chase (author) Posted 14 August 2007 (edited)

Hi

I have a problem with PC-cillin. At the start you have to approve the connections for various programs. That is fine, but there is one that keeps coming up all the time. It comes 20 at a time, then I have to click it away, and then more tend to come. The connection I have to approve is for WINLOGON.EXE. Can someone tell me what I should do about this? Otherwise PC-cillin works very well, so it is a bit annoying.

Petter

Edited 14 August 2007 by chase
norbat Posted 14 August 2007

You can post an HJT log, which may tell a bit more about what this might be. Download HijackThis. Put it in its own folder on the desktop. Start the program and choose "Do a system scan and save a logfile". Copy the log file and post it.
chase (author) Posted 14 August 2007

Logfile of HijackThis v1.99.1
Scan saved at 21:46:49, on 14.08.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\WINLOGON.EXE
C:\WINDOWS\SYSTEM32\SERVICES.EXE
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\PROGRAM FILES\STEAM\STEAM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRAM FILES\ORB NETWORKS\ORB\BIN\ORBTRAY.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Remotec\Multimedia Master 100\MultiMedia Master 100.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\PROGRAM FILES\ORB NETWORKS\ORB\BIN\ORB.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRAM FILES\MESSENGERDISCOVERY\MESSENGERDISCOVERY LIVE.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\Documents and Settings\Petter\Desktop\Snarveier\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {371EE1EF-F177-1390-7807-08525DC0E55C} - C:\WINDOWS\system32\nweipeg.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {F338A662-26A3-4210-91AA-C6E002F60D01} - C:\WINDOWS\system32\DirectX\arsrdv.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\RunServices: [systemTools] C:\WINDOWS\system32\kernels1118.exe
O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aepb] "C:\PROGRA~1\COMMON~1\SEMBLY~1\javaw.exe" -vt yazr
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: MultiMedia Master 100.lnk = C:\Program Files\Remotec\Multimedia Master 100\MultiMedia Master 100.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.com/resources/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A74FDA9F-C0A1-42E5-BA06-9A2A4438DBCD}: NameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6813CC7-D057-4795-BFB4-2E9FF6A936AB}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: arsrdv - C:\WINDOWS\system32\DirectX\arsrdv.dll (file missing)
O20 - Winlogon Notify: uuvarpdu - C:\WINDOWS\SYSTEM32\uuvarpdu.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - c:\windows\svchost.exe" /service (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Removed some, but I can't remove this one:
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

Petter
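Reading a log like the one above by hand comes down to a handful of tells: entries whose file is missing, Winlogon Notify packages you cannot account for (a Notify DLL is loaded into winlogon.exe itself, which is why a personal firewall then attributes the DLL's traffic to WINLOGON.EXE), services with no vendor string, and autostarts that hide behind 8.3 short names or put a well-known filename in the wrong folder. The script below is an added example from the editor, not part of the thread and not a HijackThis feature; it applies those checks to a few lines copied from the log above. The allowlist of accepted Notify packages and the table of where well-known binaries belong are this example's own assumptions.

```python
"""Flag the tell-tale entries in a HijackThis v1.99 log.

Added example; not part of the forum thread and not a HijackThis feature.
The sample below is a handful of lines copied from the log posted above.
The allowlist of accepted Winlogon Notify packages and the table of where
well-known binaries belong are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ENTRY = re.compile(r"^(O\d+) - (.*)$")
ORPHAN = re.compile(r"\((?:file missing|no file)\)\s*$", re.I)
SHORT_NAME = re.compile(r"~\d")  # 8.3 component such as PROGRA~1
WIN_PATH = re.compile(r'([a-z]:\\[^"]*?\.(?:exe|dll|sys))', re.I)

# Assumption: Notify packages accepted without comment (HJT already hides
# the Microsoft defaults). Anything else runs inside winlogon.exe and
# deserves a look.
KNOWN_NOTIFY = {"!saswinlogon"}
# Assumption: lower-case substring of the directory a binary of this name
# normally lives in.
EXPECTED_DIR = {"svchost.exe": "\\system32\\", "javaw.exe": "\\java\\"}

# Sample input: lines copied from the HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {371EE1EF-F177-1390-7807-08525DC0E55C} - C:\WINDOWS\system32\nweipeg.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [systemTools] C:\WINDOWS\system32\kernels1118.exe
O4 - HKCU\..\Run: [Aepb] "C:\PROGRA~1\COMMON~1\SEMBLY~1\javaw.exe" -vt yazr
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: uuvarpdu - C:\WINDOWS\SYSTEM32\uuvarpdu.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - c:\windows\svchost.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


def first_path(entry: str) -> str:
    """First drive-letter path ending in .exe/.dll/.sys, or '' if none."""
    m = WIN_PATH.search(entry)
    return m.group(1) if m else ""


def triage(log: str) -> list[Finding]:
    """Apply the heuristics to every O-line; one Finding per hit."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        kind, body = m.groups()
        path = first_path(body)
        base = path.rsplit("\\", 1)[-1].lower()
        if ORPHAN.search(body):
            findings.append(Finding(line, "registry points at a file that no longer exists"))
        if kind == "O20":
            name = body.split(":", 1)[1].split(" - ", 1)[0].strip()
            if name.lower() not in KNOWN_NOTIFY:
                findings.append(Finding(line, f"Winlogon Notify package {name!r} not on allowlist; it runs inside winlogon.exe"))
        if kind == "O23" and "Unknown owner" in body:
            findings.append(Finding(line, "service binary carries no vendor string"))
        if kind == "O4" and "RunServices" in body:
            findings.append(Finding(line, "RunServices is a Win9x-era autostart key, unusual on XP"))
        if kind == "O4" and SHORT_NAME.search(path):
            findings.append(Finding(line, "autostart target written as an 8.3 short path"))
        expected = EXPECTED_DIR.get(base)
        if expected and expected not in path.lower():
            findings.append(Finding(line, f"{base} outside its usual directory"))
    return findings


def suspicious_lines(log: str) -> list[str]:
    """Distinct flagged lines, in log order."""
    seen: list[str] = []
    for f in triage(log):
        if f.line not in seen:
            seen.append(f.line)
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On the sample, the QuickTime, Windows Live, SUPERAntiSpyware and NVIDIA lines pass clean; the six entries the thread ends up removing or deleting (the orphaned BHO, the RunServices autostart, the Aepb entry, the uuvarpdu Notify DLL, and the MsaSvc and r_server services) are the ones flagged. The `r_server` line collects three reasons at once: missing file, no vendor, and an `svchost.exe` that is not in `system32`.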
norbat Posted 14 August 2007 (edited)

Click Start -> Run
Type: cmd
Type: sc stop MsaSvc [press Enter]
Type: sc delete MsaSvc [press Enter]
Type: sc stop r_server [press Enter]
Type: sc delete r_server [press Enter]
Type: Exit

Download Combofix and put it on the desktop:
Click Start -> Run
Copy the line below and paste it into the Run window:
"%userprofile%\Skrivebord\ComboFix.exe" /v uuvarpdu
Click OK and follow the instructions. Do not click in the window while the program is running. When the program finishes, a log file opens: combofix.txt. Post it later.

Download SAS, install it, update it and run a full (Complete) scan.

Post the combofix log, the SAS log (preferences->statistics/logs) and a new HJT log.

Edited 14 August 2007 by norbat
chase (author) Posted 15 August 2007

Ok, here are the three logs.

SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/15/2007 at 02:21 PM

Application Version : 3.9.1008

Core Rules Database Version : 3165
Trace Rules Database Version: 1176

Scan type : Complete Scan
Total Scan Time : 00:28:31

Memory items scanned : 521
Memory threats detected : 0
Registry items scanned : 5381
Registry threats detected : 0
File items scanned : 31402
File threats detected : 7

Adware.Tracking Cookie
C:\DOCUME~1\Petter\LOCALS~1\Temp\Cookies\petter@tradedoubler[1].txt
C:\DOCUME~1\Petter\LOCALS~1\Temp\Cookies\petter@atdmt[1].txt
C:\DOCUME~1\Petter\LOCALS~1\Temp\Cookies\petter@cgi-bin[1].txt
C:\DOCUME~1\Petter\LOCALS~1\Temp\Cookies\petter@advertising[2].txt
C:\DOCUME~1\Petter\LOCALS~1\Temp\Cookies\petter@doubleclick[1].txt
C:\DOCUME~1\Petter\LOCALS~1\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\Petter\Local Settings\Temp\Cookies\petter@advertising[2].txt

Combofix:

ComboFix 07-08-14.4 - "Petter" 2007-08-15 3:59:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.358 [GMT 2:00]
Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Petter\APPLIC~1.\macromedia\Flash Player\#SharedObjects\L5RLPSW6\www.broadcaster.com
C:\DOCUME~1\Petter\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Petter\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\Petter\MYDOCU~1.\ystem3~1
C:\Program Files\Common Files\{C8F4D~1
C:\Program Files\Common Files\sembly~1
C:\Program Files\Common Files\sembly~1\SEMBLY~1\ctxad-461.0000
C:\WINDOWS\system32\components

((((((((((((((((((((((((( Files Created from 2007-07-15 to 2007-08-15 )))))))))))))))))))))))))))))))

2007-08-15 03:54 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 16:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-07 13:03 <DIR> d-------- C:\DOCUME~1\Petter\APPLIC~1\InterVideo
2007-08-07 12:59 <DIR> d-------- C:\Program Files\Google
2007-08-07 12:58 <DIR> d-------- C:\Program Files\InterVideo Information Service
2007-08-07 12:58 <DIR> d-------- C:\Program Files\Common Files\Ulead
2007-08-07 12:58 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2007-08-07 12:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-08-07 12:57 <DIR> d-------- C:\Program Files\InterVideo
2007-07-22 01:08 <DIR> d-------- C:\Program Files\Orb Networks
2007-07-22 01:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\OrbNetworks
2007-07-21 23:56 <DIR> d-------- C:\WINDOWS\system32\Release Unicode
2007-07-21 23:53 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2007-07-21 23:50 <DIR> d-------- C:\WINDOWS\system32\Release
2007-07-21 23:49 3,764,557 --a------ C:\WINDOWS\system32\ffdshow-rev1357-20070717_xxl.exe
2007-07-21 23:07 <DIR> d-------- C:\Program Files\TVersity

((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-15 03:58 --------- d-------- C:\Program Files\Steam
2007-08-13 23:27 --------- d-------- C:\DOCUME~1\Petter\APPLIC~1\uTorrent
2007-08-12 19:41 --------- d-------- C:\DOCUME~1\Petter\APPLIC~1\dvdcss
2007-08-11 16:22 --------- d-------- C:\DOCUME~1\Petter\APPLIC~1\LimeWire
2007-08-11 13:06 --------- d-------- C:\Program Files\iolo
2007-08-11 13:06 --------- d-------- C:\Program Files\fulDC
2007-08-11 13:04 --------- d-------- C:\DOCUME~1\Petter\APPLIC~1\Lavasoft
2007-08-07 13:00 --------- d-------- C:\Program Files\QuickTime
2007-08-07 12:58 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-07 12:57 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-08-04 22:31 --------- d-------- C:\Program Files\MessengerDiscovery
2007-07-27 17:17 --------- d-------- C:\Program Files\SUPERAntiSpyware
2007-07-21 22:45 --------- d-------- C:\Program Files\Messenger
2007-07-21 22:45 --------- d-------- C:\Program Files\LimeWire
2007-07-21 22:45 --------- d-------- C:\Program Files\DivX
2007-07-21 22:45 --------- d-------- C:\Program Files\Combined Community Codec Pack
2007-07-10 20:24 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-06-16 15:27 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-06-16 15:25 1187 --a------ C:\WINDOWS\wmplayer.reg
2006-09-25 17:56 263310830 --a--c--- C:\Program Files\Adobe.rar

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F338A662-26A3-4210-91AA-C6E002F60D01}]
C:\WINDOWS\system32\DirectX\arsrdv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-12-15 06:01]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 17:34]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe" [2005-11-16 23:23]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2007-06-28 08:51]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"Aepb"="C:\PROGRA~1\COMMON~1\SEMBLY~1\javaw.exe" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-27 13:41]
"Orb"="C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" [2007-06-09 03:28]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]

C:\Documents and Settings\Petter\Start Menu\Programs\Startup\
MultiMedia Master 100.lnk - C:\Program Files\Remotec\Multimedia Master 100\MultiMedia Master 100.exe [2006-10-20 18:32:03]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-04-30 10:51 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\arsrdv]
C:\WINDOWS\system32\DirectX\arsrdv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uuvarpdu]
uuvarpdu.dll 2006-12-22 19:40 183316 C:\WINDOWS\system32\uuvarpdu.dll

S3 agony;agony;\??\C:\WINDOWS\system32\agony.sys
S3 SE27bus;Sony Ericsson Device 039 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE27bus.sys
S3 SE27mdfl;Sony Ericsson Device 039 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE27mdfl.sys
S3 SE27mdm;Sony Ericsson Device 039 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE27mdm.sys

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{256dc5e0e-7c46-11d3-b5bf-0000f8695621}]
C:\WINDOWS\system32\winsecurityxp\rk.exe -r -p mswinup.exe -p rk.exe -f winsecurityxp -v MSWindowsUpdate -tcp 22277 -udp 22277 -v %SystemDir%winsecurityxpmswinup.exe

Contents of the 'Scheduled Tasks' folder
2007-08-15 02:00:00 C:\WINDOWS\Tasks\B1446F4B9477E6CB.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-15 04:01:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pe386]
"ImagePath"=""

Completion time: 2007-08-15 4:01:52
C:\ComboFix-quarantined-files.txt ... 2007-08-15 04:01
--- E O F ---

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 14:29:42, on 15.08.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\WINLOGON.EXE
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\PROGRAM FILES\STEAM\STEAM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRAM FILES\ORB NETWORKS\ORB\BIN\ORBTRAY.EXE
C:\Program Files\Remotec\Multimedia Master 100\MultiMedia Master 100.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\PROGRAM FILES\ORB NETWORKS\ORB\BIN\ORB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Petter\Desktop\Snarveier\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {F338A662-26A3-4210-91AA-C6E002F60D01} - C:\WINDOWS\system32\DirectX\arsrdv.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aepb] "C:\PROGRA~1\COMMON~1\SEMBLY~1\javaw.exe" -vt yazr
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - Startup: MultiMedia Master 100.lnk = C:\Program Files\Remotec\Multimedia Master 100\MultiMedia Master 100.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.com/resources/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A74FDA9F-C0A1-42E5-BA06-9A2A4438DBCD}: NameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6813CC7-D057-4795-BFB4-2E9FF6A936AB}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: arsrdv - C:\WINDOWS\system32\DirectX\arsrdv.dll (file missing)
O20 - Winlogon Notify: uuvarpdu - C:\WINDOWS\SYSTEM32\uuvarpdu.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

There, see if you spot anything I don't.

Petter
norbat Posted 15 August 2007

Run HJT, choose "Do a system scan only", tick the following lines and click 'Fix checked':

O2 - BHO: (no name) - {F338A662-26A3-4210-91AA-C6E002F60D01} - C:\WINDOWS\system32\DirectX\arsrdv.dll (file missing)
O4 - HKCU\..\Run: [Aepb] "C:\PROGRA~1\COMMON~1\SEMBLY~1\javaw.exe" -vt yazr
O20 - Winlogon Notify: arsrdv - C:\WINDOWS\system32\DirectX\arsrdv.dll (file missing)
O20 - Winlogon Notify: uuvarpdu - C:\WINDOWS\SYSTEM32\uuvarpdu.dll

Download Avenger and unpack it. Start the program, select "Input Script Manually" and click the magnifying glass. In the window that opens, copy and paste the script below:

Files to delete:
C:\WINDOWS\SYSTEM32\uuvarpdu.dll
C:\PROGRA~1\COMMON~1\SEMBLY~1\javaw.exe

Registry values to delete:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|"Aepb"

Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uuvarpdu

Click the traffic light. Restart the PC. After the restart a log file will appear that tells what happened. Post it together with a new HJT log.

MultiMedia Master 100.exe, is that a program you know?
chase (author) Posted 15 August 2007

Multimedia Master is safe. It belongs to a remote control.

I can't unpack Avenger; I get a message that it is damaged. So I can't extract it.

Petter
chase (author) Posted 16 August 2007

Still getting the popup about WINLOGON.EXE. Can't use Avenger, the file is apparently damaged. Can't download it anywhere else either..

I'm very grateful for all the help

Petter
norbat Posted 16 August 2007 (edited)

See if you can delete the files manually.

C:\WINDOWS\SYSTEM32\uuvarpdu.dll
C:\PROGRA~1\COMMON~1\SEMBLY~1\javaw.exe

You may have to make sure you can see hidden files and folders (Control Panel -> Folder Options -> View -> "Show hidden files and folders") to find the files.

Then download Vundofix, start the program and click the "Scan for Vundo" button. When the program has finished, click the "Remove vundo" button. The log from Vundofix is usually at C:\vundofix.txt. Post it if it finds anything.

Post a new HJT log

Edited 16 August 2007 by norbat
chase (author) Posted 16 August 2007 (edited)

Here. Found no Vundo:

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 21:00:58 16.08.2007

Listing files found while scanning....

No infected files were found.

Beginning removal...

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 21:04:33, on 16.08.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\SPOOLSV.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\PROGRAM FILES\STEAM\STEAM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRAM FILES\ORB NETWORKS\ORB\BIN\ORBTRAY.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Remotec\Multimedia Master 100\MultiMedia Master 100.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPROXY.EXE
C:\PROGRAM FILES\ORB NETWORKS\ORB\BIN\ORB.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TMPFW.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRAM FILES\MESSENGERDISCOVERY\MESSENGERDISCOVERY LIVE.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\Documents and Settings\Petter\Desktop\New Folder (5)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - Startup: MultiMedia Master 100.lnk = C:\Program Files\Remotec\Multimedia Master 100\MultiMedia Master 100.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by118fd.bay118.hotmail.msn.com/resources/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A74FDA9F-C0A1-42E5-BA06-9A2A4438DBCD}: NameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6813CC7-D057-4795-BFB4-2E9FF6A936AB}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

EDIT: I managed to delete those files, but I didn't find javaw.exe where you had written. Searched for it and deleted it..

Petter

Edited 16 August 2007 by chase
norbat Posted 16 August 2007

And how are the popups doing?
chase (author) Posted 16 August 2007

Hehe, forgot to mention that, yes. It actually seems like they have disappeared. Since I deleted the two files the popup hasn't come back. I'll have to wait and see whether more come, but none so far. Thanks a lot norbat! Very helpful

Petter
norbat Posted 16 August 2007

If you are somewhat comfortable with regedit, you could check whether the two entries mentioned are still in the registry:

1. [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Delete the entry: "Aepb"="C:\PROGRA~1\COMMON~1\SEMBLY~1\javaw.exe"

2. HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uuvarpdu

After this you should reset the restore folder so that you are not reinfected by a possible system restore. Control Panel -> System -> System Restore. Tick "Turn off System Restore ...", restart the PC, then untick it again to re-enable the function.
chase (author) Posted 16 August 2007

I don't know much about the registry... But I can do the restore off/on thing.

Petter
norbat Posted 16 August 2007 (edited)

About the registry

Open Notepad and type/copy the following:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aepb"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uuvarpdu]

Save the file as registerfix.reg (click Save As, set the file name to registerfix.reg, and set the file type to All Files) and put it on the desktop. Double-click the file and say yes to adding the information to the registry.

Edited 16 August 2007 by norbat
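A .reg file merged by double-click gives no preview of what it will do: `"name"=-` removes a single value, while `[-KEY]` removes the key and everything beneath it. The parser below is an added example from the editor, not part of the thread and not a Windows or regedit feature; it reads the subset of Registry Editor 5.00 syntax used in the script above and lists the operations regedit would carry out, so a script received from a forum can be reviewed before it is merged. The sample input is norbat's registerfix.reg reproduced verbatim.

```python
"""Dry-run a 'Windows Registry Editor Version 5.00' script before merging it.

Added example; not part of the forum thread and not a Windows or regedit
feature. It understands the subset of .reg syntax used in the thread:
[KEY] / [-KEY] section headers, "name"=- to delete a value, and plain
"name"=data or @=data assignments. Nothing is written anywhere.
"""
from __future__ import annotations

import re

HEADER = "Windows Registry Editor Version 5.00"
KEY_LINE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

# Sample input: the registerfix.reg script from the post above, verbatim.
REGISTERFIX = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aepb"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\uuvarpdu]
"""


def parse_reg(text: str) -> list[tuple[str, str, str | None]]:
    """Return (operation, key, value_name) tuples in file order.

    operation is 'delete_key', 'delete_value' or 'set_value'. Raises
    ValueError if the header is missing, a line is unparsable, or a value
    appears outside a [KEY] section.
    """
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("missing 'Windows Registry Editor Version 5.00' header")
    ops: list[tuple[str, str, str | None]] = []
    key: str | None = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_LINE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                ops.append(("delete_key", key, None))
                key = None  # values listed under a [-KEY] header are meaningless
            continue
        m = VALUE_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        if key is None:
            raise ValueError(f"value outside a key section: {line!r}")
        name = "(Default)" if m.group(2) else m.group(1)
        op = "delete_value" if m.group(3).strip() == "-" else "set_value"
        ops.append((op, key, name))
    return ops


def describe(ops: list[tuple[str, str, str | None]]) -> list[str]:
    """Human-readable plan, one line per operation."""
    out = []
    for op, key, name in ops:
        if op == "delete_key":
            out.append(f"DELETE KEY (recursive): {key}")
        elif op == "delete_value":
            out.append(f"DELETE VALUE: {name!r} in {key}")
        else:
            out.append(f"SET VALUE: {name!r} in {key}")
    return out


if __name__ == "__main__":
    for line in describe(parse_reg(REGISTERFIX)):
        print(line)
```

For the script above this prints one value deletion under the user's Run key and one recursive key deletion under Winlogon\Notify, which is exactly the pair of entries the earlier post asked to check in regedit. A script that tries to set values instead of deleting them, or that names a key outside the ones you expect, is the case where this kind of review pays for itself.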