froZZo Skrevet 11. januar 2008 Del Skrevet 11. januar 2008 (endret) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 18:47:33, on 11.01.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\WgaTray.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\Logi_MwX.Exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\3Com\3Com Wireless USB Utility\Wlan.exe C:\Program Files\CNet\802.11 Wireless LAN\CNETWlanMonitor.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\msiexec.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Program Files\MSN Messenger\usnsvc.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/ O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing) O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [- ] C:\WINDOWS\afvxnjhv.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - HKCU\..\Run: [3COM] "C:\Program Files\3Com\3Com Wireless USB Utility\Wlan.exe" O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: CNet Wireless Utility.lnk = ? O8 - Extra context menu item: E&ksporter til Microsoft Endret 12. januar 2008 av froZZo Lenke til kommentar
Fikseren Skrevet 11. januar 2008 Del Skrevet 11. januar 2008 Ser da helt grei ut den, ser du har en del unødvendige ting i oppstarten din som du kan fjerne med CCleaner ellers bare greit. Lenke til kommentar
froZZo Skrevet 11. januar 2008 Forfatter Del Skrevet 11. januar 2008 Ser da helt grei ut den, ser du har en del unødvendige ting i oppstarten din som du kan fjerne med CCleaner ellers bare greit. ok takk for hjelpa Lenke til kommentar
Fikseren Skrevet 11. januar 2008 Del Skrevet 11. januar 2008 Ser da helt grei ut den, ser du har en del unødvendige ting i oppstarten din som du kan fjerne med CCleaner ellers bare greit. ok takk for hjelpa Ingen Problem;) Lenke til kommentar
norbat Skrevet 11. januar 2008 Del Skrevet 11. januar 2008 Alt er nok ikke helt bra med den loggen, så kjør igjennom langversjonen i følgende post: https://www.diskusjon.no/index.php?showtopic=691246. Loggene det spørres om, poster du her i din egen tråd. Lenke til kommentar
Fikseren Skrevet 11. januar 2008 Del Skrevet 11. januar 2008 hva var gernt da? mybar, searchbar osv? ikke noe farlig i det i alle fall, eneste jeg så som jeg ikke kjente igjenn var afvxnjhv.exe? Lenke til kommentar
norbat Skrevet 11. januar 2008 Del Skrevet 11. januar 2008 (endret) hva var gernt da? mybar, searchbar osv? ikke noe farlig i det i alle fall, eneste jeg så som jeg ikke kjente igjenn var afvxnjhv.exe? - og den linja bør føre til at man anbefaler trådstarter om å kjøre noen ekstra runder. Sannsynligheten for at den fila tilhører en Vundo-infeksjon (e.a) er tilstede. Endret 11. januar 2008 av norbat Lenke til kommentar
Fikseren Skrevet 11. januar 2008 Del Skrevet 11. januar 2008 Har vell rett i det, min feil Lenke til kommentar
froZZo Skrevet 12. januar 2008 Forfatter Del Skrevet 12. januar 2008 ok driver på langversjonen nå. men det viruset er det keylogger som logger alt mulig feks bank og nettsipassord Lenke til kommentar
norbat Skrevet 12. januar 2008 Del Skrevet 12. januar 2008 Umiddelbart tror jeg ikke du trenger å være bekymret for nettbank og passord. Lenke til kommentar
froZZo Skrevet 12. januar 2008 Forfatter Del Skrevet 12. januar 2008 Umiddelbart tror jeg ikke du trenger å være bekymret for nettbank og passord. ok. finner no trjojaner og diverse dritt på super spyware nå, Lenke til kommentar
norbat Skrevet 12. januar 2008 Del Skrevet 12. januar 2008 Post loggene når du har kjørt gjennom hele veiledningen Lenke til kommentar
froZZo Skrevet 12. januar 2008 Forfatter Del Skrevet 12. januar 2008 (endret) SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 01/12/2008 at 05:13 PM Application Version : 3.9.1008 Core Rules Database Version : 3379 Trace Rules Database Version: 1373 Scan type : Complete Scan Total Scan Time : 01:00:32 Memory items scanned : 371 Memory threats detected : 0 Registry items scanned : 5020 Registry threats detected : 121 File items scanned : 37998 File threats detected : 5 Adware.MyWay HKLM\Software\Classes\CLSID\{0494D0D1-F8E0-41ad-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}\InprocServer32 HKCR\CLSID\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}\InprocServer32#ThreadingModel HKCR\CLSID\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}\Programmable HKCR\CLSID\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC}\TypeLib C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL HKLM\Software\Classes\CLSID\{0494D0D9-F8E0-41ad-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}\InprocServer32 HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}\InprocServer32#ThreadingModel HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}\Programmable HKCR\CLSID\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}\TypeLib HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0494D0D1-F8E0-41ad-92A3-14154ECE70AC} HKLM\Software\Microsoft\Internet Explorer\Toolbar#{0494D0D9-F8E0-41ad-92A3-14154ECE70AC} HKCR\TypeLib\{0494D0D0-F8E0-41ad-92A3-14154ECE70AC} HKCR\TypeLib\{0494D0D0-F8E0-41ad-92A3-14154ECE70AC}\1.0 HKCR\TypeLib\{0494D0D0-F8E0-41ad-92A3-14154ECE70AC}\1.0 HKCR\TypeLib\{0494D0D0-F8E0-41ad-92A3-14154ECE70AC}\1.0\win32 HKCR\TypeLib\{0494D0D0-F8E0-41ad-92A3-14154ECE70AC}\1.0\FLAGS HKCR\TypeLib\{0494D0D0-F8E0-41ad-92A3-14154ECE70AC}\1.0\HELPDIR HKCR\MyWayToolBar.NetscapeShutdown HKCR\MyWayToolBar.NetscapeShutdown\CLSID HKCR\MyWayToolBar.NetscapeShutdown\CurVer HKCR\MyWayToolBar.NetscapeShutdown.1 HKCR\MyWayToolBar.NetscapeShutdown.1\CLSID HKCR\MyWayToolBar.NetscapeStartup HKCR\MyWayToolBar.NetscapeStartup\CLSID HKCR\MyWayToolBar.NetscapeStartup\CurVer HKCR\MyWayToolBar.NetscapeStartup.1 HKCR\MyWayToolBar.NetscapeStartup.1\CLSID HKCR\MyWayToolBar.SettingsPlugin HKCR\MyWayToolBar.SettingsPlugin\CLSID HKCR\MyWayToolBar.SettingsPlugin\CurVer HKCR\MyWayToolBar.SettingsPlugin.1 HKCR\MyWayToolBar.SettingsPlugin.1\CLSID HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\Control HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32 HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32#ThreadingModel HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus\1 HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\Programmable HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\TypeLib HKCR\CLSID\{0494D0D2-F8E0-41ad-92A3-14154ECE70AC}\Version HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\Control HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32 HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32#ThreadingModel HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus\1 HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\Programmable HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\TypeLib HKCR\CLSID\{0494D0D3-F8E0-41ad-92A3-14154ECE70AC}\Version HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32 HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32#ThreadingModel HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\ProgID HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\Programmable HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\TypeLib HKCR\CLSID\{0494D0D5-F8E0-41ad-92A3-14154ECE70AC}\VersionIndependentProgID HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC} HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32 HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32#ThreadingModel HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}\ProgID HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}\Programmable HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}\TypeLib HKCR\CLSID\{0494D0D7-F8E0-41ad-92A3-14154ECE70AC}\VersionIndependentProgID HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC} HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\Control HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32 HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\InprocServer32#ThreadingModel HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\MiscStatus\1 HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\ProgID HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\Programmable HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\TypeLib HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\Version HKCR\CLSID\{0494D0DB-F8E0-41ad-92A3-14154ECE70AC}\VersionIndependentProgID HKLM\Software\MyWay HKLM\Software\MyWay\myBar HKLM\Software\MyWay\myBar#Dir HKLM\Software\MyWay\myBar#ShzmCurInstall HKLM\Software\MyWay\myBar#pid HKLM\Software\MyWay\myBar#strings HKLM\Software\MyWay\myBar#CurInstall HKLM\Software\MyWay\myBar#sr HKLM\Software\MyWay\myBar#pl HKLM\Software\MyWay\myBar#Id HKLM\Software\MyWay\myBar#Build HKLM\Software\MyWay\myBar#CacheDir HKLM\Software\MyWay\myBar#HistoryDir HKLM\Software\MyWay\myBar#Visible HKLM\Software\MyWay\myBar#Maximized HKLM\Software\MyWay\myBar#SettingsDir HKLM\Software\MyWay\myBar#ConfigRevision HKLM\Software\MyWay\myBar#ConfigRevisionURL HKLM\Software\MyWay\myBar#ConfigDateStamp HKLM\Software\MyWay\myBar#CheckForConnection HKLM\Software\MyWay\myBar\partner HKLM\Software\MyWay\myBar\partner#bitmap