RamGuy, posted 6 November 2007

I have some kind of virus or something. Insanely annoying; it showed up when I logged in to it's-learning. Two icons appeared on the desktop, "Life Safety Center" and "Online Security Guide". NOD32 pops up with loads of warnings, but it just keeps coming back all the time. I can't delete it myself, not even in Safe Mode, because the whole PC goes haywire in Safe Mode now. Is there any way I can get rid of this junk without a full format of my laptop? Is it safe to connect it to my desktop to back up various files? Or will I quickly end up with the virus on my desktop too? I've uploaded a picture of all the crap that constantly pops up when I use the PC now.
norbat, posted 6 November 2007

You shouldn't need to format.

Get Smitfraudfix and put it on the desktop.
Restart in Safe Mode (tap F8 during boot, choose Safe Mode).
Run Smitfraudfix, choose option 2.

From normal mode: download SAS, install it, update it and run a full (Complete) scan.

Post the following logs:
Smitfraudfix: C:\rapport.txt
SAS: preferences -> statistics/logs
HJT log -> Download HijackThis. Put it in its own folder on the desktop. Start the program, choose "Do a system scan and save a logfile". Copy the log file and post it.
RamGuy (topic author), posted 6 November 2007 (edited)

I couldn't run the first one, since the PC doesn't work in Safe Mode for some strange reason. SAS Pro is scanning now.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:30:03, on 06.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
D:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Program Files\Analog Devices\Core\smax4pnp.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
D:\WINDOWS\System32\drivers\PhiBtn.exe
D:\WINDOWS\System32\drivers\Tray900.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINDOWS\system32\agrsmsvc.exe
D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
D:\WINDOWS\system32\yfakeswr.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
D:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
\?\D:\WINDOWS\system32\WBEM\WMIADAP.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 102.54.94.97 rhino.acme.com # source server
O1 - Hosts: 38.25.63.10 x.acme.com # x client host
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\SYSTEM32\NRWBFAQZ.DLL
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [soundMAX] D:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [iAAnotif] "D:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [synTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [soundMAXPnP] D:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AAWTray] D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [PhiBtn] %SystemRoot%\System32\drivers\PhiBtn.exe
O4 - HKLM\..\Run: [Traymin900] %SystemRoot%\System32\drivers\Tray900.exe
O4 - HKLM\..\Run: [imekrmig7.0] "D:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE"
O4 - HKLM\..\Run: [iMSCMig] D:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [CJIMETIPSYNC] D:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] D:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [iMJPMIG9.0] D:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Last ned alle med FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Last ned med FlashGet - D:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - D:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DomainService - - D:\WINDOWS\system32\yfakeswr.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - D:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - D:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SWIHPWMI - Sierra Wireless Inc. - D:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe

--
End of file - 8585 bytes

Edited 6 November 2007 by RamGuy
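The log above is the kind of input a helper reads by eye: the Security Toolbar DLL in SYSTEM32, two "tray" executables started out of System32\drivers, and a service with no vendor name are the entries that stand out. The script below is an added example (not from the original thread and not part of HijackThis) that applies those same checks mechanically. The sample lines are copied from the posted log; the function names, the strong/weak split and the heuristics themselves are this example's own and yield leads to verify, not verdicts.

```python
"""Triage of a HijackThis (HJT) log: surface autostart entries worth a second look.

Added example, not from the original thread or from HijackThis itself. The sample
lines are copied from the HJT log posted above; the heuristics, names and
severity split are this example's own and produce leads, not verdicts.
"""
import re
from dataclasses import dataclass, field
from typing import List

# O3 toolbars, O4 Run keys and O23 services copied from the posted log.
HJT_SAMPLE = r"""
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\SYSTEM32\NRWBFAQZ.DLL
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [igfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [PhiBtn] %SystemRoot%\System32\drivers\PhiBtn.exe
O4 - HKLM\..\Run: [Traymin900] %SystemRoot%\System32\drivers\Tray900.exe
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O23 - Service: DomainService - - D:\WINDOWS\system32\yfakeswr.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""


@dataclass
class Finding:
    kind: str                                   # HJT section: O2, O3, O4, O23
    path: str                                   # binary the entry loads
    strong: List[str] = field(default_factory=list)
    weak: List[str] = field(default_factory=list)


# First path-like token ending in an executable extension, optional leading quote.
PATH_RE = re.compile(r'^"?(.+?\.(?:exe|dll|scr|cmd|bat|pif))', re.I)


def _command_path(cmd: str) -> str:
    """Reduce a Run-key command line (quotes, switches, "(User ...)" suffix) to its binary."""
    m = PATH_RE.match(cmd.strip())
    return m.group(1) if m else cmd.strip()


def parse(text: str) -> List[Finding]:
    out: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("O2 - BHO:", "O3 - Toolbar:")):
            out.append(Finding(line[:2], line.rsplit(" - ", 1)[1]))
        elif line.startswith("O4 - "):
            out.append(Finding("O4", _command_path(line.split("] ", 1)[1])))
        elif line.startswith("O23 - Service: "):
            left, path = line[len("O23 - Service: "):].rsplit(" - ", 1)
            # HJT prints "name - - path" when the vendor field is empty.
            company = "" if left.endswith(" -") else left.rpartition(" - ")[2]
            f = Finding("O23", path)
            if company.strip() in ("", "Unknown owner"):
                f.strong.append("service binary carries no vendor name")
            out.append(f)
    return out


def assess(f: Finding) -> Finding:
    low = f.path.lower()
    folder, _, name = low.rpartition("\\")
    stem = name.rsplit(".", 1)[0]
    if "\\system32\\drivers\\" in low and name.endswith(".exe"):
        f.strong.append("user-mode .exe launched from the kernel drivers folder")
    if f.kind in ("O2", "O3") and folder.endswith("\\system32"):
        f.strong.append("browser add-on DLL sits directly in system32, not under Program Files")
    if folder.endswith("\\system32") and len(stem) == 8 and stem.isalpha():
        f.weak.append("8-letter name in system32 (the dropper naming seen here; legit files match too)")
    return f


def triage(text: str) -> List[Finding]:
    return [assess(f) for f in parse(text)]


def suspicious(text: str) -> List[str]:
    """Paths with at least one strong indicator, in log order."""
    return [f.path for f in triage(text) if f.strong]


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE):
        if f.strong or f.weak:
            print(f.kind, f.path, "|", "; ".join(f.strong) or "-", "|", "; ".join(f.weak) or "-")
```

Run against the sample it flags NRWBFAQZ.DLL, PhiBtn.exe, Tray900.exe and yfakeswr.exe, which matches what SAS and ComboFix later removed, but it also flags ESET's own EHttpSrv.exe because HJT reports it as "Unknown owner". That false positive is the point of keeping a weak tier and of never deleting on a heuristic alone: confirm each hit (publisher, hash, where it came from) before acting. igfxtray.exe shows why the 8-letter-name rule is only a weak signal.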
norbat, posted 6 November 2007

OK. When SAS has finished (and after a restart), do the following:

Get Combofix and put it on the desktop.
Run combofix.exe and follow the instructions. You must not click on the window while the program is running.
Post the log file from combofix (c:\combofix.txt) together with the log from SAS + a new HJT log.
RamGuy (topic author), posted 7 November 2007

I tried to run a full SAS Pro scan, but when it couldn't finish in 9 hours I gave up. So I ran a QuickScan instead, and after it completed I restarted the PC. Then I ran Combofix and, when it was done, another HijackThis scan. Here are the logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/07/2007 at 09:16 AM

Application Version : 3.9.1008

Core Rules Database Version : 3339
Trace Rules Database Version: 1340

Scan type : Quick Scan
Total Scan Time : 00:18:21

Memory items scanned : 513
Memory threats detected : 2
Registry items scanned : 792
Registry threats detected : 22
File items scanned : 21332
File threats detected : 15

Trojan.WinFixer
D:\WINDOWS\SYSTEM32\MLJJH.DLL
D:\WINDOWS\SYSTEM32\MLJJH.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1D351382-1607-42C8-9CE3-42FDAF3F10AD}
HKCR\CLSID\{1D351382-1607-42C8-9CE3-42FDAF3F10AD}
HKCR\CLSID\{1D351382-1607-42C8-9CE3-42FDAF3F10AD}\InprocServer32
HKCR\CLSID\{1D351382-1607-42C8-9CE3-42FDAF3F10AD}\InprocServer32#ThreadingModel

Adware.eZula
D:\WINDOWS\SYSTEM32\YFAKESWR.EXE
D:\WINDOWS\SYSTEM32\YFAKESWR.EXE
D:\WINDOWS\Prefetch\YFAKESWR.EXE-1FE24168.pf

Adware.Vundo Variant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32#ThreadingModel
D:\WINDOWS\SYSTEM32\NRWBFAQZ.DLL
HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}
HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}\InprocServer32
HKCR\CLSID\{89AD4D75-2429-462E-BD4E-443F233F6033}\InprocServer32#ThreadingModel
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{E908A6A7-026C-4FBE-93A9-96020BEEAD53}
HKCR\CLSID\{E908A6A7-026C-4FBE-93A9-96020BEEAD53}\InprocServer32
HKCR\CLSID\{E908A6A7-026C-4FBE-93A9-96020BEEAD53}\InprocServer32#ThreadingModel

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32#ThreadingModel

Adware.Tracking Cookie
D:\Documents and Settings\Thomas Andre\Cookies\thomas_andre@bestsellerantivirus[2].txt
D:\Documents and Settings\Thomas Andre\Cookies\thomas_andre@linksynergy[1].txt
D:\Documents and Settings\Thomas Andre\Cookies\thomas_andre@wysistat[1].txt
D:\Documents and Settings\Thomas Andre\Cookies\thomas_andre@imrworldwide[2].txt
D:\Documents and Settings\Thomas Andre\Cookies\[email protected][1].txt
D:\Documents and Settings\Thomas Andre\Cookies\thomas_andre@azjmp[2].txt
D:\Documents and Settings\Thomas Andre\Cookies\[email protected][1].txt

Adware.ClickSpring/Outer Info Network
HKLM\Software\Outerinfo
HKLM\Software\Outerinfo#InstallDirectory
D:\Program Files\Outerinfo\outerinfo.ico
D:\Program Files\Outerinfo

Adware.Vundo-Variant
D:\WINDOWS\SYSTEM32\BOYVJKLL.DLL
D:\WINDOWS\SYSTEM32\USPNTJMR.DLL


ComboFix 07-11-07.3 - Thomas Andre 2007-11-07 9:22:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1520 [GMT 1:00]
Running from: D:\Documents and Settings\Thomas Andre\Desktop\ComboFix.exe
 * Created a new restore point
.
Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Program Files\icroso~1
D:\Program Files\icroso~1\?icrosoft\
D:\WINDOWS\cookies.ini
D:\WINDOWS\system32\__c001F98D.dat
D:\WINDOWS\system32\__c0039E30.dat
D:\WINDOWS\system32\__c0052AA1.dat
D:\WINDOWS\system32\__c00680B6.dat
D:\WINDOWS\system32\__c00715C5.dat
D:\WINDOWS\system32\__c0072084.dat
D:\WINDOWS\system32\__c0073E58.dat
D:\WINDOWS\system32\__c0088B54.dat
D:\WINDOWS\system32\__c0096532.dat
D:\WINDOWS\system32\__c00AFBFC.dat
D:\WINDOWS\system32\__c00C0FE5.dat
D:\WINDOWS\system32\__c00C7C2C.dat
D:\WINDOWS\system32\__c00CCDBC.dat
D:\WINDOWS\system32\__c00D188.dat
D:\WINDOWS\system32\__c00D28F3.dat
D:\WINDOWS\system32\__c00E26B9.dat
D:\WINDOWS\system32\__c00EA400.dat
D:\WINDOWS\system32\__c00F5EC1.dat
D:\WINDOWS\system32\aqcrafoc.dll
D:\WINDOWS\system32\bjvggjlr.dll
D:\WINDOWS\system32\Cache
D:\WINDOWS\system32\cphksqqu.dll
D:\WINDOWS\system32\dcrdyksj.dll
D:\WINDOWS\system32\ddgayyyt.dll
D:\WINDOWS\system32\drivers\Phibtn.exe
D:\WINDOWS\system32\drivers\Tray900.exe
D:\WINDOWS\system32\egqvfrrm.dll
D:\WINDOWS\system32\eirxcrty.dll
D:\WINDOWS\system32\engtiuls.dll
D:\WINDOWS\system32\hjjlm.bak1
D:\WINDOWS\system32\hjjlm.bak2
D:\WINDOWS\system32\hjjlm.ini
D:\WINDOWS\system32\hjjlm.ini2
D:\WINDOWS\system32\hjjlm.tmp
D:\WINDOWS\system32\isubcrnx.dll
D:\WINDOWS\system32\ithlpnad.dll
D:\WINDOWS\system32\iuggsevk.dll
D:\WINDOWS\system32\jqyncrvh.dll
D:\WINDOWS\system32\jtqirkoe.dll
D:\WINDOWS\system32\lsbbjjqo.dll
D:\WINDOWS\system32\mealynoj.dll
D:\WINDOWS\system32\mgdnyrcl.dll
D:\WINDOWS\system32\mljjh.dll
D:\WINDOWS\system32\nbeayrit.dll
D:\WINDOWS\system32\nhscrmdg.dll
D:\WINDOWS\system32\nrwbfaqz.dllbox
D:\WINDOWS\system32\oeilfutq.dll
D:\WINDOWS\system32\ojuydifg.dll
D:\WINDOWS\system32\pjstmuqe.dll
D:\WINDOWS\system32\qpuscdcn.dll
D:\WINDOWS\system32\rdnvwmbr.dll
D:\WINDOWS\system32\rvbhjtox.dll
D:\WINDOWS\system32\ryfdotni.dll
D:\WINDOWS\system32\srleirbh.dll
D:\WINDOWS\system32\ubumiyot.dll
D:\WINDOWS\system32\udwqmwav.dll
D:\WINDOWS\system32\uytrhmms.dll
D:\WINDOWS\system32\wepcwvpl.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-07 09:20 51,200 --a------ D:\WINDOWS\NirCmd.exe
2007-11-07 09:19 71,232 --a------ D:\WINDOWS\system32\imieemsi.exe
2007-11-07 09:04 86,080 --a------ D:\WINDOWS\system32\gptofpei.dll
2007-11-07 08:55 71,232 --a------ D:\WINDOWS\system32\lefakxob.exe
2007-11-06 23:43 87,104 --a------ D:\WINDOWS\system32\nuwkappy.dll
2007-11-06 23:34 71,232 --a------ D:\WINDOWS\system32\xfwytbfw.exe
2007-11-06 23:21 <DIR> d-------- D:\Program Files\Trend Micro
2007-11-06 23:21 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2007-11-06 23:21 <DIR> d-------- D:\Documents and Settings\Thomas Andre\Application Data\SUPERAntiSpyware.com
2007-11-06 23:21 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-06 22:29 87,104 --a------ D:\WINDOWS\system32\iwrnpitj.dll
2007-11-06 22:23 71,232 --a------ D:\WINDOWS\system32\fgoamxee.exe
2007-11-06 22:13 71,232 --a------ D:\WINDOWS\system32\fhfrpaxw.exe
2007-11-06 22:06 71,232 --a------ D:\WINDOWS\system32\vwyamium.exe
2007-11-06 22:05 <DIR> d-------- D:\WINDOWS\system32\xircom
2007-11-06 22:05 <DIR> d-------- D:\WINDOWS\srchasst
2007-11-06 22:05 <DIR> d-------- D:\Program Files\microsoft frontpage
2007-11-06 21:54 145,984 --a------ D:\WINDOWS\system32\ppgqaeai.dll
2007-11-04 21:25 <DIR> d-------- D:\Program Files\EA GAMES
2007-11-04 19:57 21,504 --a------ D:\WINDOWS\system32\hidserv.dll
2007-11-04 19:37 <DIR> d-------- D:\Worms Armageddon - New Edition
2007-11-03 17:38 <DIR> d-------- D:\Program Files\Diskeeper Corporation
2007-11-03 17:38 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Diskeeper Corporation
2007-11-01 23:29 <DIR> d-------- D:\Documents and Settings\Thomas Andre\Application Data\ESET
2007-10-30 14:16 <DIR> d-------- D:\Harry.Potter.And.The.Order.Of.The.Phoenix.2007.Custom.DKsubs.NTSC.DVDR-XXX
2007-10-30 11:26 <DIR> d-------- D:\Program Files\Mozilla Thunderbird
2007-10-30 11:26 <DIR> d-------- D:\Documents and Settings\Thomas Andre\Application Data\Thunderbird
2007-10-30 11:26 0 --a------ D:\WINDOWS\nsreg.dat
2007-10-30 10:11 589 --a------ D:\WINDOWS\system32\jupglrnp.dll
2007-10-29 10:03 589 --a------ D:\WINDOWS\system32\lahajxud.dll
2007-10-29 09:03 589 --a------ D:\WINDOWS\system32\xscjnkuu.dll
2007-10-25 09:27 30,728 --a------ D:\WINDOWS\system32\drivers\epfwtdir.sys
2007-10-25 09:25 33,800 --a------ D:\WINDOWS\system32\drivers\eamon.sys
2007-10-25 09:25 27,144 --a------ D:\WINDOWS\system32\drivers\easdrv.sys
2007-10-22 20:35 <DIR> d-------- D:\Program Files\MediaMonkey
2007-10-20 01:56 3,596,288 --a------ D:\WINDOWS\system32\qt-dx331.dll
2007-10-20 01:56 1,044,480 --a------ D:\WINDOWS\system32\libdivx.dll
2007-10-20 01:56 524,288 --a------ D:\WINDOWS\system32\DivXsm.exe
2007-10-20 01:56 200,704 --a------ D:\WINDOWS\system32\ssldivx.dll
2007-10-20 01:54 823,296 --a------ D:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 01:54 823,296 --a------ D:\WINDOWS\system32\divx_xx07.dll
2007-10-20 01:54 802,816 --a------ D:\WINDOWS\system32\divx_xx11.dll
2007-10-20 01:54 739,840 --a------ D:\WINDOWS\system32\DivX.dll
2007-10-20 01:54 196,608 --a------ D:\WINDOWS\system32\dtu100.dll
2007-10-20 01:54 81,920 --a------ D:\WINDOWS\system32\dpl100.dll
2007-10-18 22:18 <DIR> d-------- D:\Program Files\Alcohol Soft
2007-10-18 10:06 156,992 --a------ D:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 10:03 593,920 --a------ D:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 10:03 344,064 --a------ D:\WINDOWS\system32\dpus11.dll
2007-10-18 10:03 294,912 --a------ D:\WINDOWS\system32\dpu11.dll
2007-10-18 10:03 294,912 --a------ D:\WINDOWS\system32\dpu10.dll
2007-10-18 10:03 57,344 --a------ D:\WINDOWS\system32\dpv11.dll
2007-10-18 10:03 53,248 --a------ D:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 10:02 12,288 --a------ D:\WINDOWS\system32\DivXWMPExtType.dll
2007-10-18 00:33 <DIR> d-------- D:\Program Files\DAEMON Tools
2007-10-17 21:59 5,824 --a------ D:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2007-10-17 18:13 356,352 --a------ D:\WINDOWS\system32\NVUNINST.EXE
2007-10-17 12:47 <DIR> d-------- D:\New Folder (2)
2007-10-14 20:08 2,048 --a------ D:\WINDOWS\system32\Tr_sttool.dat
2007-10-13 18:50 <DIR> d-------- D:\Program Files\FM Modifier 2.1
2007-10-13 18:38 <DIR> d-------- D:\WINDOWS\SafeDisc 4 Blocker
2007-10-13 17:44 1,790 --a------ D:\WINDOWS\system32\sdbackup.reg
2007-10-13 16:44 141,671 --a------ D:\Documents and Settings\Thomas Andre\uninstall_flash_player.exe
2007-10-11 09:27 128,104 --a------ D:\WINDOWS\system32\drivers\WimFltr.sys
2007-10-09 19:05 584,192 --a------ D:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 19:05 63,488 --a------ D:\WINDOWS\system32\dllcache\icardie.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 08:14 --------- d-----w D:\Documents and Settings\Thomas Andre\Application Data\uTorrent
2007-11-06 22:21 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2007-11-06 22:19 --------- d-----w D:\Program Files\FlashGet
2007-11-03 16:43 --------- d-----w D:\Program Files\DivX
2007-11-01 22:17 --------- d-----w D:\Documents and Settings\All Users\Application Data\Eset
2007-10-23 07:03 --------- d-----w D:\Program Files\Common Files\Adobe
2007-10-19 23:22 --------- d--h--w D:\Program Files\InstallShield Installation Information
2007-10-17 23:35 --------- d-----w D:\Program Files\Sports Interactive
2007-10-13 16:45 --------- d-----w D:\Documents and Settings\Thomas Andre\Application Data\Sports Interactive
2007-10-13 16:37 163,644 ----a-w D:\WINDOWS\system32\drivers\secdrv.sys
2007-10-13 16:26 --------- d-----w D:\Program Files\Common Files\InstallShield
2007-10-12 16:58 --------- d-----w D:\Program Files\Nokia
2007-10-12 16:58 --------- d-----w D:\Program Files\Common Files\Nokia
2007-10-11 10:48 --------- d-----w D:\Program Files\Common Files\Nero
2007-10-11 10:46 --------- d-----w D:\Documents and Settings\All Users\Application Data\Nero
2007-10-09 18:15 --------- d-----w D:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-04 11:35 --------- d-----w D:\Documents and Settings\Thomas Andre\Application Data\Nokia
2007-10-04 11:35 --------- d-----w D:\Documents and Settings\All Users\Application Data\PC Suite
2007-10-03 17:06 --------- d-----w D:\Documents and Settings\All Users\Application Data\Raxco
2007-10-01 20:34 --------- d--h--w D:\Program Files\Zero G Registry
2007-09-30 17:18 107,888 ----a-w D:\WINDOWS\system32\CmdLineExt.dll
2007-09-30 17:18 --------- d--h--r D:\Documents and Settings\Thomas Andre\Application Data\SecuROM
2007-09-30 15:18 --------- d-----w D:\Documents and Settings\Thomas Andre\Application Data\DAEMON Tools Pro
2007-09-30 15:13 --------- d-----w D:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2007-09-30 15:10 685,816 ----a-w D:\WINDOWS\system32\drivers\sptd.sys
2007-09-24 13:57 --------- d-----w D:\Documents and Settings\Thomas Andre\Application Data\Nero
2007-09-24 13:54 --------- d-----w D:\Program Files\Nero
2007-09-24 07:05 132,904 ----a-w D:\WINDOWS\system32\drivers\imagesrv.sys
2007-09-24 07:05 11,304 ----a-w D:\WINDOWS\system32\drivers\imagedrv.sys
2007-09-23 22:37 --------- d-----w D:\Program Files\jv16 PowerTools 2007
2007-09-20 18:21 --------- d-----w D:\Documents and Settings\All Users\Application Data\EPSON
2007-09-20 18:20 --------- d-----w D:\Program Files\EPSON
2007-09-20 07:59 972,072 ----a-w D:\WINDOWS\UNRecode.exe
2007-09-20 07:55 972,072 ----a-w D:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 07:55 95,600 ----a-w D:\WINDOWS\system32\NeroCo.dll
2007-09-19 14:52 --------- d-----w D:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-09-19 09:20 --------- d-----w D:\Program Files\Windows Live
2007-09-18 19:17 --------- d--h--w D:\Program Files\Zenographics
2007-09-18 19:17 --------- d-----w D:\Program Files\Hewlett-Packard
2007-09-08 10:03 --------- d-----w D:\Documents and Settings\Thomas Andre\Application Data\DivX
2007-09-05 14:48 86,073 ----a-w D:\WINDOWS\system32\usrfaxa.dll
2007-09-05 14:48 8,192 ----a-w D:\WINDOWS\system32\tsbyuv.dll
2007-09-05 14:48 8,192 ----a-w D:\WINDOWS\system32\streamci.dll
2007-09-05 14:48 77,891 ----a-w D:\WINDOWS\system32\usrmlnka.exe
2007-09-05 14:48 77,890 ----a-w D:\WINDOWS\system32\usrdpa.dll
2007-09-05 14:48 77,883 ----a-w D:\WINDOWS\system32\usrrtosa.dll
2007-09-05 14:48 72,192 ----a-w D:\WINDOWS\system32\sprio800.dll
2007-09-05 14:48 70,656 ----a-w D:\WINDOWS\system32\sprio600.dll
2007-09-05 14:48 69,700 ----a-w D:\WINDOWS\system32\usrshuta.exe
2007-09-05 14:48 69,699 ----a-w D:\WINDOWS\system32\usrcoina.dll
2007-09-05 14:48 69,632 ----a-w D:\WINDOWS\system32\spnike.dll
2007-09-05 14:48 61,508 ----a-w D:\WINDOWS\system32\usrprbda.exe
2007-09-05 14:48 61,500 ----a-w D:\WINDOWS\system32\usrcntra.dll
2007-09-05 14:48 55,296 ----a-w D:\WINDOWS\system32\dvdplay.exe
2007-09-05 14:48 53,305 ----a-w D:\WINDOWS\system32\usrlbva.dll
2007-09-05 14:48 52,224 ----a-w D:\WINDOWS\system32\dmutil.dll
2007-09-05 14:48 51,712 ----a-w D:\WINDOWS\system32\wzcsapi.dll
2007-09-05 14:48 49,211 ----a-w D:\WINDOWS\system32\usrvpa.dll
2007-09-05 14:48 49,211 ----a-w D:\WINDOWS\system32\usrsdpia.dll
2007-09-05 14:48 49,209 ----a-w D:\WINDOWS\system32\usrv80a.dll
2007-09-05 14:48 47,616 ----a-w D:\WINDOWS\system32\iyuv_32.dll
2007-09-05 14:48 47,104 ----a-w D:\WINDOWS\system32\cnbjmon.dll
2007-09-05 14:48 45,116 ----a-w D:\WINDOWS\system32\usrvoica.dll
2007-09-05 14:48 41,019 ----a-w D:\WINDOWS\system32\usrsvpia.dll
2007-09-05 14:48 359,936 ----a-w D:\WINDOWS\system32\wzcsvc.dll
2007-09-05 14:48 35,328 ----a-w D:\WINDOWS\system32\pid.dll
2007-09-05 14:48 323,641 ----a-w D:\WINDOWS\system32\usrdtea.dll
2007-09-05 14:48 3,200 ----a-w D:\WINDOWS\system32\wowfax.dll
2007-09-05 14:48 20,992 ----a-w D:\WINDOWS\system32\hid.dll
2007-09-05 14:48 2,017,280 ----a-w D:\WINDOWS\system32\ntkrnlpa.exe
2007-09-05 14:48 17,408 ----a-w D:\WINDOWS\system32\msyuv.dll
2007-09-05 14:48 157,696 ----a-w D:\WINDOWS\system32\paqsp.dll
2007-09-05 14:48 15,360 ----a-w D:\WINDOWS\system32\pjlmon.dll
2007-09-05 14:48 147,968 ----a-w D:\WINDOWS\system32\mdwmdmsp.dll
2007-09-05 14:48 13,824 ----a-w D:\WINDOWS\system32\wowfaxui.dll
2007-09-05 14:48 102,457 ----a-w D:\WINDOWS\system32\usrv42a.dll
2007-09-05 14:46 984,576 ----a-w D:\WINDOWS\system32\syssetup.dll
2007-09-05 14:46 981,760 ----a-w D:\WINDOWS\system32\mfc42u.dll
2007-09-05 14:46 96,768 ----a-w D:\WINDOWS\system32\srvsvc.dll
2007-09-05 14:46 956,416 ----a-w D:\WINDOWS\system32\msdtctm.dll
2007-09-05 14:46 927,504 ----a-w D:\WINDOWS\system32\mfc40u.dll
2007-09-05 14:46 91,136 ----a-w D:\WINDOWS\system32\mtxoci.dll
2007-09-05 14:46 884,736 ----a-w D:\WINDOWS\system32\msimsg.dll
2007-09-05 14:46 80,896 ----a-w D:\WINDOWS\system32\fontsub.dll
2007-09-05 14:46 78,848 ----a-w D:\WINDOWS\system32\msiexec.exe
2007-09-05 14:46 74,752 ----a-w D:\WINDOWS\system32\olecli32.dll
2007-09-05 14:46 74,240 ----a-w D:\WINDOWS\system32\mscms.dll
2007-09-05 14:46 721,920 ----a-w D:\WINDOWS\system32\lsasrv.dll
2007-09-05 14:46 72,704 ----a-w D:\WINDOWS\system32\hlink.dll
2007-09-05 14:46 713,216 ----a-w D:\WINDOWS\system32\sxs.dll
2007-09-05 14:46 68,096 ----a-w D:\WINDOWS\system32\webclnt.dll
2007-09-05 14:46 66,560 ----a-w D:\WINDOWS\system32\mtxclu.dll
2007-09-05 14:46 65,536 ----a-w D:\WINDOWS\system32\nwwks.dll
2007-09-05 14:46 64,000 ----a-w D:\WINDOWS\system32\nwapi32.dll
2007-09-05 14:46 577,536 ----a-w D:\WINDOWS\system32\user32.dll
2007-09-05 14:46 57,856 ----a-w D:\WINDOWS\system32\spoolsv.exe
2007-09-05 14:46 549,376 ----a-w D:\WINDOWS\system32\oleaut32.dll
2007-09-05 14:46 498,742 ----a-w D:\WINDOWS\system32\dxmasf.dll
2007-09-05 14:46 426,496 ----a-w D:\WINDOWS\system32\msdtcprx.dll
2007-09-05 14:46 41,472 ----a-w D:\WINDOWS\system32\hhsetup.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl"="D:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-07 08:47]
"SoundMAX"="D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 06:12]
"IAAnotif"="D:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 12:00]
"SynTPEnh"="D:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-07 16:47]
"IgfxTray"="D:\WINDOWS\system32\igfxtray.exe" [2007-05-18 20:50]
"HotKeysCmds"="D:\WINDOWS\system32\hkcmd.exe" [2007-05-18 20:50]
"Persistence"="D:\WINDOWS\system32\igfxpers.exe" [2007-05-18 20:50]
"SoundMAXPnP"="D:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 16:36]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"AAWTray"="D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 14:53]
"PhiBtn"="D:\WINDOWS\System32\drivers\PhiBtn.exe" []
"Traymin900"="D:\WINDOWS\System32\drivers\Tray900.exe" []
"VCheck"="" []
"imekrmig7.0"="D:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE" [2007-04-19 13:00]
"IMSCMig"="D:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.exe" [2007-04-02 20:42]
"CJIMETIPSYNC"="D:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.exe" [2007-03-22 18:17]
"PHIMETIPSYNC"="D:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.exe" [2007-03-22 18:17]
"IMJPMIG9.0"="D:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.exe" [2007-04-19 13:00]
"NBKeyScan"="D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 08:51]
"NeroFilterCheck"="D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 14:57]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"egui"="D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-10-25 09:26]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide_3"=rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)
"NoSharedDocuments"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=1 (0x1)
"ForceClassicControlPanel"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nrwbfaqz]
nrwbfaqz.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 D:\WINDOWS\system32\mljjh.dll

R1 easdrv;easdrv;D:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;D:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R2 eamon;EAMON;D:\WINDOWS\system32\DRIVERS\eamon.sys
R2 ekrn;Eset Service;"D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);D:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 SWIHPWMI;SWIHPWMI;D:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
S3 camvid40;Philips SPC 900NC PC Camera;D:\WINDOWS\system32\DRIVERS\camdrv41.sys
S3 EhttpSrv;Eset HTTP Server;"D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe"
S3 HP24X;HP PC Card Smart Card Reader;D:\WINDOWS\system32\DRIVERS\HP24X.sys
S3 SaiHFF0C;SaiHFF0C;D:\WINDOWS\system32\DRIVERS\SaiHFF0C.sys
S3 SaiUFF0C;SaiUFF0C;D:\WINDOWS\system32\DRIVERS\SaiUFF0C.sys
S3 WimFltr;WimFltr;D:\WINDOWS\system32\DRIVERS\wimfltr.sys
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver;D:\WINDOWS\system32\DRIVERS\rt2500usb.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 09:27:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"QlbCtrl"=expand:"%ProgramFiles%\\Hewlett-Packard\\HP Quick Launch Buttons\\QlbCtrl.exe /Start"
"SoundMAX"="D:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"IAAnotif"="\"D:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe\""
"SynTPEnh"="D:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"IgfxTray"="D:\\WINDOWS\\system32\\igfxtray.exe"
"Persistence"="D:\\WINDOWS\\system32\\igfxpers.exe"
"SoundMAXPnP"="D:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SunJavaUpdateSched"="\"D:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"AAWTray"="D:\\Program Files\\Lavasoft\\Ad-Aware 2007\\AAWTray.exe"
.
Completion time: 2007-11-07 9:28:05 - machine was rebooted
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:29:02, on 07.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\agrsmsvc.exe
D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
D:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
D:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
D:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxsrvc.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Program Files\Analog Devices\Core\smax4pnp.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [soundMAX] D:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray O4 - HKLM\..\Run: [iAAnotif] "D:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" O4 - HKLM\..\Run: [synTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [igfxTray] D:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] D:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [soundMAXPnP] D:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKLM\..\Run: [AAWTray] D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe O4 - HKLM\..\Run: [PhiBtn] %SystemRoot%\System32\drivers\PhiBtn.exe O4 - HKLM\..\Run: [Traymin900] %SystemRoot%\System32\drivers\Tray900.exe O4 - HKLM\..\Run: [imekrmig7.0] "D:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE" O4 - HKLM\..\Run: [iMSCMig] D:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload O4 - HKLM\..\Run: [CJIMETIPSYNC] D:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync O4 - HKLM\..\Run: [PHIMETIPSYNC] D:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync O4 - HKLM\..\Run: [iMJPMIG9.0] D:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32 O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - 
HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [sUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user') O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Last ned alle med FlashGet - D:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Last ned med FlashGet - D:\Program Files\FlashGet\jc_link.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end 
to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: nrwbfaqz - nrwbfaqz.dll (file missing) O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - D:\WINDOWS\system32\agrsmsvc.exe O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - D:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - D:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: ServiceLayer - Nokia. 
- D:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: SWIHPWMI - Sierra Wireless Inc. - D:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe -- End of file - 8210 bytes Det ser ut som SAS Pro tok knekken på problemet, etter som det ikke kom opp igjen etter QuickScanen var utført Takker for all hjelp.. Lenke til kommentar
norbat, posted 7 November 2007 (edited)

We are not quite finished yet.

Run HJT, put a check mark in front of the following line and click Fix checked:

O20 - Winlogon Notify: nrwbfaqz - nrwbfaqz.dll (file missing)

Download Avenger and unpack it.

I have no way of checking the files that are about to be deleted, so you can check the files at the following site: http://virusscan.jotti.org/ before carrying out the steps below. Upload one file at a time. You will get a response saying whether anything was found in connection with the file. The files are most likely related to the infection you had.

Start the program, select "Input Script Manually" and click the magnifying glass. In the window that appears, copy and paste what is in bold below:

Files to delete:
D:\WINDOWS\system32\imieemsi.exe
D:\WINDOWS\system32\gptofpei.dll
D:\WINDOWS\system32\lefakxob.exe
D:\WINDOWS\system32\nuwkappy.dll
D:\WINDOWS\system32\xfwytbfw.exe
D:\WINDOWS\system32\iwrnpitj.dll
D:\WINDOWS\system32\fgoamxee.exe
D:\WINDOWS\system32\fhfrpaxw.exe
D:\WINDOWS\system32\vwyamium.exe
D:\WINDOWS\system32\ppgqaeai.dll
D:\WINDOWS\system32\jupglrnp.dll
D:\WINDOWS\system32\lahajxud.dll
D:\WINDOWS\system32\xscjnkuu.dll

Click the traffic light. Restart the PC. After the restart a log file will appear. You do not need to post it. Report back on how the PC is running.

Edited 7 November 2007 by norbat
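The two things norbat singles out in the logs above, the orphaned O20 Winlogon Notify entry and a handful of randomly named files in system32, are the kind of indicators a helper reads out of a HijackThis log by eye. The ComboFix dump earlier in the thread also shows a second LSA "Authentication Packages" value next to msv1_0 (mljjh.dll); on a clean Windows XP install msv1_0 is the only package there, so that value deserves the same Jotti check norbat recommends for the Avenger list. The script below is an added example written for this thread, not a tool from the thread or from the HijackThis or ComboFix projects: it applies three simple rules to pasted log text. The sample HJT lines are copied from the log above, except the O20 line for "abcdwxyz", which is constructed to show the no-path rule; `check_hjt_line`, `scan_hjt_log` and `extra_auth_packages` are names chosen here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample lines copied from the HijackThis output quoted earlier in this thread,
# plus one constructed O20 line (abcdwxyz) that exercises the no-path rule.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nrwbfaqz - nrwbfaqz.dll (file missing)
O20 - Winlogon Notify: abcdwxyz - abcdwxyz.dll
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# Value of "Authentication Packages" from the ComboFix registry dump above.
SAMPLE_LSA_VALUE = r"msv1_0 D:\WINDOWS\system32\mljjh.dll"

# The only authentication package present on a clean Windows XP install.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

# HijackThis lines start with a section tag such as R0, F2, O4, O20, O23.
HJT_LINE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")


@dataclass
class Finding:
    line: str
    reason: str


def parse_hjt_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (section, body) for a HijackThis line, or None for any other line."""
    m = HJT_LINE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_hjt_line(line: str) -> Optional[Finding]:
    """Apply two cheap rules to a single HijackThis line."""
    parsed = parse_hjt_line(line)
    if parsed is None:
        return None
    section, body = parsed
    # Rule 1: the registry still names a file that is gone. HJT's "Fix checked"
    # removes only the registry value, which is exactly what norbat asks for.
    if "(file missing)" in body:
        return Finding(line, f"{section}: autostart entry points at a file that no longer exists")
    # Rule 2: a Winlogon Notify package given as a bare file name rather than a
    # full path is resolved through the DLL search order at logon. The
    # legitimate entry in this log (SASWINLO.dll) carries its full path.
    if section == "O20" and body.startswith("Winlogon Notify:"):
        dll = body.split(" - ", 1)[1].strip()
        if "\\" not in dll:
            return Finding(line, "O20: Winlogon Notify DLL has no directory, resolved via DLL search order")
    return None


def scan_hjt_log(text: str) -> List[Finding]:
    """Run check_hjt_line over every line of a pasted HijackThis log."""
    findings = []
    for line in text.splitlines():
        f = check_hjt_line(line)
        if f:
            findings.append(f)
    return findings


def extra_auth_packages(reg_value: str) -> List[str]:
    """Rule 3: list every LSA Authentication Package beyond the XP default (msv1_0)."""
    return [p for p in reg_value.split() if p.lower() not in DEFAULT_AUTH_PACKAGES]


if __name__ == "__main__":
    for f in scan_hjt_log(SAMPLE_HJT):
        print(f"{f.reason}\n    {f.line}")
    for pkg in extra_auth_packages(SAMPLE_LSA_VALUE):
        print(f"LSA: non-default authentication package loaded by lsass: {pkg}")
```

Rules 1 and 2 only look at the text of the log, so they cannot tell a leftover of a half-removed infection from a stale entry of an uninstalled product; as in the thread, the file itself (or, for a missing file, the registry key that names it) still has to be checked before anything is deleted. Rule 3 is worth keeping separate because an extra authentication package runs inside lsass.exe and survives the reboot that removed the Winlogon Notify DLL from disk.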