{CD3447D4-CA39-4377-8084-30E86331D74C}

Unclassified.Oreans32
HKLM\System\ControlSet002\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet004\Services\oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Driver
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Trojan.Vundo
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\mljgh
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\mljgh#Asynchronous
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\mljgh#DllName
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\mljgh#Impersonate
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\mljgh#Startup
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\mljgh#Logoff

Adware.ClickSpring/Outer Info Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayIcon
C:\Programfiler\Outerinfo\Terms.rtf
C:\Programfiler\Outerinfo

Adware.ClickSpring
C:\DOCUMENTS AND SETTINGS\PETER KONGSVIK\MINE DOKUMENTER\DOBE~1\SPOOL32.EXE

Adware.Aurora-Installer
C:\PROGRAMFILER\CYBERLINK\POWERDIRECTOR\PDAURORA.DLL

Adware.ClickSpring/Yazzle
C:\PROGRAMFILER\FELLESFILER\YAZZLE1162OINUNINSTALLER.EXE
C:\RECYCLER\S-1-5-21-842925246-1993962763-725345543-1003\DC1\UNINSTALL.LNK
C:\WINDOWS\PREFETCH\YAZZLE1162OINADMIN.EXE-02D607D0.PF

Dialer.Dial/Gen Variant
C:\SDFIX\BACKUPS\MAX1D1641.EXE

Trojan.Downloader-PoofPoof/Rootkit
C:\SDFIX\BACKUPS\NTIO256.SYS

Trojan.Unknown Origin
C:\WINDOWS\SMANAGER.7.EXE~
C:\WINDOWS\SYSTEM32\WNSINTISV32.EXE

Trojan.Downloader-SpyTool
C:\WINDOWS\SYSTEM32\IFIOPFDV.DLL

Trace.Known Threat Sources
C:\Documents and Settings\Peter Kongsvik\Lokale innstillinger\Temporary Internet Files\Content.IE5\CNQBI9EP\campaigns7[1].encrypted
C:\Documents and Settings\Peter Kongsvik\Lokale innstillinger\Temporary Internet Files\Content.IE5\6HAV03WL\client_settings_3[1].bin

Logfile of HijackThis v1.99.1
Scan saved at 22:33:45, on 03.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamereactor.no
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamereactor.no
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ipqpwngj.exe] C:\Documents and Settings\All Users\Programdata\ipqpwngj.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Programfiler\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &MSN Search - res://C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll/search.htm
O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Programfiler\MSN Toolbar Suite\TAB\02.05.0000.1105\nb-no\msntabres.dll/229?4dde03ce85104e3bb83b32813cb83cb
O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Programfiler\MSN Toolbar Suite\TAB\02.05.0000.1105\nb-no\msntabres.dll/230?4dde03ce85104e3bb83b32813cb83cb
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DB8E775-305B-4402-BFB7-67090DB28F66}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mimer.no
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mimer.no
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

By the way, I want to say I REALLY appreciate the help, Norbat. Thanks a lot!
LuXe (thread author), posted 4 June 2007 (edited)

OK, I didn't know how to find the file in HJT, and I don't think I really know how to use Killbox properly either. (It showed some kind of message, after which a reboot was supposed to follow, saying it had been deleted.) So I found it among the startup processes in TuneUp Utilities and removed it. Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 15:20:52, on 04.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamereactor.no
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamereactor.no
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &MSN Search - res://C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll/search.htm
O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Programfiler\MSN Toolbar Suite\TAB\02.05.0000.1105\nb-no\msntabres.dll/229?4dde03ce85104e3bb83b32813cb83cb
O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Programfiler\MSN Toolbar Suite\TAB\02.05.0000.1105\nb-no\msntabres.dll/230?4dde03ce85104e3bb83b32813cb83cb
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DB8E775-305B-4402-BFB7-67090DB28F66}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mimer.no
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mimer.no
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

By the way, a BIG thank you to Norbat, who has helped me here. Masterfully done! I also have to ask: where did you get this kind of knowledge, and how do you analyse all the logs?

Edited 4 June 2007 by LuXe
norbat, posted 4 June 2007

The HJT log looks fine. You should clear the System Restore folder so that you don't get reinfected by a possible system restore. Control Panel -> System -> System Restore. Tick "Turn off System Restore ...", restart the PC, then untick it again to re-enable the feature.

Surf safely!
LuXe (thread author), posted 4 June 2007

Well, then pretty much everything is safe. I've certainly learned a hard lesson here (I was careless and opened self-extracting trojans), and even though I tried on my own at first, I couldn't manage it. But I have to ask, Norbat: how did you become so knowledgeable in this area, and how do you analyse HJT logs?

Many thanks
norbat, posted 4 June 2007 (edited)

After a year of many hours with HJT logs, you ought to get some overview. I still have lots to learn, which is what keeps this fun. A good start, if you want to learn HJT logs, is to read the various forums that do this kind of support (mostly English-language ones; there are also some good Danish ones, e.g. www.spywarefri.dk, and then of course there is this forum). One thing is spotting whether there is something in the log that shouldn't be there (there are some websites that can check this automatically, but they aren't entirely reliable); another is using a tool that can remove it. But practice makes perfect, as the saying goes.

Edited 4 June 2007 by norbat
LuXe (thread author), posted 21 June 2007 (edited)

Hi Norbat, something must still be wrong. I get messages that shut down my PC, and sometimes the internet gets extremely slow. I get a message that "services.exe" is shutting down, and then the PC shuts down after 30 seconds. Sometimes the internet becomes unusable. I'm sticking to bumping this thread, since it's the same problem. I'm including a HijackThis log file.

Edit: popups with Celldorado etc. also suddenly appear in Internet Explorer, even though I use FF.

Logfile of HijackThis v1.99.1
Scan saved at 11:17:18, on 21.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\j6201834.exe
C:\WINDOWS\system32\skvxwvtf.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamereactor.no
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamereactor.no
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\ufxvhudj.dll",realset
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &MSN Search - res://C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll/search.htm
O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Programfiler\MSN Toolbar Suite\TAB\02.05.0000.1105\nb-no\msntabres.dll/229?4dde03ce85104e3bb83b32813cb83cb
O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Programfiler\MSN Toolbar Suite\TAB\02.05.0000.1105\nb-no\msntabres.dll/230?4dde03ce85104e3bb83b32813cb83cb
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DB8E775-305B-4402-BFB7-67090DB28F66}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mimer.no
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mimer.no
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: dns cache reader (DNSCacheReader) - Unknown owner - C:\WINDOWS\system32\j6201834.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\skvxwvtf.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)

Edited 21 June 2007 by LuXe
killerboy85, posted 21 June 2007

Looks like you've got the MSBlaster virus. Run an antivirus program that makes sure to delete MSBlaster from your machine.
norbat, posted 21 June 2007 (edited)

Click Start -> Run. Type: services.msc

Find and stop the following services if they are running. Right-click the services and choose Properties. Under Startup type, choose 'Disabled':

dns cache reader (DNSCacheReader)
DomainService - -

Run HJT, tick the following lines and click 'Fix checked':

O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\ufxvhudj.dll",realset
O23 - Service: dns cache reader (DNSCacheReader) - Unknown owner - C:\WINDOWS\system32\j6201834.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\skvxwvtf.exe

Download Avenger and unpack it. Start the program, select "Input Script Manually" and click the magnifying glass. In the window that opens, copy and paste what is in bold below:

Files to delete:
C:\WINDOWS\system32\ufxvhudj.dll
C:\WINDOWS\system32\j6201834.exe
C:\WINDOWS\system32\skvxwvtf.exe

Click the traffic light. Restart the PC. After the restart a log file will appear that tells what happened. Post it later.

Download ComboFix and put it on the desktop. Run combofix.exe and follow the instructions. Do not click on the window while the program is running. Post the log file from ComboFix (usually c:\combofix.txt), the Avenger log and a new HJT log.

Edited 21 June 2007 by norbat
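The triage norbat does by eye in the post above (two services in system32 with random names and no publisher, plus a Run entry where rundll32 loads a random DLL) can be written down as a script. This is an added example and not code from the thread, from HijackThis or from any tool mentioned here: the scoring weights, the `KNOWN_GOOD` allowlist and the `triage_line`/`triage_log` names are my own assumptions, and the sample input is constructed from lines copied out of the HJT logs LuXe posted on 21 June.

```python
"""Heuristic triage of HijackThis (HJT) log lines, as a helper would do by eye."""
import re
from dataclasses import dataclass, field

# Assumed known-good basenames (lowercase, no extension). Real helpers lean on a
# database of thousands of such entries; these four are what the sample needs.
KNOWN_GOOD = {"nvcpl", "nvmctray", "nvsvc32", "msnmsgr"}

ENTRY_RE = re.compile(r"^(?P<type>[ORF]\d+) - (?P<body>.*)$")
# First drive-letter path up to a binary extension; stops before ",Export" or " /flag".
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|sys)\b', re.I)
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<target>[A-Za-z]:\\.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<target>.*)$")


@dataclass
class Finding:
    line: str
    verdict: str = "clean"       # clean | orphan | suspicious
    score: int = 0
    reasons: list = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Consonant soup ('skvxwvtf') or letter-and-digit salad ('j6201834')."""
    s = stem.lower()
    if len(s) < 6 or not re.fullmatch(r"[a-z0-9]+", s):
        return False
    digits = sum(c.isdigit() for c in s)
    letters = len(s) - digits
    vowels = sum(c in "aeiouy" for c in s)
    return (letters > 0 and vowels / letters <= 0.25) or (digits >= 4 and letters >= 1)


def _stem(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def triage_line(line: str) -> Finding:
    f = Finding(line=line.rstrip())
    m = ENTRY_RE.match(f.line)
    if not m:
        return f
    kind, body = m.group("type"), m.group("body")
    if "(file missing)" in body or "(no file)" in body:
        f.verdict = "orphan"     # nothing can run from it; fix it to tidy up, low priority
        f.reasons.append("referenced file is missing")
        return f

    path, owner_unknown, via_rundll32, unnamed = None, False, False, False
    if kind == "O23":
        # Forum extraction collapses the double space HJT prints for an empty company field.
        m23 = O23_RE.match(body.replace(" - - ", " -  - "))
        if m23:
            path = m23.group("target")
            owner_unknown = m23.group("owner").strip() in ("", "Unknown owner")
    elif kind == "O4":
        m4 = O4_RE.match(body)
        if m4:
            pm = PATH_RE.search(m4.group("cmd"))
            path = pm.group(0) if pm else None
            via_rundll32 = m4.group("cmd").lower().startswith("rundll32")
    elif kind == "O2":
        m2 = O2_RE.match(body)
        if m2:
            path = m2.group("target")
            unnamed = m2.group("name") == "(no name)"
    if not path or _stem(path) in KNOWN_GOOD:
        return f                 # other section types are not scored here

    stem = _stem(path)
    in_system32 = "\\system32\\" in path.lower()
    if looks_random(stem):
        f.score += 2
        f.reasons.append(f"random-looking name {stem!r}")
    if owner_unknown:
        f.score += 1
        f.reasons.append("service has no publisher")
    if via_rundll32 and in_system32:
        f.score += 1
        f.reasons.append("rundll32 loads a DLL from system32")
    if unnamed and in_system32:
        f.score += 2
        f.reasons.append("unnamed BHO in system32")
    if f.score >= 2:
        f.verdict = "suspicious"
    return f


def triage_log(text: str) -> list:
    """Entries worth acting on, in log order; clean lines are dropped."""
    return [r for r in map(triage_line, text.splitlines()) if r.verdict != "clean"]


# Constructed sample: lines copied from the HJT logs LuXe posted on 21 June.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\ufxvhudj.dll",realset
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O23 - Service: dns cache reader (DNSCacheReader) - Unknown owner - C:\WINDOWS\system32\j6201834.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\skvxwvtf.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O2 - BHO: (no name) - {E57A1D42-81AA-DD2D-8A0B-88ADD2E624C7} - C:\WINDOWS\system32\cjp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
"""

if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f"[{r.verdict:10}] {r.line}\n             {'; '.join(r.reasons)}")
```

The scores are deliberately coarse. The company string HJT prints comes from the file's version resource, which malware can fill in at will, so a known publisher only lowers priority rather than clearing an entry; the allowlist stands in for the known-file databases that the automatic log checkers norbat mentions are built on, and those are exactly where the false negatives come from. The script flags the same three entries norbat lists, marks the SecuROM service as an orphan rather than a threat, and additionally picks up the unnamed cjp.dll BHO from the later log, which is worth a look for the same reason: a three-letter DLL in system32 with no name and no publisher.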
LuXe (thread author), posted 21 June 2007

OK. Here they are, but I couldn't find those lines I was supposed to fix in HJT at all. (I did disable the two processes in services.msc, for sure.) I also got an extra file from ComboFix about quarantined files. Posting that too.

ComboFix 07-06-21.3 - C:\Documents and Settings\Peter Kongsvik\Skrivebord\ComboFix.exe
"Peter Kongsvik" - 2007-06-21 12:25:47 - Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\biuxslqu.dll
C:\WINDOWS\system32\bqnhkaqn.dll
C:\WINDOWS\system32\bxtlqwjw.dll
C:\WINDOWS\system32\fentvdyi.dll
C:\WINDOWS\system32\haonvrgi.dll
C:\WINDOWS\system32\hgdpuftr.dll
C:\WINDOWS\system32\jjttyyps.dll
C:\WINDOWS\system32\kqnrjlrw.dll
C:\WINDOWS\system32\lmhoxtup.dll
C:\WINDOWS\system32\uvndekft.dll
C:\WINDOWS\system32\yoglobvr.dll
C:\WINDOWS\system32\pmnlmll.dll
C:\WINDOWS\system32\wjwqltxb.ini
C:\WINDOWS\system32\iydvtnef.ini
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\dcbeg.bak2
C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\dcbeg.ini2
C:\WINDOWS\system32\dcbeg.tmp
C:\WINDOWS\system32\spyyttjj.ini
C:\WINDOWS\system32\wrljrnqk.ini
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\dcbeg.bak2
C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\dcbeg.ini2
C:\WINDOWS\system32\dcbeg.tmp
C:\WINDOWS\system32\hgjlm.bak1
C:\WINDOWS\system32\hgjlm.ini
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\dcbeg.bak2
C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\dcbeg.ini2
C:\WINDOWS\system32\dcbeg.tmp
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\jkkkige.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\PETERK~1\MINEDO~1.\dobe~1
C:\WINDOWS\installer\7d9e8.msi
C:\WINDOWS\system32\win.exe
C:\WINDOWS\system32\xpdx.sys

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\xpdx

((((((((((((((((((((((((( Files Created from 2007-05-21 to 2007-06-21 )))))))))))))))))))))))))))))))

2007-06-21 12:25    49,152      --a------   C:\WINDOWS\nircmd.exe
2007-06-21 12:20    122,900     --a------   C:\WINDOWS\system32\nbkkxnul.exe
2007-06-21 12:03    122,900     --a------   C:\WINDOWS\system32\avhjndqu.exe
2007-06-21 11:31    <DIR>       d--------   C:\WINDOWS\system32\SuperAdBlocker.com
2007-06-21 11:13    122,900     --a------   C:\WINDOWS\system32\tbhbcrji.exe
2007-06-21 11:06    122,900     --a------   C:\WINDOWS\system32\hhjdhhmy.exe
2007-06-20 20:05    122,900     --a------   C:\WINDOWS\system32\dmanlksh.exe
2007-06-20 17:05    122,900     --a------   C:\WINDOWS\system32\uhnlsbpu.exe
2007-06-20 10:52    122,900     --a------   C:\WINDOWS\system32\eyigmydy.exe
2007-06-19 12:22    49,152      --a------   C:\WINDOWS\win.exe
2007-06-15 21:36    98,304      --a------   C:\WINDOWS\system32\viscomtran.dll
2007-06-15 21:36    94,208      --a------   C:\WINDOWS\system32\viscomaudiodata.dll
2007-06-15 21:36    90,112      --a------   C:\WINDOWS\system32\viscomframe.dll
2007-06-15 21:36    81,920      --a------   C:\WINDOWS\system32\viscomwave.dll
2007-06-15 21:36    598,016     --a------   C:\WINDOWS\system32\viscomqtde.dll
2007-06-15 21:36    40,960      --a------   C:\WINDOWS\system32\SSubTmr6.dll
2007-06-15 21:36    147,456     --a------   C:\WINDOWS\system32\viscomqtenc.dll
2007-06-15 21:36    110,592     --a------   C:\WINDOWS\system32\viscomaudioencoder.dll
2007-06-15 21:35    <DIR>       d--------   C:\Programfiler\Kate's Video Toolkit
2007-06-15 21:23    1           --a------   C:\WINDOWS\pvc11.dll
2007-06-15 21:23    <DIR>       d--------   C:\Programfiler\AML Products
2007-06-15 21:11    5           --a------   C:\WINDOWS\system32\SySvideocutter.dat
2007-06-15 21:10    991,232     --a------   C:\WINDOWS\system32\NCTVideoCoreM.dll
2007-06-15 21:10    90,112      --a------   C:\WINDOWS\system32\NCTAudioFormatSettings3.dll
2007-06-15 21:10    793,536     --a------   C:\WINDOWS\system32\wmpcdcs8.exe
2007-06-15 21:10    626,688     --a------   C:\WINDOWS\system32\NCTImageFile.dll
2007-06-15 21:10    356,352     --a------   C:\WINDOWS\system32\NCTVideoDxPlayer.dll
2007-06-15 21:10    294,912     --a------   C:\WINDOWS\system32\NCTAVIFile.dll
2007-06-15 21:10    282,624     --a------   C:\WINDOWS\system32\NCTQuickTimeFile.dll
2007-06-15 21:10    262,144     --a------   C:\WINDOWS\system32\lame_enc.dll
2007-06-15 21:10    2,658,304   --a------   C:\WINDOWS\system32\NCTAudioCompress3.dll
2007-06-15 21:10    2,260,992   --a------   C:\WINDOWS\system32\NCTVideoCompress.dll
2007-06-15 21:10    196,608     --a------   C:\WINDOWS\system32\NCTWMVFile.dll
2007-06-15 21:10    139,264     --a------   C:\WINDOWS\system32\NCTVideoFile.dll
2007-06-15 21:10    1,810,432   --a------   C:\WINDOWS\system32\NCTAudioCompress2.dll
2007-06-15 21:10    1,245,184   --a------   C:\WINDOWS\system32\NCTRMFile.dll
2007-06-15 21:10    <DIR>       d--------   C:\WINDOWS\system32\RMBin
2007-06-15 21:10    <DIR>       d--------   C:\Programfiler\Crystalsoftware
2007-06-15 13:27    <DIR>       d--------   C:\Programfiler\Orb Networks
2007-06-15 13:27    <DIR>       d--------   C:\DOCUME~1\ALLUSE~1\PROGRA~1\OrbNetworks
2007-06-11 17:16    13,844      --a------   C:\WINDOWS\system32\ssltnrbn.exe
2007-06-08 18:03    0           -ra------   C:\logwmemory.bin
2007-06-08 17:35    <DIR>       d--------   C:\Programfiler\Teamspeak2_RC2
2007-06-06 21:38    55,316      --a------   C:\WINDOWS\system32\thychsuq.dll
2007-06-05 21:41    <DIR>       d--------   C:\DOCUME~1\LOCALS~1\PROGRA~1\CyberLink
2007-06-05 21:37    14,868      --a------   C:\WINDOWS\system32\jmuopglm.exe
2007-06-04 21:36    2,580       --a------   C:\WINDOWS\system32\yhptprwh.exe
2007-06-04 16:42    <DIR>       d--------   C:\DOCUME~1\PETERK~1\PROGRA~1\CyberLink
2007-06-04 15:04    <DIR>       d--------   C:\!KillBox
2007-06-03 21:41    2,580       --a------   C:\WINDOWS\system32\pkpedpeh.exe
2007-06-03 20:00    <DIR>       d--------   C:\Programfiler\SUPERAntiSpyware
2007-06-03 20:00    <DIR>       d--------   C:\DOCUME~1\PETERK~1\PROGRA~1\SUPERAntiSpyware.com
2007-06-03 20:00    <DIR>       d--------   C:\DOCUME~1\ALLUSE~1\PROGRA~1\SUPERAntiSpyware.com
2007-06-03 19:55    12,300,483  ---------   C:\AVG7QT.DAT
2007-06-03 18:58    2,580       --a------   C:\WINDOWS\system32\bjnurhxo.exe
2007-06-03 18:48    60,928      --a------   C:\WINDOWS\system32\cjp.dll
2007-06-03 18:37    <DIR>       d--------   C:\Programfiler\SmartSound Software
2007-06-03 18:37    <DIR>       d--------   C:\DOCUME~1\ALLUSE~1\PROGRA~1\SmartSound Software Inc
2007-06-03 18:35    <DIR>       d--------   C:\Programfiler\QuickTime
2007-06-02 23:16    14,604      --a------   C:\WINDOWS\system32\drivers\pfc.sys
2007-06-02 19:50    <DIR>       d--------   C:\Programfiler\MagicISO
2007-05-31 08:45    524,288     --a------   C:\WINDOWS\system32\DivXsm.exe
2007-05-31 08:44    823,296     --a------   C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 08:44    823,296     --a------   C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 08:44    802,816     --a------   C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 08:44    740,442     --a------   C:\WINDOWS\system32\DivX.dll
2007-05-28 14:37    <DIR>       d--------   C:\Programfiler\HyCam2

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-21 09:31:21   4,196       ----a-w   C:\WINDOWS\mozver.dat
2007-06-19 13:07:57   --------    d-----w   C:\DOCUME~1\PETERK~1\PROGRA~1\uTorrent
2007-06-08 15:35:51   --------    d-----w   C:\DOCUME~1\PETERK~1\PROGRA~1\teamspeak2
2007-06-04 15:24:11   --------    d-----w   C:\Programfiler\DivX
2007-06-03 17:59:27   --------    d-----w   C:\Programfiler\Fellesfiler\Wise Installation Wizard
2007-06-03 16:41:15   --------    d--h--w   C:\Programfiler\InstallShield Installation Information
2007-06-03 16:41:15   --------    d-----w   C:\Programfiler\CyberLink
2007-06-01 17:01:06   --------    d-----w   C:\Programfiler\World of Warcraft
2007-05-18 16:02:39   --------    d-----w   C:\Programfiler\LimeWire
2007-05-16 15:19:43   683,520     ----a-w   C:\WINDOWS\system32\inetcomm.dll
2007-05-13 17:19:38   --------    d-----w   C:\Programfiler\9Dragons
2007-05-13 10:24:29   --------    d-----w   C:\Programfiler\Folding@Home
2007-05-04 21:13:42   --------    d-----w   C:\Programfiler\FDRLab
2007-05-04 21:12:08   --------    d-----w   C:\Programfiler\FreeUndelete
2007-05-04 21:08:02   --------    d-----w   C:\Programfiler\SoftLogica
2007-05-04 21:02:30   --------    d-----w   C:\Programfiler\DiskInternals
2007-05-04 20:51:50   --------    d-----w   C:\Programfiler\WinUndelete
2007-05-02 13:00:38   --------    d-----w   C:\DOCUME~1\PETERK~1\PROGRA~1\Viewpoint
2007-04-25 14:23:31   144,896     ----a-w   C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:29   3,596,288   ----a-w   C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:25   36,624      ------w   C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-04-23 00:15:24   129,784     ------w   C:\WINDOWS\system32\pxafs.dll
2007-04-23 00:15:24   118,520     ------w   C:\WINDOWS\system32\pxinsi64.exe
2007-04-23 00:15:24   116,472     ------w   C:\WINDOWS\system32\pxcpyi64.exe
2007-04-23 00:15:18   200,704     ----a-w   C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18   1,044,480   ----a-w   C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34   73,728      ----a-w   C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34   196,608     ----a-w   C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33   53,248      ----a-w   C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31   593,920     ----a-w   C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31   57,344      ----a-w   C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31   344,064     ----a-w   C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31   294,912     ----a-w   C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31   294,912     ----a-w   C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47   12,288      ----a-w   C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46   124,472     ----a-w   C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:15:14   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
2007-04-16 20:47:36   33,624      ----a-w   C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54   1,710,936   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48   549,720     ----a-w   C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42   325,976     ----a-w   C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36   203,096     ----a-w   C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28   92,504      ----a-w   C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20   53,080      ----a-w   C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20   43,352      ----a-w   C:\WINDOWS\system32\wups2.dll
2007-03-25 12:48:14   60,326      ----a-w   C:\WINDOWS\system32\perfc014.dat
2007-03-25 12:48:14   384,784     ----a-w   C:\WINDOWS\system32\perfh014.dat
2005-05-13 15:12:00   217,073     --sha-r   C:\WINDOWS\meta4.exe
2005-10-24 09:13:58   66,560      --sha-r   C:\WINDOWS\MOTA113.exe
2005-10-13 19:27:00   422,400     --sha-r   C:\WINDOWS\x2.64.exe
2005-10-07 17:14:52   308,224     --sha-r   C:\WINDOWS\system32\avisynth.dll
2005-07-14 10:31:20   27,648      --sha-r   C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 13:32:28   616,448     --sha-r   C:\WINDOWS\system32\cygwin1.dll
2005-06-21 20:37:42   45,568      --sha-r   C:\WINDOWS\system32\cygz.dll
2004-01-24 22:00:00   70,656      --sha-r   C:\WINDOWS\system32\i420vfw.dll
2006-04-27 08:24:24   2,945,024   --sha-r   C:\WINDOWS\system32\Smab.dll
2005-02-28 11:16:22   240,128     --sha-r   C:\WINDOWS\system32\x.264.exe
2004-01-24 22:00:00   70,656      --sha-r   C:\WINDOWS\system32\yv12vfw.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll [2005-07-07 16:21]
{E57A1D42-81AA-DD2D-8A0B-88ADD2E624C7}=C:\WINDOWS\system32\cjp.dll [2007-05-21 15:59]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Steam"="c:\programfiler\steam\steam.exe" -silent
"Aim6"="C:\Programfiler\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"Orb"="C:\Programfiler\Orb Networks\Orb\bin\OrbTray.exe" /background
"SUPERAntiSpyware"=C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" -atboottime
"Sony Ericsson PC Suite"="C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe"
"Windows Defender"="C:\Programfiler\Windows Defender\MSASCui.exe" -hide
"WinampAgent"=C:\Programfiler\Winamp\winampa.exe
"hpfsched"=C:\WINDOWS\hpfsched.exe
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"SoundMan"=SOUNDMAN.EXE
"nwiz"=nwiz.exe /install
"GPLv3"=rundll32.exe "C:\WINDOWS\system32\bxtlqwjw.dll",realset

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\install.EXE id= ver=1.0.0.0

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\AutoRunMorrowind.exe
install\command- E:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\AutoRun\Demo.exe

Contents of the 'Scheduled Tasks' folder
2007-06-15 15:16:08 C:\WINDOWS\tasks\1-Click Maintenance.job
2007-05-26 23:32:00 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-21 12:33:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-21 12:34:50 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-21 12:34

--- E O F ---

2005-05-11 16:35  2333184  --a------  C:\Qoobox\Quarantine\C\WINDOWS\Installer\7d9e8.msi.vir
2006-04-29 20:53  49152    --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\win.exe.vir
2007-06-03 18:47  33302    --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkkige.dll.vir
2007-06-03 18:47  33302    --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnlmll.dll.vir
2007-06-03 18:52  688392   --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\hgjlm.bak1.vir
2007-06-03 21:25  706559   --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\hgjlm.ini.vir
2007-06-03 21:35  263220   --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\gebcd.dll.vir
2007-06-03 21:35  688392   --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\dcbeg.bak1.vir
2007-06-03 21:38  50740    --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\biuxslqu.dll.vir
2007-06-06 20:44  67860    --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\xpdx.sys.vir
2007-06-07 21:38  58420    --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\bqnhkaqn.dll.vir
2007-06-10 17:15  125460   --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\lmhoxtup.dll.vir
2007-06-11 17:46  919653   --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\dcbeg.tmp.vir
2007-06-11 20:16  939243   --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\dcbeg.ini.vir
2007-06-14 13:56  62516    --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\uvndekft.dll.vir
2007-06-17 18:17  58420    --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\hgdpuftr.dll.vir
2007-06-17 18:23  124436   --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\jjttyyps.dll.vir
2007-06-18 09:31  124436   --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\bxtlqwjw.dll.vir
2007-06-18 09:32  2119174  --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\spyyttjj.ini.vir
2007-06-18 09:39  355      --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\wjwqltxb.ini.vir
2007-06-20 11:01  125460   --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\haonvrgi.dll.vir
2007-06-21 12:06  124436   --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\fentvdyi.dll.vir
2007-06-21 12:20  907543   --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\iydvtnef.ini.vir
2007-06-21 12:20  925979   --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\dcbeg.bak2.vir
2007-06-21 12:23  124436   --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\kqnrjlrw.dll.vir
2007-06-21 12:25  890332   --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\wrljrnqk.ini.vir
2007-06-21 12:26  62516    --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\yoglobvr.dll.vir
2007-06-21 12:30  200      --a------  C:\Qoobox\Quarantine\Registry_backups\services_xpdx.reg.cf
2007-06-21 12:30  399      --a------  C:\Qoobox\Quarantine\catchme.log
2007-06-21 12:30  66310    --a------  C:\Qoobox\Quarantine\catchme2007-06-21_123327.20.zip
2007-06-21 12:30  920621   --a------  C:\Qoobox\Quarantine\C\WINDOWS\system32\dcbeg.ini2.vir

Søkebane
Volumserienummeret er 94FF-5604
C:\QOOBOX
\---Quarantine
    |   catchme.log
    |   catchme2007-06-21_123327.20.zip
    |
    +---C
    |   \---WINDOWS
    |       +---Installer
    |       |       7d9e8.msi.vir
    |       |
    |       \---system32
    |               biuxslqu.dll.vir
    |               bqnhkaqn.dll.vir
    |               bxtlqwjw.dll.vir
    |               dcbeg.bak1.vir
    |               dcbeg.bak2.vir
    |               dcbeg.ini.vir
    |               dcbeg.ini2.vir
    |               dcbeg.tmp.vir
    |               fentvdyi.dll.vir
    |               gebcd.dll.vir
    |               haonvrgi.dll.vir
    |               hgdpuftr.dll.vir
    |               hgjlm.bak1.vir
    |               hgjlm.ini.vir
    |               iydvtnef.ini.vir
    |               jjttyyps.dll.vir
    |               jkkkige.dll.vir
    |               kqnrjlrw.dll.vir
    |               lmhoxtup.dll.vir
    |               pmnlmll.dll.vir
    |               spyyttjj.ini.vir
    |               uvndekft.dll.vir
    |               win.exe.vir
    |               wjwqltxb.ini.vir
    |               wrljrnqk.ini.vir
    |               xpdx.sys.vir
    |               yoglobvr.dll.vir
    |
    \---Registry_backups
            services_xpdx.reg.cf

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lmpdaxtw

*******************

Script file located at: \??\C:\Documents and Settings\ilbdolwu.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\ufxvhudj.dll deleted successfully.
File C:\WINDOWS\system32\j6201834.exe deleted successfully.
File C:\WINDOWS\system32\skvxwvtf.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 12:39:42, on 21.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamereactor.no
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B1843C0D-7415-4DD4-A619-6A1EDB32B96A} - (no file)
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll
O2 - BHO: (no name) - {E57A1D42-81AA-DD2D-8A0B-88ADD2E624C7} - C:\WINDOWS\system32\cjp.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &MSN Search - res://C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll/search.htm
O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Programfiler\MSN Toolbar Suite\TAB\02.05.0000.1105\nb-no\msntabres.dll/229?4dde03ce85104e3bb83b32813cb83cb
O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Programfiler\MSN Toolbar Suite\TAB\02.05.0000.1105\nb-no\msntabres.dll/230?4dde03ce85104e3bb83b32813cb83cb
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DB8E775-305B-4402-BFB7-67090DB28F66}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mimer.no
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mimer.no
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o.
- C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
LuXe (thread author), posted 21 June 2007:

So, does anything more need to be done? Is everything OK?
norbat, posted 21 June 2007:

Run HJT, tick the following lines and click 'Fix checked':

O2 - BHO: (no name) - {B1843C0D-7415-4DD4-A619-6A1EDB32B96A} - (no file)
O2 - BHO: (no name) - {E57A1D42-81AA-DD2D-8A0B-88ADD2E624C7} - C:\WINDOWS\system32\cjp.dll

Then download DrWeb.
Restart in Safe Mode (tap F8 during startup).
Run drweb-cureit.exe (say yes to running an express scan).
When it finishes, click Option -> Change settings. Under the Scan tab, untick Heuristic analysis. Under the Actions tab, set every item under Malware to Rename.
Select the partition you want to scan and click the green arrow to start the scan. Choose "yes to all" the first time it finds something.
When the scan is done, go to "file" and click "Save Report list". A file named "drweb.csv" will then be on the desktop.

Then run ComboFix again and post the log together with a new HJT log.
LuXe (thread author), posted 21 June 2007:

OK, sorry this took a while, but DrWeb spent almost 3 hours scanning the whole PC. Anyway, here are the logs:

ComboFix 07-06-21.3 - C:\Documents and Settings\Peter Kongsvik\Skrivebord\ComboFix.exe
"Peter Kongsvik" - 2007-06-21 20:01:12 - Service Pack 2 NTFS [SAFE MODE]

((((((((((((((((((((((((( Files Created from 2007-05-21 to 2007-06-21 )))))))))))))))))))))))))))))))

2007-06-21 16:52 <DIR> d-------- C:\DOCUME~1\PETERK~1\DoctorWeb
2007-06-21 13:22 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-21 13:20 <DIR> d-------- C:\DOCUME~1\PETERK~1\.housecall6.6
2007-06-21 12:25 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-21 11:31 <DIR> d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2007-06-19 12:22 49,152 --a------ C:\WINDOWS\win.exe
2007-06-15 21:36 98,304 --a------ C:\WINDOWS\system32\viscomtran.dll
2007-06-15 21:36 94,208 --a------ C:\WINDOWS\system32\viscomaudiodata.dll
2007-06-15 21:36 90,112 --a------ C:\WINDOWS\system32\viscomframe.dll
2007-06-15 21:36 81,920 --a------ C:\WINDOWS\system32\viscomwave.dll
2007-06-15 21:36 598,016 --a------ C:\WINDOWS\system32\viscomqtde.dll
2007-06-15 21:36 40,960 --a------ C:\WINDOWS\system32\SSubTmr6.dll
2007-06-15 21:36 147,456 --a------ C:\WINDOWS\system32\viscomqtenc.dll
2007-06-15 21:36 110,592 --a------ C:\WINDOWS\system32\viscomaudioencoder.dll
2007-06-15 21:35 <DIR> d-------- C:\Programfiler\Kate's Video Toolkit
2007-06-15 21:23 1 --a------ C:\WINDOWS\pvc11.dll
2007-06-15 21:23 <DIR> d-------- C:\Programfiler\AML Products
2007-06-15 21:11 5 --a------ C:\WINDOWS\system32\SySvideocutter.dat
2007-06-15 21:10 991,232 --a------ C:\WINDOWS\system32\NCTVideoCoreM.dll
2007-06-15 21:10 90,112 --a------ C:\WINDOWS\system32\NCTAudioFormatSettings3.dll
2007-06-15 21:10 793,536 --a------ C:\WINDOWS\system32\wmpcdcs8.exe
2007-06-15 21:10 626,688 --a------ C:\WINDOWS\system32\NCTImageFile.dll
2007-06-15 21:10 356,352 --a------
C:\WINDOWS\system32\NCTVideoDxPlayer.dll 2007-06-15 21:10 294,912 --a------ C:\WINDOWS\system32\NCTAVIFile.dll 2007-06-15 21:10 282,624 --a------ C:\WINDOWS\system32\NCTQuickTimeFile.dll 2007-06-15 21:10 262,144 --a------ C:\WINDOWS\system32\lame_enc.dll 2007-06-15 21:10 2,658,304 --a------ C:\WINDOWS\system32\NCTAudioCompress3.dll 2007-06-15 21:10 2,260,992 --a------ C:\WINDOWS\system32\NCTVideoCompress.dll 2007-06-15 21:10 196,608 --a------ C:\WINDOWS\system32\NCTWMVFile.dll 2007-06-15 21:10 139,264 --a------ C:\WINDOWS\system32\NCTVideoFile.dll 2007-06-15 21:10 1,810,432 --a------ C:\WINDOWS\system32\NCTAudioCompress2.dll 2007-06-15 21:10 1,245,184 --a------ C:\WINDOWS\system32\NCTRMFile.dll 2007-06-15 21:10 <DIR> d-------- C:\WINDOWS\system32\RMBin 2007-06-15 21:10 <DIR> d-------- C:\Programfiler\Crystalsoftware 2007-06-15 13:27 <DIR> d-------- C:\Programfiler\Orb Networks 2007-06-15 13:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\OrbNetworks 2007-06-11 17:16 13,844 --a------ C:\WINDOWS\system32\ssltnrbn.exe 2007-06-08 18:03 0 -ra------ C:\logwmemory.bin 2007-06-08 17:35 <DIR> d-------- C:\Programfiler\Teamspeak2_RC2 2007-06-05 21:41 <DIR> d-------- C:\DOCUME~1\LOCALS~1\PROGRA~1\CyberLink 2007-06-04 21:36 2,580 --a------ C:\WINDOWS\system32\yhptprwh.exe 2007-06-04 16:42 <DIR> d-------- C:\DOCUME~1\PETERK~1\PROGRA~1\CyberLink 2007-06-04 15:04 <DIR> d-------- C:\!KillBox 2007-06-03 21:41 2,580 --a------ C:\WINDOWS\system32\pkpedpeh.exe 2007-06-03 20:00 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware 2007-06-03 20:00 <DIR> d-------- C:\DOCUME~1\PETERK~1\PROGRA~1\SUPERAntiSpyware.com 2007-06-03 20:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\SUPERAntiSpyware.com 2007-06-03 19:55 12,300,483 --------- C:\AVG7QT.DAT 2007-06-03 18:58 2,580 --a------ C:\WINDOWS\system32\bjnurhxo.exe 2007-06-03 18:37 <DIR> d-------- C:\Programfiler\SmartSound Software 2007-06-03 18:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\PROGRA~1\SmartSound Software Inc 2007-06-03 18:35 <DIR> 
d-------- C:\Programfiler\QuickTime 2007-06-02 23:16 14,604 --a------ C:\WINDOWS\system32\drivers\pfc.sys 2007-06-02 19:50 <DIR> d-------- C:\Programfiler\MagicISO 2007-05-31 08:45 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe 2007-05-31 08:44 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll 2007-05-31 08:44 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll 2007-05-31 08:44 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll 2007-05-31 08:44 740,442 --a------ C:\WINDOWS\system32\DivX.dll 2007-05-28 14:37 <DIR> d-------- C:\Programfiler\HyCam2 (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-21 09:31:21 4,196 ----a-w C:\WINDOWS\mozver.dat 2007-06-19 13:07:57 -------- d-----w C:\DOCUME~1\PETERK~1\PROGRA~1\uTorrent 2007-06-08 15:35:51 -------- d-----w C:\DOCUME~1\PETERK~1\PROGRA~1\teamspeak2 2007-06-04 15:24:11 -------- d-----w C:\Programfiler\DivX 2007-06-03 17:59:27 -------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard 2007-06-03 16:41:15 -------- d--h--w C:\Programfiler\InstallShield Installation Information 2007-06-03 16:41:15 -------- d-----w C:\Programfiler\CyberLink 2007-06-01 17:01:06 -------- d-----w C:\Programfiler\World of Warcraft 2007-05-18 16:02:39 -------- d-----w C:\Programfiler\LimeWire 2007-05-16 15:19:43 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2007-05-13 17:19:38 -------- d-----w C:\Programfiler\9Dragons 2007-05-13 10:24:29 -------- d-----w C:\Programfiler\Folding@Home 2007-05-04 21:13:42 -------- d-----w C:\Programfiler\FDRLab 2007-05-04 21:12:08 -------- d-----w C:\Programfiler\FreeUndelete 2007-05-04 21:08:02 -------- d-----w C:\Programfiler\SoftLogica 2007-05-04 21:02:30 -------- d-----w C:\Programfiler\DiskInternals 2007-05-04 20:51:50 -------- d-----w C:\Programfiler\WinUndelete 2007-05-02 13:00:38 -------- d-----w C:\DOCUME~1\PETERK~1\PROGRA~1\Viewpoint 2007-04-25 14:23:31 144,896 ----a-w C:\WINDOWS\system32\schannel.dll 2007-04-23 00:15:29 
3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll 2007-04-23 00:15:25 36,624 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys 2007-04-23 00:15:24 129,784 ------w C:\WINDOWS\system32\pxafs.dll 2007-04-23 00:15:24 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe 2007-04-23 00:15:24 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe 2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll 2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll 2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll 2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll 2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll 2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll 2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll 2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll 2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll 2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll 2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll 2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe 2007-04-18 16:15:14 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll 2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll 2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll 2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll 2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll 2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll 2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe 2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll 2007-03-25 12:48:14 60,326 ----a-w C:\WINDOWS\system32\perfc014.dat 2007-03-25 12:48:14 384,784 ----a-w C:\WINDOWS\system32\perfh014.dat 2005-05-13 15:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe 2005-10-24 09:13:58 66,560 --sha-r 
C:\WINDOWS\MOTA113.exe 2005-10-13 19:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe 2005-10-07 17:14:52 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll 2005-07-14 10:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll 2005-06-26 13:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll 2005-06-21 20:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll 2004-01-24 22:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll 2006-04-27 08:24:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll 2005-02-28 11:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe 2004-01-24 22:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] {9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29] {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll [2005-07-07 16:21] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "Steam"="c:\programfiler\steam\steam.exe" -silent "Aim6"="C:\Programfiler\AIM6\aim6.exe" /d locale=en-US 
ee://aol/imApp "Orb"="C:\Programfiler\Orb Networks\Orb\bin\OrbTray.exe" /background "SUPERAntiSpyware"=C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe "QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" -atboottime "Sony Ericsson PC Suite"="C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions "AVG7_CC"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe" "Windows Defender"="C:\Programfiler\Windows Defender\MSASCui.exe" -hide "WinampAgent"=C:\Programfiler\Winamp\winampa.exe "hpfsched"=C:\WINDOWS\hpfsched.exe "NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit "SoundMan"=SOUNDMAN.EXE "nwiz"=nwiz.exe /install "GPLv3"=rundll32.exe "C:\WINDOWS\system32\bxtlqwjw.dll",realset HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs UxTuneUp [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] AutoRun\command- D:\install.EXE id= ver=1.0.0.0 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E] AutoRun\command- E:\AutoRunMorrowind.exe install\command- E:\Setup.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F] AutoRun\command- F:\AutoRun\Demo.exe Contents of the 'Scheduled Tasks' folder 2007-06-15 15:16:08 C:\WINDOWS\tasks\1-Click Maintenance.job 2007-05-26 23:32:00 C:\WINDOWS\tasks\MP Scheduled Scan.job ************************************************************************** catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-21 20:05:23 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-06-21 20:06:09 C:\ComboFix-quarantined-files.txt ... 2007-06-21 20:05 C:\ComboFix2.txt ... 2007-06-21 12:34 --- E O F --- Logfile of HijackThis v1.99.1 Scan saved at 20:11:39, on 21.06.2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\system32\nvsvc32.exe C:\Programfiler\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\Programfiler\MSN Messenger\MsnMsgr.Exe C:\Programfiler\MSN Messenger\usnsvc.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamereactor.no R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll 
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background O8 - Extra context menu item: &MSN Search - res://C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll/search.htm O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Programfiler\MSN Toolbar Suite\TAB\02.05.0000.1105\nb-no\msntabres.dll/229?4dde03ce85104e3bb83b32813cb83cb O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Programfiler\MSN Toolbar Suite\TAB\02.05.0000.1105\nb-no\msntabres.dll/230?4dde03ce85104e3bb83b32813cb83cb O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} 
(MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DB8E775-305B-4402-BFB7-67090DB28F66}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mimer.no
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mimer.no
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
norbat, posted 21 June 2007 (edited):

Do the following to make sure the file mentioned is gone:

Download Killbox.
Start Killbox.
Select 'Delete on reboot'.
Enter the following:
C:\WINDOWS\win.exe
Restart.

How is the PC running?

Edit: Killbox link updated.

Edited 21 June 2007 by norbat
LuXe (thread author), posted 21 June 2007:

The PC runs perfectly now. No problems. No popups or FF slowdowns. Posting one more HijackThis log file to be completely sure I did everything right.

Logfile of HijackThis v1.99.1
Scan saved at 21:13:14, on 21.06.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\Programfiler\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamereactor.no
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Search Toolbar
Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background O8 - Extra context menu item: &MSN Search - res://C:\Programfiler\MSN Toolbar Suite\TB\02.05.0000.1105\nb-no\msntb.dll/search.htm O8 - Extra context menu item: Åpne i ny bakgrunnsflik - res://C:\Programfiler\MSN Toolbar Suite\TAB\02.05.0000.1105\nb-no\msntabres.dll/229?4dde03ce85104e3bb83b32813cb83cb O8 - Extra context menu item: Åpne i ny forgrunnsflik - res://C:\Programfiler\MSN Toolbar Suite\TAB\02.05.0000.1105\nb-no\msntabres.dll/230?4dde03ce85104e3bb83b32813cb83cb O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - 
http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DB8E775-305B-4402-BFB7-67090DB28F66}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mimer.no
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mimer.no
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
norbat, posted 21 June 2007 (edited):

This one you can fix with HJT:

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

You should also reset the System Restore folder so you don't get re-infected by a later system restore: Control Panel -> System -> System Restore. Tick "Turn off System Restore .....", restart the PC, then untick it again to re-enable the feature.

Had you done anything in the meantime that could explain why you got infected again? I can't quite trace these infections back to the previous round, so something must have been downloaded one way or another.

Edited 21 June 2007 by norbat
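The two HJT recommendations in this thread (tick the orphaned O2 entry and the unnamed BHO loading from system32, then fix the WRNotifier entry whose DLL is missing) follow a pattern that can be checked mechanically. The script below is an added example, not code from the thread or from HijackThis; the verdict heuristics are my own, and the sample entries are copied from the logs posted above.

```python
"""Triage helper for HijackThis (HJT) log entries.

Added example, not code from the thread or from HijackThis. The verdicts
mirror the helper's advice in the thread: entries whose file no longer
exists ("(no file)", "(file missing)") are safe to tick and fix, while an
unnamed BHO loading from system32 should be looked at before removal.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Every HJT finding starts with a section tag such as "O2 - " or "R1 - ".
HJT_ENTRY = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
# HJT prints these when the registry still references a file that is gone.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    raw: str             # the original log line
    kind: str            # section tag, e.g. "O2"
    label: str           # "BHO", "Winlogon Notify", "Service", ...
    name: str            # display name; HJT prints "(no name)" when absent
    clsid: Optional[str]
    path: Optional[str]  # file or URL the entry loads, if any
    orphan: bool         # True when the referenced file does not exist
    verdict: str = ""    # "FIX", "REVIEW" or "OK", set by triage()
    reason: str = ""


def parse_entry(line: str) -> Optional[Entry]:
    """Split one HJT line into fields; returns None for header/process lines."""
    line = line.strip()
    m = HJT_ENTRY.match(line)
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    # Fields are joined with " - ": "<label>: <name> - {CLSID} - <path>".
    parts = [p.strip() for p in body.split(" - ")]
    label, _, name = parts[0].partition(": ")
    clsid_m = CLSID_RE.search(body)
    tail = parts[-1] if len(parts) > 1 else ""
    orphan = any(marker in tail for marker in ORPHAN_MARKERS)
    for marker in ORPHAN_MARKERS:
        tail = tail.replace(marker, "").strip()
    return Entry(raw=line, kind=kind, label=label.strip(),
                 name=name.strip() or label.strip(),
                 clsid=clsid_m.group(0).upper() if clsid_m else None,
                 path=tail or None, orphan=orphan)


def triage(entry: Entry) -> Entry:
    """Attach a verdict. Deliberately conservative: only entries that point
    at nothing are marked FIX; anything merely suspicious is REVIEW."""
    if entry.orphan:
        entry.verdict = "FIX"
        entry.reason = "registry entry references a file that no longer exists"
    elif (entry.kind == "O2" and entry.name == "(no name)"
          and entry.path and "\\system32\\" in entry.path.lower()):
        entry.verdict = "REVIEW"
        entry.reason = "unnamed BHO loading from system32"
    elif entry.kind == "O20" and entry.path and not re.match(r"[a-z]:\\", entry.path, re.I):
        entry.verdict = "REVIEW"
        entry.reason = "Winlogon Notify DLL listed without a full path"
    else:
        entry.verdict = "OK"
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse and triage every entry in an HJT log."""
    entries = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            entries.append(triage(entry))
    return entries


def fix_candidates(text: str) -> List[str]:
    """The lines a helper would tell the user to tick before 'Fix checked'."""
    return [e.raw for e in triage_log(text) if e.verdict == "FIX"]


# Constructed sample: entries copied from the HJT logs posted in this thread.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: (no name) - {B1843C0D-7415-4DD4-A619-6A1EDB32B96A} - (no file)",
    r"O2 - BHO: (no name) - {E57A1D42-81AA-DD2D-8A0B-88ADD2E624C7} - C:\WINDOWS\system32\cjp.dll",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
])

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.verdict:6} {e.kind:3} {e.name}  {e.reason}")
```

Note that the Spybot SDHelper.dll entry is also "(no name)" but lives under Program Files, which is why the system32 check matters: a missing display name alone is not evidence of anything.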