HKLM\Software\MyWay\myBar\partner#name HKLM\Software\MyWay\myBar\partner#test HKLM\Software\MyWay\myBar\partner#PM-Home HKLM\Software\MyWay\myBar\partner#PM-Points HKLM\Software\MyWay\myBar\partner#PM-Redeem HKLM\Software\MyWay\myBar\partner#PM-Wallet HKLM\Software\MyWay\myBar\partner#PM-Settings HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#DisplayName HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#HelpLink HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#Publisher HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#UninstallString HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Way Speedbar Uninstall#UrlInfoAbout Adware.Tracking Cookie C:\Documents and Settings\privat\Cookies\privat@adtech[1].txt C:\Documents and Settings\privat\Cookies\[email protected][1].txt Adware.IST/YourSiteBar HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ysbactivex.dll HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ysbactivex.dll#.Owner HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ysbactivex.dll#{771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs#C:\WINDOWS\Downloaded Program Files\ysbactivex.dll [ ] Adware.IST/ISTBar (Slotch Bar) HKU\S-1-5-21-1177238915-823518204-1801674531-1003\Software\Microsoft\Internet Explorer\Main#BandRest HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest Trojan.ErrorSafe C:\DOCUMENTS AND SETTINGS\PRIVAT\APPLICATION DATA\ERRORSAFEFREEINSTALL_NO[1].EXE Trojan.WinAntiSpyware/WinAntiVirus 2006 C:\SYSTEM VOLUME INFORMATION\_RESTORE{FF7C848C-B8F6-4F40-9060-2A8E7B6B0C11}\RP690\A0197101.EXE Klikk for å se/fjerne spoilerteksten nedenfor Endret 12. januar 2008 av froZZo Lenke til kommentar
froZZo Skrevet 12. januar 2008 Forfatter Del Skrevet 12. januar 2008 (endret) combofix logg ComboFix 08-01-11.3 - privat 2008-01-12 17:23:43.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.24 [GMT 1:00] Running from: C:\Documents and Settings\privat\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . F:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 ))))))))))))))))))))))))))))))) . 2008-01-12 17:22 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe 2008-01-12 16:12 . 2008-01-12 16:13 d-------- C:\Program Files\SUPERAntiSpyware 2008-01-12 16:12 . 2008-01-12 16:12 d-------- C:\Documents and Settings\privat\Application Data\SUPERAntiSpyware.com 2008-01-12 16:12 . 2008-01-12 16:12 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-01-12 16:10 . 2008-01-12 16:10 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion 2008-01-12 16:07 . 2008-01-12 16:07 d-------- C:\extensions 2008-01-12 16:06 . 2008-01-12 16:07 d-------- C:\Program Files\Yahoo! 2008-01-12 16:06 . 2008-01-12 16:07 d-------- C:\Program Files\CCleaner 2008-01-11 18:46 . 2008-01-11 18:46 d-------- C:\Program Files\Trend Micro 2008-01-04 23:01 . 2008-01-11 18:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-01-04 23:01 . 2008-01-04 23:01 1,409 --a------ C:\WINDOWS\QTFont.for . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-01-12 15:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7 2008-01-12 15:11 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-01-11 19:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-01-11 18:16 --------- d-----w C:\Documents and Settings\privat\Application Data\AVG7 2008-01-11 17:43 --------- d-----w C:\Program Files\iPod 2008-01-11 17:42 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-01-10 18:06 --------- d-----w C:\Documents and Settings\privat\Application Data\dvdcss 2008-01-06 07:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7 2008-01-04 21:58 --------- d-----w C:\Program Files\QuickTime 2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys 2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll 2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll 2007-10-27 16:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [ ] "3COM"="C:\Program Files\3Com\3Com Wireless USB Utility\Wlan.exe" [2005-03-23 22:03 409600] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-12-10 01:35 188416] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 20:50 155648] "- "="C:\WINDOWS\afvxnjhv.exe" [ ] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-01-02 19:44 579072] "SoundMan"="SOUNDMAN.EXE" [2005-01-20 21:04 77824 C:\WINDOWS\SOUNDMAN.EXE] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 03:06 7311360] "nwiz"="nwiz.exe" [2005-12-10 03:06 1519616 C:\WINDOWS\system32\nwiz.exe] "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 08:50 