Cloud, posted 10 September 2007 (edited)

One of the machines at work has been hit by some heavy virus/spyware attacks. It has gotten so bad that the machine can only be used in safe mode, because in normal mode it restarts within a minute or two. Trend Micro OfficeScan was already on the machine. I have also installed Ad-Aware, AVG Anti-Spyware and AVG Anti-Rootkit. Ad-Aware and AVG Anti-Spyware almost always find something new every time they are run. Trend Micro also finds a whole pile of viruses, but never has time to do anything about them before the machine restarts. I also can't install AVG Anti-Virus in safe mode, and there is no time to install it in normal mode. I have tried loading the default settings in the BIOS and starting Windows with "Last Known Good Configuration", but it helps little. When the machine starts in normal mode, a web page automatically pops up pointing to various viruses on the machine and how to remove them ("Pay 49,95$ to fix this problem"). My main problem is basically that I have no way to install any new programs because the PC restarts.
Downloaded HijackThis, but understood very little of what came up, so I'm posting it here:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:49:55, on 10.09.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Opera\Opera.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0414/bl8.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.xxl.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\SENTRA~1\LOKALE~1\Temp\se.dll/spage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - C:\Programfiler\Security Tools\iesplg.dll
O2 - BHO: (no name) - {47B83D78-F986-4E96-9769-2C55EF14DA0B} - C:\WINDOWS\system32\__c00D5BA8.dat (file missing)
O2 - BHO: (no name) - {4D3E8260-DA6C-4406-A5D8-9BF65307AD84} - C:\WINDOWS\system32\pnbf.dll (file missing)
O3 - Toolbar: Protection Bar - {F06E2ABE-3A50-4079-BE25-FC100D9EAA25} - C:\Programfiler\Security Tools\iesbpl.dll (file missing)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [smapp] C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [setRefresh] C:\Programfiler\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] "C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Programfiler\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [security iGuard] C:\Programfiler\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [] "C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [winlogon.exe] msole32.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Programfiler\Security Tools\imsmain.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Programfiler\Security Tools\iesmn.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: DrAntispy.lnk = C:\Programfiler\DrAntispy\DrAntispy.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.xxl.no
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189424003843
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxl.no
O17 - HKLM\Software\..\Telephony: DomainName = xxl.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxl.no
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xxl.no
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = xxl.no
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0043900.dat
O22 - SharedTaskScheduler: apdu - {903902a8-0691-460e-8351-24df3d425e9c} - C:\WINDOWS\system32\gkymhk.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe
O24 - Desktop Component 0: (no name) - http://photo-origin.tickle.com/image/87/9/...RL609407104.jpg

--
End of file - 6343 bytes

EDIT: I also can't update Windows, probably because I have to operate in safe mode.

Edited 10 September 2007 by Cloud
norbat, posted 10 September 2007

Download SmitFraudFix and put it on the desktop.

From safe mode:
Run SmitFraudFix, choose option 2.

Then from normal mode:
Download ComboFix and put it on the desktop.
Run combofix.exe and follow the instructions. You must not click in the window while the program is running.

Post the log file from ComboFix (c:\combofix.txt), SmitFraudFix (C:\rapport.txt) + a new HJT log.
Cloud (thread author), posted 10 September 2007

Thanks for the reply. Will try this tomorrow when I'm back at work. But is it not possible to run ComboFix from safe mode? I may have trouble getting it to run from normal mode.
Cloud (thread author), posted 11 September 2007 (edited)

SmitFraudFix result:

SmitFraudFix v2.222

Scan done at 8:11:53,53, 11.09.2007
Run from C:\Documents and Settings\Administrator.XXL\Skrivebord\SmitfraudFix
OS: Microsoft Windows XP [Versjon 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{903902a8-0691-460e-8351-24df3d425e9c}"="apdu"

[HKEY_CLASSES_ROOT\CLSID\{903902a8-0691-460e-8351-24df3d425e9c}\InProcServer32]
@="C:\WINDOWS\system32\gkymhk.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{903902a8-0691-460e-8351-24df3d425e9c}\InProcServer32]
@="C:\WINDOWS\system32\gkymhk.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Programfiler\Security Tools\ Deleted
C:\Programfiler\VirusProtectPro 3.7\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom NetXtreme Gigabit Ethernet - Miniport for pakkeplanlegger
DNS Server Search Order: 10.1.1.11
DNS Server Search Order: 10.1.1.12
DNS Server Search Order: 193.212.1.10
DNS Server Search Order: 193.212.1.11

HKLM\SYSTEM\CCS\Services\Tcpip\..\{B28CE11A-8A0F-44C6-95C4-903A9D25BFB5}: DhcpNameServer=10.1.1.11 10.1.1.12 193.212.1.10 193.212.1.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{B28CE11A-8A0F-44C6-95C4-903A9D25BFB5}: DhcpNameServer=10.1.1.11 10.1.1.12 193.212.1.10 193.212.1.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B28CE11A-8A0F-44C6-95C4-903A9D25BFB5}: DhcpNameServer=10.1.1.11 10.1.1.12 193.212.1.10 193.212.1.11
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B28CE11A-8A0F-44C6-95C4-903A9D25BFB5}: DhcpNameServer=10.1.1.11 10.1.1.12 193.212.1.10 193.212.1.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.11 10.1.1.12 193.212.1.10 193.212.1.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.11 10.1.1.12 193.212.1.10 193.212.1.11
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.11 10.1.1.12 193.212.1.10 193.212.1.11
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.11 10.1.1.12 193.212.1.10 193.212.1.11

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{903902a8-0691-460e-8351-24df3d425e9c}"="apdu"

[HKEY_CLASSES_ROOT\CLSID\{903902a8-0691-460e-8351-24df3d425e9c}\InProcServer32]
@="C:\WINDOWS\system32\gkymhk.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{903902a8-0691-460e-8351-24df3d425e9c}\InProcServer32]
@="C:\WINDOWS\system32\gkymhk.dll"

»»»»»»»»»»»»»»»»»»»»»»»» End

Going to try running ComboFix in normal mode now, update to follow. Here is a HijackThis log from normal mode.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:31:27, on 11.09.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\WINDOWS\TEMP\NHC87C.EXE
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\userinit.exe
C:\Programfiler\Opera\Opera.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\dwwin.exe
C:\Programfiler\Trend Micro\OfficeScan Client\TSC.EXE
C:\ComboFix\dumphive.cfexe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - C:\Programfiler\Security Tools\iesplg.dll (file missing)
O2 - BHO: (no name) - {47B83D78-F986-4E96-9769-2C55EF14DA0B} - C:\WINDOWS\system32\__c00D5BA8.dat (file missing)
O2 - BHO: (no name) - {4D3E8260-DA6C-4406-A5D8-9BF65307AD84} - C:\WINDOWS\system32\pnbf.dll (file missing)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [smapp] C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [setRefresh] C:\Programfiler\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] "C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Programfiler\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [security iGuard] C:\Programfiler\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [] "C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: DrAntispy.lnk = C:\Programfiler\DrAntispy\DrAntispy.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.xxl.no
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189424003843
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxl.no
O17 - HKLM\Software\..\Telephony: DomainName = xxl.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxl.no
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xxl.no
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = xxl.no
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0043900.dat
O22 - SharedTaskScheduler: apdu - {903902a8-0691-460e-8351-24df3d425e9c} - C:\WINDOWS\system32\gkymhk.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe

--

I simply can't manage to run ComboFix in normal mode, the PC restarts too fast. I get a message about dumping of physical memory.

EDIT2: Also ran the BitDefender Online Scan, and got the following result:

C:\Documents and Settings\sentrallager\Lokale innstillinger\Temporary Internet Files\Content.IE5\I1OB29A9\wbk72.tmp  Infected with: Generic.XPL.HelpX.A3B471DC
C:\Documents and Settings\sentrallager\Lokale innstillinger\Temporary Internet Files\Content.IE5\I1OB29A9\wbk72.tmp  Disinfection failed
C:\Documents and Settings\sentrallager\Lokale innstillinger\Temporary Internet Files\Content.IE5\I1OB29A9\wbk72.tmp  Deleted
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2340c7a9-3c192dd6.zip=>(Quarantine-4)=>GetAccess.class  Infected with: Trojan.Exploit.Byteverify.O
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2340c7a9-3c192dd6.zip=>(Quarantine-4)=>GetAccess.class  Disinfection failed
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2340c7a9-3c192dd6.zip=>(Quarantine-4)=>GetAccess.class  Deleted
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2340c7a9-3c192dd6.zip=>(Quarantine-4)  Updated
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2340c7a9-3c192dd6.zip=>(Quarantine-4)=>InsecureClassLoader.class  Infected with: Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2340c7a9-3c192dd6.zip=>(Quarantine-4)=>InsecureClassLoader.class  Disinfection failed
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2340c7a9-3c192dd6.zip=>(Quarantine-4)=>InsecureClassLoader.class  Deleted
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2340c7a9-3c192dd6.zip=>(Quarantine-4)  Updated
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2340c7a9-3c192dd6.zip=>(Quarantine-4)=>Dummy.class  Infected with: Trojan.Java.Classloader.Dummy.A
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2340c7a9-3c192dd6.zip=>(Quarantine-4)=>Dummy.class  Disinfection failed
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2340c7a9-3c192dd6.zip=>(Quarantine-4)=>Dummy.class  Deleted
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2340c7a9-3c192dd6.zip=>(Quarantine-4)  Updated
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2340c7a9-3c192dd6.zip=>(Quarantine-4)=>Installer.class  Infected with: Java.Trojan.OpenConnection.F
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2340c7a9-3c192dd6.zip=>(Quarantine-4)=>Installer.class  Disinfection failed
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2340c7a9-3c192dd6.zip=>(Quarantine-4)=>Installer.class  Deleted
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2340c7a9-3c192dd6.zip=>(Quarantine-4)  Updated
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2340c7a9-3c192dd6.zip  Update failed
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jr-5d856666-6bdc9333.zip=>(Quarantine-4)=>GetAccess.class  Infected with: Trojan.Exploit.Byteverify.O
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jr-5d856666-6bdc9333.zip=>(Quarantine-4)=>GetAccess.class  Disinfection failed
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jr-5d856666-6bdc9333.zip=>(Quarantine-4)=>GetAccess.class  Deleted
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jr-5d856666-6bdc9333.zip=>(Quarantine-4)  Updated
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jr-5d856666-6bdc9333.zip=>(Quarantine-4)=>InsecureClassLoader.class  Infected with: Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jr-5d856666-6bdc9333.zip=>(Quarantine-4)=>InsecureClassLoader.class  Disinfection failed
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jr-5d856666-6bdc9333.zip=>(Quarantine-4)=>InsecureClassLoader.class  Deleted
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jr-5d856666-6bdc9333.zip=>(Quarantine-4)  Updated
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jr-5d856666-6bdc9333.zip=>(Quarantine-4)=>Dummy.class  Infected with: Trojan.Java.Classloader.Dummy.A
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jr-5d856666-6bdc9333.zip=>(Quarantine-4)=>Dummy.class  Disinfection failed
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jr-5d856666-6bdc9333.zip=>(Quarantine-4)=>Dummy.class  Deleted
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jr-5d856666-6bdc9333.zip=>(Quarantine-4)  Updated
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jr-5d856666-6bdc9333.zip=>(Quarantine-4)=>Installer.class  Infected with: Java.Trojan.OpenConnection.F
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jr-5d856666-6bdc9333.zip=>(Quarantine-4)=>Installer.class  Disinfection failed
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jr-5d856666-6bdc9333.zip=>(Quarantine-4)=>Installer.class  Deleted
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jr-5d856666-6bdc9333.zip=>(Quarantine-4)  Updated
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jr-5d856666-6bdc9333.zip  Update failed
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\goatse.jar-6cede0d3-4a897f14.zip=>(Quarantine-4)=>GetAccess.class  Infected with: Trojan.Exploit.Byteverify.O
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\goatse.jar-6cede0d3-4a897f14.zip=>(Quarantine-4)=>GetAccess.class  Disinfection failed
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\goatse.jar-6cede0d3-4a897f14.zip=>(Quarantine-4)=>GetAccess.class  Deleted
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\goatse.jar-6cede0d3-4a897f14.zip=>(Quarantine-4)  Updated
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\goatse.jar-6cede0d3-4a897f14.zip=>(Quarantine-4)=>InsecureClassLoader.class  Infected with: Java.Trojan.Exploit.Bytverify
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\goatse.jar-6cede0d3-4a897f14.zip=>(Quarantine-4)=>InsecureClassLoader.class  Disinfection failed
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\goatse.jar-6cede0d3-4a897f14.zip=>(Quarantine-4)=>InsecureClassLoader.class  Deleted
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\goatse.jar-6cede0d3-4a897f14.zip=>(Quarantine-4)  Updated
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\goatse.jar-6cede0d3-4a897f14.zip=>(Quarantine-4)=>Dummy.class  Infected with: Trojan.Java.Classloader.Dummy.A
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\goatse.jar-6cede0d3-4a897f14.zip=>(Quarantine-4)=>Dummy.class  Disinfection failed
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\goatse.jar-6cede0d3-4a897f14.zip=>(Quarantine-4)=>Dummy.class  Deleted
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\goatse.jar-6cede0d3-4a897f14.zip=>(Quarantine-4)  Updated
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\goatse.jar-6cede0d3-4a897f14.zip=>(Quarantine-4)=>Installer.class  Infected with: Java.Trojan.OpenConnection.F
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\goatse.jar-6cede0d3-4a897f14.zip=>(Quarantine-4)=>Installer.class  Disinfection failed
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\goatse.jar-6cede0d3-4a897f14.zip=>(Quarantine-4)=>Installer.class  Deleted
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\goatse.jar-6cede0d3-4a897f14.zip=>(Quarantine-4)  Updated
C:\Documents and Settings\sentrallager\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\goatse.jar-6cede0d3-4a897f14.zip  Update failed
C:\Programfiler\DrAntispy\Uninstall.exe  Infected with: GenPack:Trojan.Downloader.Agent.BKW
C:\Programfiler\DrAntispy\Uninstall.exe  Disinfection failed
C:\Programfiler\DrAntispy\Uninstall.exe  Deleted
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\classload.jar-6bfe7dce-369cbe5f.RB0=>(Quarantine-4)=>GetAccess.class  Infected with: Trojan.Exploit.Byteverify.O
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\classload.jar-6bfe7dce-369cbe5f.RB0=>(Quarantine-4)=>GetAccess.class  Disinfection failed
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\classload.jar-6bfe7dce-369cbe5f.RB0=>(Quarantine-4)=>GetAccess.class  Deleted
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\classload.jar-6bfe7dce-369cbe5f.RB0=>(Quarantine-4)  Updated
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\classload.jar-6bfe7dce-369cbe5f.RB0=>(Quarantine-4)=>InsecureClassLoader.class  Infected with: Java.Trojan.Exploit.Bytverify
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\classload.jar-6bfe7dce-369cbe5f.RB0=>(Quarantine-4)=>InsecureClassLoader.class  Disinfection failed
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\classload.jar-6bfe7dce-369cbe5f.RB0=>(Quarantine-4)=>InsecureClassLoader.class  Deleted
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\classload.jar-6bfe7dce-369cbe5f.RB0=>(Quarantine-4)  Updated
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\classload.jar-6bfe7dce-369cbe5f.RB0=>(Quarantine-4)=>Dummy.class  Infected with: Trojan.Java.Classloader.Dummy.A
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\classload.jar-6bfe7dce-369cbe5f.RB0=>(Quarantine-4)=>Dummy.class  Disinfection failed
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\classload.jar-6bfe7dce-369cbe5f.RB0=>(Quarantine-4)=>Dummy.class  Deleted
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\classload.jar-6bfe7dce-369cbe5f.RB0=>(Quarantine-4)  Updated
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\classload.jar-6bfe7dce-369cbe5f.RB0=>(Quarantine-4)=>Installer.class  Infected with: Java.Trojan.OpenConnection.F
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\classload.jar-6bfe7dce-369cbe5f.RB0=>(Quarantine-4)=>Installer.class  Disinfection failed
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\classload.jar-6bfe7dce-369cbe5f.RB0=>(Quarantine-4)=>Installer.class  Deleted
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\classload.jar-6bfe7dce-369cbe5f.RB0=>(Quarantine-4)  Updated
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\classload.jar-6bfe7dce-369cbe5f.RB0  Update failed
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\index1[1].RB0=>(Quarantine-4)  Infected with: JS.Dword.dropper
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\index1[1].RB0=>(Quarantine-4)  Disinfection failed
C:\Programfiler\Trend Micro\OfficeScan Client\Backup\index1[1].RB0=>(Quarantine-4)  Deleted
C:\System Volume Information\_restore{B443AFD0-89DD-4B1D-95CE-6B4A81A892B7}\RP875\A0138336.exe  Infected with: GenPack:Trojan.Downloader.Agent.BKW
C:\System Volume Information\_restore{B443AFD0-89DD-4B1D-95CE-6B4A81A892B7}\RP875\A0138336.exe  Disinfection failed
C:\System Volume Information\_restore{B443AFD0-89DD-4B1D-95CE-6B4A81A892B7}\RP875\A0138336.exe  Deleted
C:\WINDOWS\system32\TmEncryptTemp.000=>(Quarantine-4)  Infected with: Trojan.Juan.X
C:\WINDOWS\system32\TmEncryptTemp.000=>(Quarantine-4)  Disinfection failed
C:\WINDOWS\system32\TmEncryptTemp.000=>(Quarantine-4)  Deleted
C:\WINDOWS\system32\TmEncryptTemp.001=>(Quarantine-4)  Infected with: Trojan.Juan.X
C:\WINDOWS\system32\TmEncryptTemp.001=>(Quarantine-4)  Disinfection failed
C:\WINDOWS\system32\TmEncryptTemp.001=>(Quarantine-4)  Deleted
C:\WINDOWS\system32\TmEncryptTemp.002=>(Quarantine-4)  Infected with: Trojan.Juan.X
C:\WINDOWS\system32\TmEncryptTemp.002=>(Quarantine-4)  Disinfection failed
C:\WINDOWS\system32\TmEncryptTemp.002=>(Quarantine-4)  Deleted
C:\WINDOWS\system32\TmEncryptTemp.003=>(Quarantine-4)  Infected with: Trojan.Juan.X
C:\WINDOWS\system32\TmEncryptTemp.003=>(Quarantine-4)  Disinfection failed
C:\WINDOWS\system32\TmEncryptTemp.003=>(Quarantine-4)  Deleted
C:\WINDOWS\system32\TmEncryptTemp.004=>(Quarantine-4)  Infected with: Trojan.Juan.X
C:\WINDOWS\system32\TmEncryptTemp.004=>(Quarantine-4)  Disinfection failed
C:\WINDOWS\system32\TmEncryptTemp.004=>(Quarantine-4)  Deleted
C:\WINDOWS\system32\__c0043900.dat  Infected with: Trojan.Juan.X
C:\WINDOWS\system32\__c0043900.dat  Disinfection failed
C:\WINDOWS\system32\__c0043900.dat  Delete failed

Edited 11 September 2007 by Cloud
norbat, posted 11 September 2007
Download SDFix.exe. Extract the program.
Download SAS, install it and update it.
Restart in Safe Mode (tap F8 during startup).
Run RunThis.bat in the SDFix folder. A report (Report.txt) is produced.
Run a full scan with SAS.
Restart in normal mode.
Post an HJT log together with the logs from SDFix and SAS (Preferences->statistics/logs).
Cloud (thread author), posted 17 September 2007
Looks like we have got rid of most of the spyware/viruses now.
SDFix report:
SDFix: Version 1.104
Run by administrator on 2007-09-17 at 08:43
Microsoft Windows XP [Versjon 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
Files with Hidden Attributes:
C:\Documents and Settings\jabr\Programdata\Microsoft\Word\~WRL0002.tmp
C:\Documents and Settings\jabr\Programdata\Microsoft\Word\~WRL0005.tmp
C:\Documents and Settings\jabr\Programdata\Microsoft\Word\~WRL3553.tmp
C:\Documents and Settings\jabr\Programdata\Microsoft\Word\~WRL3716.tmp
C:\Documents and Settings\jabr\Skrivebord\~WRL0319.tmp
Finished!
SAS report 1:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 09/17/2007 at 10:58 AM
Application Version : 3.9.1008
Core Rules Database Version : 3307
Trace Rules Database Version: 1313
Scan type : Quick Scan
Total Scan Time : 00:12:34
Memory items scanned : 352
Memory threats detected : 0
Registry items scanned : 835
Registry threats detected : 20
File items scanned : 15008
File threats detected : 244
Trojan.Media-Codec/V3
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C3C4699-B285-475F-BE47-0B26088CE876}
HKCR\CLSID\{1C3C4699-B285-475F-BE47-0B26088CE876}
HKCR\CLSID\{1C3C4699-B285-475F-BE47-0B26088CE876}#xxx
HKCR\CLSID\{1C3C4699-B285-475F-BE47-0B26088CE876}\InprocServer32
HKCR\CLSID\{1C3C4699-B285-475F-BE47-0B26088CE876}\InprocServer32#ThreadingModel
C:\PROGRAMFILER\SECURITY TOOLS\IESPLG.DLL
Adware.Tracking Cookie
Malware.VirusRanger
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\hlwqlvhcUPRe
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\ilnvuef
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\InprocServer32
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\IxycqhZpgpe
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\jhadpmYPte
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\mfvBRvkvNy
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\nPFtxvjcqFu
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\ProgID
HKCR\CLSID\{14869272-E04B-66DC-80DD-58BAB2570CF0}\ubijit
HKCR\Interface\{139C109E-08C6-4B60-9142-860B8CD5D000}
HKCR\Interface\{139C109E-08C6-4B60-9142-860B8CD5D000}\ProxyStubClsid
HKCR\Interface\{139C109E-08C6-4B60-9142-860B8CD5D000}\ProxyStubClsid32
HKCR\Interface\{139C109E-08C6-4B60-9142-860B8CD5D000}\TypeLib
HKCR\Interface\{139C109E-08C6-4B60-9142-860B8CD5D000}\TypeLib#Version
C:\Programfiler\VirusRanger\result.lst
C:\Programfiler\VirusRanger\sdebug.log
C:\Programfiler\VirusRanger\updater.plb
C:\Programfiler\VirusRanger
SAS report 2:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 09/17/2007 at 12:49 PM
Application Version : 3.9.1008
Core Rules Database Version : 3307
Trace Rules Database Version: 1313
Scan type : Quick Scan
Total Scan Time : 00:12:28
Memory items scanned : 369
Memory threats detected : 0
Registry items scanned : 838
Registry threats detected : 0
File items scanned : 15206
File threats detected : 5
Adware.Tracking Cookie
C:\Documents and Settings\Administrator.XXL\Cookies\administrator@tradedoubler[1].txt
C:\Documents and Settings\Administrator.XXL\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator.XXL\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator.XXL\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator.XXL\Cookies\[email protected][2].txt
ComboFix report:
ComboFix 07-09-10.4 - "administrator" 2007-09-17 8:13:00.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.102 [GMT 2:00]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\jabr\PROGRA~1\Hotbar
C:\Programfiler\drantispy
C:\WINDOWS\system32\__c0043900.dat
C:\WINDOWS\system32\drivers\runtime2.sys
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_NDNET1
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\NDnet1
-------\Runtime
((((((((((((((((((((((((( Files Created from 2007-08-17 to 2007-09-17 )))))))))))))))))))))))))))))))
.
2007-09-11 08:31 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-11 08:12 4,058 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-11 08:11 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-11 08:11 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-11 08:11 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-11 08:11 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-10 15:00 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-09-10 13:49 <DIR> d-------- C:\DOCUME~1\ADMINI~1.XXL\.housecall6.6
2007-09-10 13:34 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-09-07 13:46 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-07 13:31 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-09-07 12:47 <DIR> d-------- C:\DOCUME~1\ADMINI~1.XXL\PROGRA~1\Opera
2007-09-07 12:46 <DIR> d-------- C:\Programfiler\Opera
2007-09-07 11:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1.XXL\PROGRA~1\mIRC
2007-09-07 11:16 <DIR> d-------- C:\Programfiler\VirusRanger
2007-09-07 10:52 <DIR> d-------- C:\DOCUME~1\ADMINI~1.XXL\PROGRA~1\Help
2007-09-06 16:47 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\PROGRA~1\TEMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-10 14:23 --------- d-------- C:\Programfiler\Trend Micro 2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll 2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll 2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe 2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll 2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll 2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll 2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C3C4699-B285-475F-BE47-0B26088CE876}] C:\Programfiler\Security Tools\iesplg.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D3E8260-DA6C-4406-A5D8-9BF65307AD84}] C:\WINDOWS\system32\pnbf.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-05-06 17:52] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-05-06 17:48] "Smapp"="C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 10:08] "SSC_UserPrompt"="C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-09-13 13:08] "SetRefresh"="C:\Programfiler\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 20:01] "Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 10:00] "HP Software Update"="C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 14:02] "Security iGuard"="C:\Programfiler\Security iGuard\Security iGuard.exe" [] "OfficeScanNT Monitor"="C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-04-19 00:52] "QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2006-06-30 10:24] "!AVG 
Anti-Spyware"="C:\Programfiler\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2004-08-03 20:15] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"=C:\WINDOWS\system32\__c0043900.dat R2 ntrtscan;OfficeScanNT RealTime Scan;C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe R2 tmlisten;OfficeScanNT Listener;C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe R2 TmPreFilter;Trend Micro PreFilter;\??\C:\Programfiler\Trend Micro\OfficeScan Client\TmPreFlt.sys . ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-09-17 08:26:04 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-09-17 8:28:28 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-09-17 08:28 . 
--- E O F --- ComboFix Quarantined: Klikk for å se/fjerne innholdet nedenfor 2001-02-27 12:55 384 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\HostOL\static\DownLoad\progress.xip.vir2001-02-27 12:55 384 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\progress.xip.vir2001-06-19 12:31 83461 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_2000.xip.vir2001-06-26 15:13 61507 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_1000.xip.vir2001-10-16 12:08 840 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\tsd_bg.xip.vir2001-12-25 16:29 39 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\HostOL\static\DownLoad\linkpathlegal.xip.vir2001-12-27 14:58 25926 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_3000.xip.vir2002-05-12 14:28 170 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\linkpathlegal.xip.vir2002-05-27 16:31 256 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\HostOL\static\DownLoad\business_promo.xip.vir2002-06-10 14:13 269 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\business_promo.xip.vir2002-06-18 18:50 320 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\bubbles.xip.vir2002-07-08 15:16 20944 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\keywords_idx.xip.vir2002-07-08 15:16 34474 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\keywords_sdf.xip.vir2002-07-29 14:54 7873 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\icons2.xip.vir2002-10-24 14:55 51 --a------ 
C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bar.xip.vir2002-10-24 14:56 51 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_logos.xip.vir2002-10-24 14:56 51 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_other.xip.vir2002-11-28 11:25 255 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\HostOL\static\DownLoad\hotbar_promo.xip.vir2002-12-01 16:57 257 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\hotbar_promo.xip.vir2003-01-22 16:08 898 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\s_icons_buttons.xip.vir2003-05-04 10:41 1401 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\t2_bg.xip.vir2003-05-05 12:40 18119 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\top7.xip.vir2003-05-15 22:49 32404 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_x.xip.vir2003-05-21 23:45 79846 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar1.xip.vir2003-05-28 00:10 70469 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar12.xip.vir2003-05-29 00:51 79402 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar9.xip.vir2003-05-29 22:42 30165 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar14.xip.vir2003-06-09 13:01 449 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\HostOL\static\DownLoad\email-def.xip.vir2003-06-10 01:04 106262 --a------ 
C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar3.xip.vir2003-06-11 09:26 23856 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\HostOL\static\DownLoad\email-t1-bg.xip.vir2003-06-11 09:26 23856 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\email-t1-bg.xip.vir2003-06-12 00:27 87693 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar6.xip.vir2003-06-12 00:58 32172 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar2.xip.vir2003-06-17 15:20 21089 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\HostOL\static\DownLoad\images.xip.vir2003-06-18 18:46 76216 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar4.xip.vir2003-06-19 23:53 48645 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar13.xip.vir2003-06-23 22:07 52779 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar5.xip.vir2003-06-24 12:54 57076 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\HostOL\static\DownLoad\code.xip.vir2003-06-24 13:59 383 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\samplegroups2.xip.vir2003-06-24 15:29 7165 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\HostOL\static\DownLoad\treexml.xip.vir2003-06-24 23:32 34992 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1\Hotbar\v3.0\Hotbar\static\DownLoad\d_icons_buttons_bbar7.xip.vir2003-06-25 09:25 847 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\jabr\PROGRA~1 Lenke til kommentar
Cloud, posted 17 September 2007 (thread author)

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:19, on 2007-09-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\VK5978.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe
C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Programfiler\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Programfiler\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programfiler\Opera\Opera.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.no
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D3E8260-DA6C-4406-A5D8-9BF65307AD84} - C:\WINDOWS\system32\pnbf.dll (file missing)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [smapp] C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [setRefresh] C:\Programfiler\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] "C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [security iGuard] C:\Programfiler\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: DrAntispy.lnk = C:\Programfiler\DrAntispy\DrAntispy.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.xxl.no
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189424003843
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxl.no
O17 - HKLM\Software\..\Telephony: DomainName = xxl.no
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0043900.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 6087 bytes
norbat, posted 17 September 2007 (edited)

Uninstall from Add/Remove Programs: Security iGuard

Run HJT, choose "Do a system scan only", tick the following lines and click 'Fix checked':

O2 - BHO: (no name) - {4D3E8260-DA6C-4406-A5D8-9BF65307AD84} - C:\WINDOWS\system32\pnbf.dll (file missing)
O4 - HKLM\..\Run: [security iGuard] C:\Programfiler\Security iGuard\Security iGuard.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0043900.dat

Click: Start->Run
Type: cmd
From the command prompt, type: sc stop SymWSC [press Enter]
Type: sc delete SymWSC [press Enter]
Close the window

Restart

Post a new HJT log

Edited 17 September 2007 by norbat
Cloud, posted 21 September 2007 (thread author)

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:59, on 2007-09-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\UVB73D.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Programfiler\Opera\Opera.exe
C:\Programfiler\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.no
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [smapp] C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [setRefresh] C:\Programfiler\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] "C:\Programfiler\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: DrAntispy.lnk = C:\Programfiler\DrAntispy\DrAntispy.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.xxl.no
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189424003843
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxl.no
O17 - HKLM\Software\..\Telephony: DomainName = xxl.no
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 5733 bytes
norbat, posted 21 September 2007 (edited)

Apart from this file, C:\WINDOWS\TEMP\UVB73D.EXE, which I don't know what is (do you?), your log looks fine.

That file sits in the Windows temp folder and can in principle safely be removed, but you can check the file and see whether it is anything nasty: go to the website http://virusscan.jotti.org/. At the top of the page you can upload the file for a check. What does the report say?

Otherwise, temp folders will be emptied if you, for example, run Disk Cleanup (Accessories->System Tools->Disk Cleanup) or CCleaner (download CCleaner. Start the program. Go to 'Options'->'Advanced'. Untick: "Only delete temporary files......." Click 'Cleaner' and then 'Run CCleaner'.)

Edited 21 September 2007 by norbat
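The triage norbat does by hand in his two replies (picking out the unnamed BHO, the autostart and the AppInit_DLLs entry to fix in the 17 September post, and asking about the process running from C:\WINDOWS\TEMP in the 21 September post) can be scripted against the HijackThis log format. The following is an added example, not code from this thread, from HijackThis or from any of the tools mentioned; it parses a constructed log fragment modelled on the entries above (the "Updater" O4 entry is invented for the example) and reports the entries a helper would want to look at first. The rules are the generic ones the thread's advice relies on: anything running or autostarting from a temp directory, BHOs without a name or whose file is missing, and any AppInit_DLLs entry (such DLLs are loaded into every process that loads user32.dll, so an entry that is not even a .dll is doubly suspicious).

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis v2 log format, modelled on entries from this
# thread; it is not one of the logs posted above, and the "Updater" line is invented.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\UVB73D.EXE
C:\Programfiler\Opera\Opera.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.no
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D3E8260-DA6C-4406-A5D8-9BF65307AD84} - C:\WINDOWS\system32\pnbf.dll (file missing)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0043900.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# A path component literally named Temp/TEMP, anywhere in the path.
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# HijackThis entry lines: R0-R3, F0-F3, N1-N4, O1-O24, always "<type> - <body>".
ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")


def _is_temp_path(path: str) -> bool:
    """True if the path sits under a directory named Temp."""
    return bool(TEMP_DIR.search(path))


def triage_hjt_log(text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries that deserve a manual look.

    Bare paths after "Running processes:" are the process list; everything
    from the first "<type> - " line onward is an entry line.
    """
    findings: List[Tuple[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY.match(line)
        if m is None:
            # Not an entry line: inside the process list it is a bare image path.
            if in_processes and _is_temp_path(line):
                findings.append(("process running from a temp directory", line))
            continue
        in_processes = False
        kind, body = m.group(1), m.group(2)
        if kind == "O2" and ("(no name)" in body or "(file missing)" in body):
            findings.append(("BHO without a name or with missing file", line))
        elif kind == "O4" and _is_temp_path(body):
            findings.append(("autostart entry pointing into a temp directory", line))
        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            target = body.split(":", 1)[1].strip()
            reason = "AppInit_DLLs entry (loaded into every process that loads user32.dll)"
            if not target.lower().endswith(".dll"):
                reason += "; target lacks a .dll extension"
            findings.append((reason, line))
    return findings


if __name__ == "__main__":
    for reason, line in triage_hjt_log(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Run against the sample it reports four entries: the TEMP process, the nameless BHO with its missing file, the invented autostart in a user temp folder, and the AppInit_DLLs .dat file, which is exactly the set norbat asked about or told the poster to fix. The rules are deliberately narrow; a clean O4 or O23 entry passes through, so the output is a shortlist for a person to read, not a verdict.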