vegas82 Posted 27 January 2008

Hi. I'm struggling with something or other on my PC. A warning about a trojan 'threat' pops up OFTEN! I'm attaching my HijackThis log and hoping for help... Thanks in advance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:34, on 27.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Picasa2\PicasaMediaDetector.exe
C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Programfiler\Fellesfiler\Teleca Shared\Generic.exe
C:\Programfiler\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\Programfiler\Trend Micro\testing\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vg.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Programfiler\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Programfiler\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programfiler\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [avgnt] "C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2EF3FB47-7B1E-4536-BA4D-51427BD45DFA} (PIXACO Drag and Drop upload plugin) - http://no.pixaco.com/static/download/pixacodndupload.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://CD-en.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155217057390
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.eurofoto.no/uploader/ImageUploader4.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://johanne22.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98} (Image Uploader) - http://www.extrafilm.no/ImageUploader4.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://www.pixdiscount.com/clients/uploader_uni_dd_final.cab
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://www.eurofoto.no/activex/ImageUploader3.cab
O21 - SSODL: E404Helper - {067f0191-238d-461e-96e8-09a93416fa39} - e404d.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programfiler\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

-- End of file - 7312 bytes
norbat Posted 27 January 2008

Download SmitfraudFix and put it on the desktop. Run SmitfraudFix, choose option 1, and post the log.
vegas82 (thread author) Posted 27 January 2008

SmitFraudFix v2.274

Scan done at 14:10:59,12, 27.01.2008
Run from C:\Documents and Settings\Johanne Grøndal\Skrivebord\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Programfiler\Fellesfiler\Teleca Shared\Generic.exe
C:\Programfiler\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

C:\uniq FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Johanne Grøndal

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Johanne Grøndal\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\JOHANN~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Programfiler

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

pe386 detected, use a Rootkit scanner

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 193.213.112.4
DNS Server Search Order: 130.67.15.198
DNS Server Search Order: 130.67.60.68

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8537A1BA-5BBC-44FA-A73F-A69859A38E6C}: DhcpNameServer=193.213.112.4 130.67.15.198 130.67.60.68
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8537A1BA-5BBC-44FA-A73F-A69859A38E6C}: DhcpNameServer=195.134.40.18 195.134.40.14
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8537A1BA-5BBC-44FA-A73F-A69859A38E6C}: DhcpNameServer=193.213.112.4 130.67.15.198 130.67.60.68
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8537A1BA-5BBC-44FA-A73F-A69859A38E6C}: DhcpNameServer=193.213.112.4 130.67.15.198 130.67.60.68
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=193.213.112.4 130.67.15.198 130.67.60.68
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=195.134.40.18 195.134.40.14
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=193.213.112.4 130.67.15.198 130.67.60.68
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=193.213.112.4 130.67.15.198 130.67.60.68

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
norbat Posted 27 January 2008

Download RustbFix to the desktop. Run the program and follow the instructions. It produces a few logs that you can post once it has finished. Then work through the long version in the following post: https://www.diskusjon.no/index.php?showtopic=691246. Post the logs it asks for here in your own thread.
vegas82 (thread author) Posted 27 January 2008

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\guhpeoss

*******************

Script file located at: vpxfyhid

Could not open script file! Error
Could not open script file! Status: 0xc000003b

Abort!

Should I try again?? Or just carry on with the link you sent?
vegas82 (thread author) Posted 27 January 2008

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/27/2008 at 04:02 PM

Application Version : 3.9.1008

Core Rules Database Version : 3389
Trace Rules Database Version: 1383

Scan type : Complete Scan
Total Scan Time : 00:44:03

Memory items scanned : 387
Memory threats detected : 0
Registry items scanned : 4818
Registry threats detected : 51
File items scanned : 36072
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings\Johanne Grøndal\Cookies\[email protected][1].txt
C:\Documents and Settings\Johanne Grøndal\Cookies\[email protected][1].txt
C:\Documents and Settings\Johanne Grøndal\Cookies\X@xiti[1].txt
C:\Documents and Settings\Johanne Grøndal\Cookies\[email protected][2].txt

Trojan.Rustock/LZX32
C:\WINDOWS\system32:lzx32.sys
HKLM\SYSTEM\CurrentControlSet\Services\pe386
HKLM\SYSTEM\CurrentControlSet\Services\pe386#Type
HKLM\SYSTEM\CurrentControlSet\Services\pe386#Start
HKLM\SYSTEM\CurrentControlSet\Services\pe386#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\pe386#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\pe386#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\pe386#Group
HKLM\SYSTEM\CurrentControlSet\Services\pe386#ExtParam
HKLM\SYSTEM\CurrentControlSet\Services\pe386#Checked
HKLM\SYSTEM\CurrentControlSet\Services\pe386#ExtParamX
HKLM\SYSTEM\CurrentControlSet\Services\pe386#ExtParamD
HKLM\SYSTEM\CurrentControlSet\Services\pe386\Security
HKLM\SYSTEM\CurrentControlSet\Services\pe386\Security#Security
HKLM\SYSTEM\ControlSet001\Services\pe386
HKLM\SYSTEM\ControlSet001\Services\pe386#Type
HKLM\SYSTEM\ControlSet001\Services\pe386#Start
HKLM\SYSTEM\ControlSet001\Services\pe386#ErrorControl
HKLM\SYSTEM\ControlSet001\Services\pe386#ImagePath
HKLM\SYSTEM\ControlSet001\Services\pe386#DisplayName
HKLM\SYSTEM\ControlSet001\Services\pe386#Group
HKLM\SYSTEM\ControlSet001\Services\pe386#ExtParam
HKLM\SYSTEM\ControlSet001\Services\pe386#Checked
HKLM\SYSTEM\ControlSet001\Services\pe386\Security
HKLM\SYSTEM\ControlSet001\Services\pe386\Security#Security
HKLM\SYSTEM\ControlSet002\Services\pe386
HKLM\SYSTEM\ControlSet002\Services\pe386#Type
HKLM\SYSTEM\ControlSet002\Services\pe386#Start
HKLM\SYSTEM\ControlSet002\Services\pe386#ErrorControl
HKLM\SYSTEM\ControlSet002\Services\pe386#ImagePath
HKLM\SYSTEM\ControlSet002\Services\pe386#DisplayName
HKLM\SYSTEM\ControlSet002\Services\pe386#Group
HKLM\SYSTEM\ControlSet002\Services\pe386#ExtParam
HKLM\SYSTEM\ControlSet002\Services\pe386#Checked
HKLM\SYSTEM\ControlSet002\Services\pe386#ExtParamX
HKLM\SYSTEM\ControlSet002\Services\pe386#ExtParamD
HKLM\SYSTEM\ControlSet002\Services\pe386\Security
HKLM\SYSTEM\ControlSet002\Services\pe386\Security#Security
HKLM\SYSTEM\ControlSet003\Services\pe386
HKLM\SYSTEM\ControlSet003\Services\pe386#Type
HKLM\SYSTEM\ControlSet003\Services\pe386#Start
HKLM\SYSTEM\ControlSet003\Services\pe386#ErrorControl
HKLM\SYSTEM\ControlSet003\Services\pe386#ImagePath
HKLM\SYSTEM\ControlSet003\Services\pe386#DisplayName
HKLM\SYSTEM\ControlSet003\Services\pe386#Group
HKLM\SYSTEM\ControlSet003\Services\pe386#ExtParam
HKLM\SYSTEM\ControlSet003\Services\pe386#Checked
HKLM\SYSTEM\ControlSet003\Services\pe386#ExtParamX
HKLM\SYSTEM\ControlSet003\Services\pe386#ExtParamD
HKLM\SYSTEM\ControlSet003\Services\pe386\Security
HKLM\SYSTEM\ControlSet003\Services\pe386\Security#Security

Trojan.Media-Codec/V4
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#E404Helper [ {067f0191-238d-461e-96e8-09a93416fa39} ]
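The SmitFraudFix post above flags `pe386`, and the SUPERAntiSpyware post just above lists the `pe386` service key in every control set together with `C:\WINDOWS\system32:lzx32.sys`: a driver stored in an NTFS alternate data stream attached to the system32 directory, which Explorer and `dir` never list. The way a practitioner confirms a driver-level rootkit of this kind is a cross-view diff: enumerate the service keys from inside the running (possibly hooked) kernel, enumerate them again from a view the rootkit cannot filter (the SYSTEM hive read from a clean boot), and flag anything only the second view shows. The script below is an added example, not a tool anyone in the thread ran: it performs that diff over two constructed listings in the format `reg query` prints, and picks alternate-data-stream paths and service keys out of a constructed detection list in SUPERAntiSpyware's format. All listings, paths and user names in it are constructed for the example, and obtaining the offline hive listing is assumed to have been done separately.

```python
from __future__ import annotations
import re

# Constructed sample: services as enumerated on the live (infected) system,
# in the format `reg query HKLM\SYSTEM\CurrentControlSet\Services` prints.
# A kernel rootkit that hooks registry enumeration filters its own key out.
LIVE_VIEW = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntiVirScheduler
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntiVirService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gusvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Pml Driver HPZ12
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsmon
"""

# Constructed sample: the same hive read from outside the running kernel
# (assumed here: the SYSTEM hive loaded with `reg load` from a clean boot).
# The rootkit's hooks are not active there, so its key is visible.
OFFLINE_VIEW = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntiVirScheduler
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntiVirService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gusvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pe386
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Pml Driver HPZ12
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vsmon
"""

# Constructed sample in the format of the SUPERAntiSpyware detection list
# posted in the thread (a handful of lines, not the full log).
DETECTIONS = r"""
Trojan.Rustock/LZX32
C:\WINDOWS\system32:lzx32.sys
HKLM\SYSTEM\CurrentControlSet\Services\pe386
HKLM\SYSTEM\CurrentControlSet\Services\pe386#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\pe386\Security
Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@example[1].txt
"""

# A service key under any control set, written either HKLM\... or
# HKEY_LOCAL_MACHINE\...; the name ends at `\`, `#` (SAS value marker) or EOL.
SERVICE_KEY = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\([^\\#\r\n]+)",
    re.IGNORECASE | re.MULTILINE,
)

# A Windows path with a second colon after the drive letter names an NTFS
# alternate data stream (file-or-directory:stream); dir and Explorer hide it.
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:\r\n]*:[^\\:\r\n]+$", re.MULTILINE)


def service_names(listing: str) -> set[str]:
    """Registry service key names (case-folded) found in a listing."""
    return {m.group(1).strip().lower() for m in SERVICE_KEY.finditer(listing)}


def hidden_services(live: str, offline: str) -> list[str]:
    """Service keys present in the offline view but missing from the live one."""
    return sorted(service_names(offline) - service_names(live))


def ads_paths(text: str) -> list[str]:
    """Paths in the text that reference an alternate data stream."""
    return [m.group(0) for m in ADS_PATH.finditer(text)]


def triage(live: str, offline: str, detections: str) -> dict:
    """Cross-view diff plus ADS indicators: the two signals that matter here."""
    return {
        "hidden_services": hidden_services(live, offline),
        "ads_paths": ads_paths(detections),
        "detected_service_keys": sorted(service_names(detections)),
    }


if __name__ == "__main__":
    for key, value in triage(LIVE_VIEW, OFFLINE_VIEW, DETECTIONS).items():
        print(f"{key}: {value}")
```

On the constructed input the diff returns `pe386` as the one key the live view cannot see. On a real system the live `reg query` also lists every driver and Microsoft service, so filter on the `Type` and `ImagePath` values before comparing, and take the offline listing from a boot the suspect kernel was not part of; the catchme output later in this thread, taken from inside the running system, is exactly the view such a rootkit is built to satisfy.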
vegas82 (thread author) Posted 27 January 2008

ComboFix 08-01-23.1C - XX 2008-01-27 16:19:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.132 [GMT 1:00]
Running from: C:\Documents and Settings\XX\Lokale innstillinger\Temporary Internet Files\Content.IE5\V0NFQQ1Z\ComboFix[1].exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Programfiler\Fellesfiler\{105C1~1
C:\uniq
.
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.
2008-01-27 16:18 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-27 15:13 . 2008-01-27 16:11 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware
2008-01-27 15:13 . 2008-01-27 15:13 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-01-27 15:03 . 2008-01-27 15:03 <DIR> d-------- C:\Programfiler\CCleaner
2008-01-27 14:39 . 2008-01-27 14:39 <DIR> d-------- C:\Rustbfix
2008-01-27 14:39 . 2008-01-27 14:39 16 --a------ C:\chdir.bat
2008-01-27 14:11 . 2008-01-27 14:11 974 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-27 14:09 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-27 14:09 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-27 14:09 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-27 14:09 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-27 14:09 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-27 14:09 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-27 12:10 . 2008-01-27 12:10 <DIR> d-------- C:\Programfiler\Trend Micro
2008-01-27 11:04 . 2008-01-27 16:22 5,584,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-27 11:04 . 2008-01-27 16:06 66,068 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-27 11:00 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-27 10:33 . 2008-01-27 10:33 <DIR> d-------- C:\Programfiler\Avira
2008-01-12 15:17 . 2008-01-12 15:17 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-12 15:17 . 2008-01-12 15:17 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 22:12 --------- d-----w C:\Programfiler\Windows Live Safety Center
2008-01-07 19:36 --------- d-----w C:\Programfiler\Hitman Pro
2007-12-19 17:47 --------- d-----w C:\Programfiler\Messenger Plus! Live
2007-12-19 17:46 --------- d-----w C:\Programfiler\MSN Messenger
2007-12-15 19:05 --------- d-----w C:\Programfiler\ZoneAlarmSB
2007-11-14 15:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:45 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll
2007-06-10 16:57 54,167 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2007_06_10_17_48_15_small.dmp.zip
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-15 20:05 262144 --a------ C:\Programfiler\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Programfiler\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2007-12-15 20:05 262144]
[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Programfiler\Picasa2\PicasaMediaDetector.exe" [2007-06-16 00:15 366400]
"Sony Ericsson PC Suite"="C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 00:06 487424]
"avgnt"="C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-27 10:36 249896]
"ZoneAlarm Client"="C:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
hp psc 2000 Series.lnk - C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-05 23:37:10 323646]
hpoddt01.exe.lnk - C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 00:06:58 28672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^X^Start-meny^Programmer^Oppstart^Slide.exe.lnk]
path=C:\Documents and Settings\X\Start-meny\Programmer\Oppstart\Slide.exe.lnk
backup=C:\WINDOWS\pss\Slide.exe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
-ra------ 2005-02-08 03:36 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 09:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 02:48 36975 C:\Programfiler\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 15:45 313472 C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Dialog Verify]

S3 se44bus;Sony Ericsson Device 068 driver (WDM);C:\WINDOWS\system32\DRIVERS\se44bus.sys [2006-11-30 14:58]
S3 se44mdfl;Sony Ericsson Device 068 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se44mdfl.sys [2006-11-30 14:58]
S3 se44mdm;Sony Ericsson Device 068 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se44mdm.sys [2006-11-30 14:58]
S3 se44mgmt;Sony Ericsson Device 068 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se44mgmt.sys [2006-11-30 14:58]
S3 se44nd5;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (NDIS);C:\WINDOWS\system32\DRIVERS\se44nd5.sys [2006-11-30 14:58]
S3 se44obex;Sony Ericsson Device 068 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se44obex.sys [2006-11-30 14:58]
S3 se44unic;Sony Ericsson Device 068 USB Ethernet Emulation SEMC44 (WDM);C:\WINDOWS\system32\DRIVERS\se44unic.sys [2006-11-30 14:58]
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2004-09-18 07:04]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2004-09-18 07:05]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2004-09-18 07:05]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-05-17 07:43:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Programfiler\Apple Software Update\SoftwareUpdate.exe
"2007-09-12 15:00:25 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1154354235.job" - C:\Programfiler\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-01-22 19:39:00 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job" - C:\Programfiler\Uniblue\SpyEraser\SpyEraser.exe
"2007-05-17 18:39:07 C:\WINDOWS\Tasks\Uniblue SpyEraser.job" - C:\Programfiler\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 16:22:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 16:23:40
ComboFix-quarantined-files.txt 2008-01-27 15:23:36
.
2008-01-09 19:05:13 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:26:07, on 27.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programfiler\Fellesfiler\Teleca Shared\Generic.exe
C:\Programfiler\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Trend Micro\testing\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vg.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Programfiler\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Programfiler\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Programfiler\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [avgnt] "C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programfiler\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Programfiler\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2EF3FB47-7B1E-4536-BA4D-51427BD45DFA} (PIXACO Drag and Drop upload plugin) - http://no.pixaco.com/static/download/pixacodndupload.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://CD-en.scan.onecare.live.com/resource/...lscbase4009.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155217057390
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.eurofoto.no/uploader/ImageUploader4.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://johanne22.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98} (Image Uploader) - http://www.extrafilm.no/ImageUploader4.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://www.pixdiscount.com/clients/uploader_uni_dd_final.cab
O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://www.eurofoto.no/activex/ImageUploader3.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programfiler\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

-- End of file - 6799 bytes
vegas82 (thread author) Posted 27 January 2008

*********************************
ROOTCHK-(28-12-07)-LOG, by ejvindh
27.01.2008 16:35:26,84

NOTICE!! Rootchk is not being updated anymore, and is thus gradually getting outdated. Last update was made 28-12-07

The rootkits that are detected by this tool were not found.

*********************************
ROOTCHK-LOG-end

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 16:35:33
Windows 5.1.2600 Service Pack 2

scanning hidden processes ...
IPC error: 2 The system cannot find the file specified.

scanning hidden services & system hive ...
IPC error: 2 The system cannot find the file specified.

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000455

scanning hidden files ...
IPC error: 2 The system cannot find the file specified.

hidden processes: 0
hidden services: 0
hidden files: 0
norbat Posted 27 January 2008

How are the 'virus messages' now?
vegas82 (thread author) Posted 27 January 2008

norbat wrote: How are the 'virus messages' now?

None have come yet.. There was a steady stream earlier today.. Is there hope for my machine or...??
vegas82 (thread author) Posted 27 January 2008

Oops. There they were again... new messages about trojans..
norbat Posted 27 January 2008

Where are these trojans supposed to be located?
vegas82 (thread author) Posted 28 January 2008

In the following folders:

Documents and Settings\LocalService\Lokale innstillinger\Temporary Internet Files\Content.IE5\J2E0L5FL\sdfsdf[1].htm
C:\WINDOWS\Temp\
C:\{00004495-0000-0000-9BAB-404675D96DC6}\DATA.CAB [0] Archive type: CAB (Microsoft) (????)

I can post the log from the antivirus program if that helps..
snippsat Posted 28 January 2008

These are temp folders that should be cleaned out at regular intervals. Download and run CCleaner.
vegas82 (thread author) Posted 28 January 2008

OK. Done that. Again...