19968 C:\WINDOWS\LOGI_MWX.EXE] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-12-10 03:06 86016] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 12:03 36975] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 07:04 219136] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll R0 ABIT-IO;ABIT-IO;C:\WINDOWS\system32\Drivers\ABIT-IO.sys [2005-12-08 13:53] R0 viaagp1;VIA AGP Filter;C:\WINDOWS\system32\DRIVERS\viaagp1.sys [2003-07-02 13:42] R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;C:\WINDOWS\system32\Drivers\ousbehci.sys [2004-08-01 08:09] R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2004-08-01 08:09] R3 ZD1211U(3COM Corporation);3COM OfficeConnect Wireless 11g Compact USB Adapter(3COM Corporation);C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2005-03-28 13:24] S3 FVNETusb(505 2958)®; FVNETusb(505 2958)® Service for CNet Wireless LAN 11Mbps USB Adapter;C:\WINDOWS\system32\DRIVERS\vnet558x.sys [2003-07-23 13:02] S3 s716bus;Sony Ericsson Device 716 driver (WDM);C:\WINDOWS\system32\DRIVERS\s716bus.sys [2007-06-29 09:59] S3 s716mdfl;Sony Ericsson Device 716 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s716mdfl.sys [2007-04-04 11:43] S3 s716mdm;Sony Ericsson Device 716 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s716mdm.sys [2007-04-04 11:43] S3 s716mgmt;Sony Ericsson Device 716 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s716mgmt.sys [2007-04-04 11:43] S3 s716nd5;Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (NDIS);C:\WINDOWS\system32\DRIVERS\s716nd5.sys [2007-04-04 11:43] S3 s716obex;Sony Ericsson Device 716 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s716obex.sys [2007-04-04 11:43] S3 s716unic;Sony Ericsson Device 716 USB Ethernet Emulation SEMC716 (WDM);C:\WINDOWS\system32\DRIVERS\s716unic.sys [2007-04-04 11:43] *Newly Created Service* - PROCEXP90 . ************************************************************************** catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-01-12 17:26:53 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 Endret 12. januar 2008 av froZZo Lenke til kommentar
froZZo Skrevet 12. januar 2008 Forfatter Del Skrevet 12. januar 2008 (endret) hijacthis logg Klikk for å se/fjerne spoilerteksten nedenforLogfile of Trend Micro HijackThis v2.0.2 Scan saved at 17:40:20, on 12.01.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\WgaTray.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\Logi_MwX.Exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\Program Files\3Com\3Com Wireless USB Utility\Wlan.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\CNet\802.11 Wireless LAN\CNETWlanMonitor.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Winamp\Winamp.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [- ] C:\WINDOWS\afvxnjhv.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - HKCU\..\Run: [3COM] "C:\Program Files\3Com\3Com Wireless USB Utility\Wlan.exe" O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: CNet Wireless Utility.lnk = ? O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://euphspace.spaces.msn.com//PhotoUpload/MsnPUpld.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- End of file - 5597 bytes combofix logg. sas kjem seiner, tar nesten 1 time å kjøre den på drittmaskina her. Endret 12. januar 2008 av froZZo Lenke til kommentar
norbat Skrevet 12. januar 2008 Del Skrevet 12. januar 2008 Start hjt, velg "Do a system scan only", sett merke framfor følgende linje og klikk Fix checked: O4 - HKLM\..\Run: [-] C:\WINDOWS\afvxnjhv.exe Oppdater JAVA: http://java.com/en/download/index.jsp Avinstaller Combofix: Klikk: Start->Kjør SKriv: ComboFix /u Combofix vil starte opp og deretter avinstallere seg. Tøm temp.filer: Last ned CCleaner. Start programmet. Gå til 'Valg'->'Avansert'. Fjern avkryssingen framfor: "bare slett midlertidige filer......." Klikk på 'Renser' og deretter 'Kjør CCleaner'. Kjør også noen runder med 'Register'til det ikke finner flere feil. Du bør nullstille gjenopprettingsmappa slik at du ikke blir infisert ved en evt. systemgjenoppretting. Kontrollpanel->system->systemgjenoppretting . Sett merke framfor "Slå av Systemgjenopprettingen .....", restart pc, fjern merket igjen for å aktivere funksjonen. Lenke til kommentar
Anbefalte innlegg
Opprett en konto eller logg inn for å kommentere
Du må være et medlem for å kunne skrive en kommentar
Opprett konto
Det er enkelt å melde seg inn for å starte en ny konto!
Start en kontoLogg inn
Har du allerede en konto? Logg inn her.
Logg inn nå