jitte, posted 30 January 2008

Been struggling with an infected PC lately. I have tried most of what has been suggested around the place, but I can't get rid of Vundo... Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:54:13, on 29.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.hennum.as/webmail/driver?nimlet=showlogin
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5AAF23D8-4489-43D8-A064-319D1254ABCA} - C:\WINDOWS\system32\iifdbxw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NSLauncher] C:\Programfiler\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\RunOnce: [3DxAssociateFileExts] C:\Programfiler\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-20\..\RunOnce: [3DxAssociateFileExts] C:\Programfiler\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [3DxAssociateFileExts] C:\Programfiler\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [3DxAssociateFileExts] C:\Programfiler\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start 3DxWare.lnk = C:\Programfiler\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98} (Image Uploader) - http://www.extrafilm.no/ImageUploader4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe

-- End of file - 7475 bytes

In addition, I keep getting messages from Spybot that something wants to change the registry; I assume that's Vundo... Here is a screenshot:

I denied it access, got a couple more, and after the third or fourth it just hung (Spybot denied it because of my blacklist, a new change was attempted, Spybot denied it again, and so on) until I had to use the power button to turn the PC off. On rebooting I got a new message:

This one I have just left alone without doing anything about it. Not a livable solution in the long run, but at least I can get into the machine now... Can anyone help me further?
norbat, posted 30 January 2008

Start HJT, choose "Do a system scan only", put a check in front of the following line and click Fix checked:

O2 - BHO: (no name) - {5AAF23D8-4489-43D8-A064-319D1254ABCA} - C:\WINDOWS\system32\iifdbxw.dll

Get ComboFix and put it on the desktop. Run combofix.exe and follow the instructions. Do not click on the window while the program is running. Post the log file from ComboFix (usually c:\combofix.txt).
jitte (thread author), posted 30 January 2008

Thanks for the quick reply, I'll do it as soon as I get home this afternoon (I'm at work now, on a virus-free PC, fortunately!)
jitte (thread author), posted 30 January 2008

There, that's done. ComboFix log:

ComboFix 08-01-30.6 - Jørn Arild 2008-01-30 17:44:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.666 [GMT 1:00]
Running from: C:\Documents and Settings\Jørn Arild\Skrivebord\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\#SharedObjects\JBZNNML9\www.broadcaster.com
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system32\iifdbxw.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-29 07:11 . 2008-01-30 17:43 <DIR> d-------- C:\HiJackThis
2008-01-29 07:08 . 2008-01-29 07:20 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-29 07:08 . 2008-01-29 07:08 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-29 07:08 . 2008-01-29 07:08 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-29 07:08 . 2008-01-29 07:08 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-28 21:55 . 2008-01-28 21:55 <DIR> d-------- C:\Programfiler\Lavasoft
2008-01-28 21:55 . 2008-01-28 21:55 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Programdata\Lavasoft
2008-01-28 21:54 . 2008-01-28 21:54 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-01-28 21:36 . 2008-01-28 21:52 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Programdata\Spybot - Search & Destroy
2008-01-28 20:42 . 2008-01-30 17:39 <DIR> d-------- C:\VundoFix Backups
2008-01-26 03:06 . 2008-01-26 03:06 <DIR> d-------- C:\Tube
2008-01-22 16:32 . 2008-01-22 16:32 <DIR> d-------- C:\Programfiler\Enigma Software Group
2008-01-21 17:35 . 2008-01-21 17:35 268 --ah----- C:\sqmdata09.sqm
2008-01-21 17:35 . 2008-01-21 17:35 244 --ah----- C:\sqmnoopt09.sqm
2008-01-21 15:18 . 2008-01-21 15:18 21,603 --a------ C:\WINDOWS\Bilde5-2008.zip
2008-01-20 22:38 . 2008-01-20 22:38 21,611 --a------ C:\WINDOWS\img21812.zip
2007-12-30 18:10 . 2007-12-30 18:10 <DIR> d-------- C:\Documents and Settings\Sonja\Programdata\Jasc Software Inc
2007-12-27 13:38 . 2007-12-27 13:38 <DIR> d-------- C:\Programfiler\VideoLAN
2007-12-14 11:32 . 2007-12-14 11:32 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2007-12-09 19:52 . 2007-12-09 19:52 <DIR> d-------- C:\Programfiler\CCleaner
2007-12-09 19:49 . 2007-12-09 19:49 <DIR> d-------- C:\Programfiler\7-Zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-28 23:28 --------- d-----w C:\Programfiler\Azureus
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2006-10-26 16:49 65,536 ----a-w C:\Documents and Settings\Admin\ICE_JNIRegistry.dll

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0836272-E4E9-4842-B915-2B60375E9239}]
C:\WINDOWS\system32\ssttt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00 15360]
"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe" [2005-10-28 15:25 94208]
"SpybotSD TeaTimer"="C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-04 17:21 2089808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-08 17:57 7110656]
"avast!"="C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"CTHelper"="CTHELPER.EXE" [2005-11-08 19:30 16384 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 11:00 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Adobe Photo Downloader"="C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50 155648]
"NSLauncher"="C:\Programfiler\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-09-07 14:44 3100672]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 11:00 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 11:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 11:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 11:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 11:00 455168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"="C:\WINDOWS\system32\sti_ci.dll" [2004-08-04 11:00 136704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 11:00 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"3DxAssociateFileExts"="C:\Programfiler\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe" [ ]

C:\Documents and Settings\All Users.WINDOWS\Start-meny\Programmer\Oppstart\
Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office\OSA9.EXE [1999-02-17 17:05:56 65588]
Start 3DxWare.lnk - C:\Programfiler\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe [2007-07-10 17:54:02 118272]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start-meny^Programmer^Oppstart^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start-meny\Programmer\Oppstart\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start-meny^Programmer^Oppstart^HP Image Zone Hurtigstart.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start-meny\Programmer\Oppstart\HP Image Zone Hurtigstart.lnk
backup=C:\WINDOWS\pss\HP Image Zone Hurtigstart.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2004-05-12 14:18 241664 C:\Programfiler\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-02-12 12:38 49152 C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe

R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-04-24 12:12]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 18:01:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Programfiler\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe
.
**************************************************************************
.
Completion time: 2008-01-30 18:10:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-30 17:10:48
.
2008-01-10 02:01:45 --- E O F ---

Took a new HijackThis log as well:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:12:23, on 30.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Programfiler\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\notepad.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.hennum.as/webmail/driver?nimlet=showlogin
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F0836272-E4E9-4842-B915-2B60375E9239} - C:\WINDOWS\system32\ssttt.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programfiler\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NSLauncher] C:\Programfiler\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\RunOnce: [3DxAssociateFileExts] C:\Programfiler\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-20\..\RunOnce: [3DxAssociateFileExts] C:\Programfiler\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [3DxAssociateFileExts] C:\Programfiler\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [3DxAssociateFileExts] C:\Programfiler\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start 3DxWare.lnk = C:\Programfiler\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98} (Image Uploader) - http://www.extrafilm.no/ImageUploader4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe

-- End of file - 7455 bytes

Looks good so far. I'll run VundoFix, the virus scanner and the whole package again and see whether they find anything. I went to www.hijackthis.de to check the latest log, and it said I could remove

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

and

O2 - BHO: (no name) - {F0836272-E4E9-4842-B915-2B60375E9239} - C:\WINDOWS\system32\ssttt.dll (file missing)

Agree?
norbat, posted 30 January 2008

Yes, both of the O2 lines you mention you fix with HJT. Are the following two files something you recognise?

C:\WINDOWS\Bilde5-2008.zip
C:\WINDOWS\img21812.zip

If not, you can check them at the site http://virusscan.jotti.org/ (at the top of the page you can upload the files for checking; please report back on whether there was a result and what it was).
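A triage helper for the O2 (BHO) lines that norbat and hijackthis.de singled out in the exchange above, added here as an example; it is not code from the thread, from HijackThis or from ComboFix. It parses the HijackThis O2 line format and flags unnamed BHOs, orphaned entries ("(no file)" or "(file missing)") and unnamed DLLs with random-looking names under system32, the Vundo pattern seen in these logs. The sample lines are copied from the logs posted above; the function names and the heuristics are my own and are assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass, field

# HijackThis O2 line layout: "O2 - BHO: <name> - {CLSID} - <path or status>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample: O2 lines taken from the two HijackThis logs in this thread,
# plus one O4 line to show that non-O2 entries are ignored.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5AAF23D8-4489-43D8-A064-319D1254ABCA} - C:\WINDOWS\system32\iifdbxw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F0836272-E4E9-4842-B915-2B60375E9239} - C:\WINDOWS\system32\ssttt.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
"""


@dataclass
class Bho:
    name: str
    clsid: str
    path: str
    reasons: list = field(default_factory=list)


def parse_o2(line: str):
    """Return a Bho for an O2 line, or None for any other HijackThis line."""
    m = O2_RE.match(line.strip())
    return Bho(m["name"], m["clsid"], m["path"]) if m else None


def looks_random(dll_path: str) -> bool:
    # Heuristic (my assumption): Vundo-style droppers use short, all-lowercase,
    # letters-only DLL names in system32 (iifdbxw.dll and ssttt.dll in this thread).
    stem = dll_path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return stem.isalpha() and stem == stem.lower() and 4 <= len(stem) <= 8


def triage(line: str):
    """Parse one log line and attach the reasons it deserves a closer look."""
    bho = parse_o2(line)
    if bho is None:
        return None
    path = bho.path.lower()
    if bho.name == "(no name)":
        bho.reasons.append("unnamed BHO")
    if path == "(no file)" or path.endswith("(file missing)"):
        # Orphaned registration: the CLSID is still registered but the DLL is gone.
        bho.reasons.append("orphaned entry, DLL absent on disk")
    elif path.startswith(SYSTEM32) and bho.name == "(no name)" and looks_random(path):
        bho.reasons.append("unnamed DLL with random-looking name in system32")
    return bho


def flagged(log_text: str):
    """All O2 entries in a HijackThis log that have at least one reason."""
    hits = []
    for line in log_text.splitlines():
        bho = triage(line)
        if bho and bho.reasons:
            hits.append(bho)
    return hits


if __name__ == "__main__":
    for bho in flagged(SAMPLE_LOG):
        print(bho.clsid, bho.path, "->", "; ".join(bho.reasons))
```

Run against the first log above it reports iifdbxw.dll; run against the second it reports the two orphaned entries, which matches what hijackthis.de and norbat said.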
jitte (thread author), posted 31 January 2008

Ouch... both of them were infected... Log for img21812.zip:

Scan taken on 31 Jan 2008 16:31:05 (GMT)
A-Squared Found nothing
AntiVir Found WORM/IrcBot.21449
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found BackDoor.Ircbot.CVE
BitDefender Found Backdoor.IRCBot.ABHQ
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Backdoor.Win32.IRCBot.bdm
Fortinet Found W32/IRCBot.BDM!tr.bdr
Ikarus Found Backdoor.IRCBot.ABHQ
Kaspersky Anti-Virus Found Backdoor.Win32.IRCBot.bdm
NOD32 Found a variant of Win32/IRCBot.ACC
Norman Virus Control Found Ircbot.gen8
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/Generic-A
VirusBuster Found nothing
VBA32 Found Backdoor.Win32.IRCBot.bdm

Log for Bilde5-2008.zip:

Scan taken on 31 Jan 2008 16:38:37 (GMT)
A-Squared Found nothing
AntiVir Found WORM/IrcBot.21449
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found BackDoor.Ircbot.CVE
BitDefender Found Backdoor.IRCBot.ABHQ
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Backdoor.Win32.IRCBot.bdm
Fortinet Found W32/IRCBot.BDM!tr.bdr
Ikarus Found Backdoor.IRCBot.ABHQ
Kaspersky Anti-Virus Found Backdoor.Win32.IRCBot.bdm
NOD32 Found a variant of Win32/IRCBot.ACC
Norman Virus Control Found Ircbot.gen8
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/Generic-A
VirusBuster Found nothing
VBA32 Found Backdoor.Win32.IRCBot.bdm

Suggestions? I normally use Avast, and it evidently doesn't handle them... Can I remove these with HijackThis or ComboFix?
jitte (thread author), posted 31 January 2008

I took the chance and deleted them in safe mode... at least I got them removed, I hope that's enough!
norbat, posted 31 January 2008

Yes, I suspected as much, since the file names resemble files linked to infections spread via MSN. Deleting them from safe mode should work fine. I'd say the PC is now OK and you don't need to post any more logs. You can uninstall ComboFix by typing combofix /u in the Run dialog (Start -> Run). That removes ComboFix, the various backup and quarantine files, and resets System Restore.
jitte (thread author), posted 31 January 2008

OK, many thanks for the help! Hope I won't need any more help for a while now.