The_Darkness (posted 7 February 2008)

My laptop suddenly went crazy, so I ran CCleaner and SAS, as well as ComboFix and HJT. Got some of it removed, but I suspect there is still some junk lying around somewhere. So if someone could take a look I would appreciate it.

ComboFix:

ComboFix 08-02.05.3 - Sondre 2008-02-07 19:47:16.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.616 [GMT 1:00]
Running from: C:\Documents and Settings\Sondre\Skrivebord\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\ljjigdb.dll
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\arvgjnus.dll
C:\WINDOWS\system32\arvgjnus.dll . . . . failed to delete
C:\WINDOWS\system32\arvgjnus.dllbox
C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\hdceftjf.dll
C:\WINDOWS\system32\ljjigdb.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\ysrokklh.dll
C:\WINDOWS\Fonts\'
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\NPF

((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.
2008-02-07 19:53 . 2008-02-07 19:54 134 ---hs---- C:\WINDOWS\system32\arvgjnus.dllbox
2008-02-07 18:51 . 2008-02-07 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-02-07 18:50 . 2008-02-07 18:50 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware
2008-02-07 18:50 . 2008-02-07 18:50 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-02-07 18:50 . 2008-02-07 18:50 <DIR> d-------- C:\Documents and Settings\Sondre\Programdata\SUPERAntiSpyware.com
2008-02-07 18:48 . 2008-02-07 18:48 <DIR> dr-h----- C:\Documents and Settings\Sondre\Siste
2008-02-07 18:46 . 2008-02-07 18:46 <DIR> d-------- C:\Programfiler\CCleaner
2008-02-07 18:43 . 2008-02-07 18:43 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-02-07 18:41 . 2008-02-07 19:51 163,904 --------- C:\WINDOWS\system32\arvgjnus.dll
2008-01-31 13:06 . 2008-01-31 13:06 8,192 --ahs---- C:\WINDOWS\Thumbs.db
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 17:43 278,548 ----a-w C:\WINDOWS\Fonts\Setup.exe
2007-11-14 07:29 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
2006-09-29 12:57 39,440 ----a-w C:\Documents and Settings\Sondre\Programdata\GDIPFONTCACHEV1.DAT
2006-11-26 20:48 32 --sha-w C:\WINDOWS\{C91CBDA4-B92C-4BBF-AED7-BA65D7663B99}.dat
2006-11-26 20:48 32 --sha-w C:\WINDOWS\system32\{F9C01832-EB6D-4333-897B-1CFFF1355134}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2008-02-07 19:51 163904 --------- C:\WINDOWS\system32\arvgjnus.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"StatBar"="C:\Programfiler\Globe Software\StatBar\StatBar.exe" [2003-07-25 02:40 335872]
"updateMgr"="C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"RTHDCPL"="RTHDCPL.EXE" [2005-11-16 20:27 15600128 C:\WINDOWS\RTHDCPL.exe]
"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2005-01-07 16:17 102491]
"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2005-01-07 16:16 692315]
"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2005-08-31 19:59 147456]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 20:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-18 04:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-18 04:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-18 04:10 114688]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-10-19 09:30 69632]
"EPM-DM"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-25 15:59 212992]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 11:04 3084288]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2005-12-01 17:38 458752]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 17:00 397312]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45 2462208]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07 49263]
"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2002-08-19 22:22 50880]
"ccRegVfy"="C:\Programfiler\Fellesfiler\Symantec Shared\ccRegVfy.exe" [2002-08-19 22:23 34504]
"Advanced Tools Check"="C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" [2002-08-26 22:35 79480]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-11-26 22:02 100056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Service Manager.lnk - C:\Programfiler\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32 81920]
Adobe Reader Speed Launch.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\arvgjnus]
arvgjnus.dll 2008-02-07 19:51 163904 C:\WINDOWS\system32\arvgjnus.dll
.
Contents of the 'Scheduled Tasks' folder
"2008-02-07 18:54:28 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Programfiler\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 19:53:59
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
"ImagePath"="\"C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe\"\00|\00\00\00\00¨¡ [\02\00\00\00\00ÈÚ^\02`ç\13\00pè\13\00pè\13\00ˆ\01\15\00(Ï`\02ÿÿÿÿ\18\02\15\00x\01\15\00\00\00\15\00\00\00\00\00ö\1b"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\arvgjnus.dll
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\arvgjnus.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe
C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Programfiler\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe
C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-02-07 19:56:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-07 18:56:28
.
2008-01-09 16:54:16 --- E O F ---

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 19:58:55, on 07.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe
C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Programfiler\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe
C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\Empowering Technology\admtray.exe
C:\Programfiler\Java\jre1.5.0_10\bin\jusched.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Globe Software\StatBar\StatBar.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\igfxext.exe
C:\Programfiler\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Documents and Settings\Sondre\Skrivebord\test\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\arvgjnus.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programfiler\Fellesfiler\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [statBar] C:\Programfiler\Globe Software\StatBar\StatBar.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Service Manager.lnk = C:\Programfiler\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: arvgjnus - C:\WINDOWS\SYSTEM32\arvgjnus.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Programfiler\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programfiler\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Programfiler\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)
norbat (posted 7 February 2008, edited)

Hi,

Start HJT, choose "Do a system scan only", put a check mark in front of the following lines and click Fix checked:

O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\arvgjnus.dll
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
O20 - Winlogon Notify: arvgjnus - C:\WINDOWS\SYSTEM32\arvgjnus.dll

Go to the site http://virusscan.jotti.org/ and upload the following file for checking (in bold): C:\WINDOWS\Fonts\Setup.exe. You will get a report telling you whether anything is found on the file. If so, which I expect, you leave things as they are regarding the files listed below (Avenger). If nothing is found on the file, remove the part written in red below.

Get Avenger and unpack it. Start the program, select "Input Script Manually" and click the magnifying glass. In the window that appears, copy and paste what is in bold below:

Files to delete:
C:\WINDOWS\system32\arvgjnus.dll
C:\WINDOWS\system32\arvgjnus.dllbox
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\Fonts\Setup.exe

Click the traffic light. Restart the PC. After the restart a log file will appear that tells what happened. Post it together with a new ComboFix log (run ComboFix again, post the log).

If anything is unclear, just ask.

Edited 7 February 2008 by norbat
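The helper's triage above rests on one correlation in the HijackThis log: the same unnamed DLL is registered both as an O2 Browser Helper Object and as an O20 Winlogon Notify package, which is also why ComboFix showed it loaded inside winlogon.exe and Explorer. The following script, an added example that is not part of the thread, automates that check over HijackThis-style lines; the function names `parse_hjt` and `find_suspicious` and the `SAMPLE_LOG` constant are my own, and the sample is a constructed subset of the O2/O20 lines posted above.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the HijackThis O2/O20 lines from the
# logs posted in this thread, embedded here so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\arvgjnus.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: arvgjnus - C:\WINDOWS\SYSTEM32\arvgjnus.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# HijackThis v1.99 line shapes for the two entry types we correlate.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def parse_hjt(log_text):
    """Split a HijackThis log into BHO entries and Winlogon Notify entries.

    Paths are lower-cased because HijackThis prints the same directory as
    both 'system32' and 'SYSTEM32', as the thread's log shows.
    """
    bhos, notifies = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            bhos.append({"name": m["name"], "clsid": m["clsid"],
                         "path": m["path"].strip().lower()})
        elif m := O20_RE.match(line):
            notifies.append({"name": m["name"], "path": m["path"].strip().lower()})
    return bhos, notifies


def find_suspicious(log_text):
    """Return {dll_path: [reasons]} for BHOs that deserve a closer look.

    Two signals, both taken from the helper's reasoning in this thread:
    a BHO with no display name, and a DLL that is at the same time a BHO
    (loads into the browser) and a Winlogon Notify package (loads into
    winlogon.exe, i.e. survives a logoff and runs before any user shell).
    """
    bhos, notifies = parse_hjt(log_text)
    notify_paths = {n["path"] for n in notifies}
    reasons = defaultdict(list)
    for bho in bhos:
        if bho["name"] == "(no name)":
            reasons[bho["path"]].append("BHO registered without a display name")
        if bho["path"] in notify_paths:
            reasons[bho["path"]].append(
                "same DLL is both a BHO and a Winlogon Notify package")
    return dict(reasons)


if __name__ == "__main__":
    for path, why in find_suspicious(SAMPLE_LOG).items():
        print(path)
        for reason in why:
            print("  -", reason)
```

Run against the full log, the only hit is arvgjnus.dll with both reasons; the Adobe, Java, Norton, Intel and SUPERAntiSpyware entries are left alone because each appears in only one role and carries a name.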
The_Darkness (thread author, posted 9 February 2008)

Let's see here, the setup.exe file turned out to be some trojan crap, so it also got a round in Avenger. Here is the log from it:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\opgulcai

*******************

Script file located at: \??\C:\hcbcnttb.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\arvgjnus.dll deleted successfully.
File C:\WINDOWS\system32\arvgjnus.dllbox deleted successfully.
File C:\WINDOWS\system32\vbzip10.dll deleted successfully.
File C:\WINDOWS\Fonts\Setup.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

I have run HJT and fixed the entries you mentioned, and also run ComboFix once more. Log:

ComboFix 08-02.05.3 - Sondre 2008-02-09 10:01:46.2 - FAT32x86
Running from: C:\Documents and Settings\Sondre\Skrivebord\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-01-09 to 2008-02-09 )))))))))))))))))))))))))))))))
.
2008-02-09 09:57 . 2008-02-09 09:58 60,416 --a------ C:\WINDOWS\system32\drivers\r^ppexgx.sys
2008-02-07 19:42 . 2004-08-04 20:00 388,096 --a------ C:\kmd.exe
2008-02-07 18:51 . 2008-02-07 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-02-07 18:50 . 2008-02-07 18:50 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware
2008-02-07 18:50 . 2008-02-07 18:50 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-02-07 18:50 . 2008-02-07 18:50 <DIR> d-------- C:\Documents and Settings\Sondre\Programdata\SUPERAntiSpyware.com
2008-02-07 18:48 . 2008-02-07 18:48 <DIR> dr-h----- C:\Documents and Settings\Sondre\Siste
2008-02-07 18:46 . 2008-02-07 18:46 <DIR> d-------- C:\Programfiler\CCleaner
2008-01-31 13:06 . 2008-01-31 13:06 8,192 --ahs---- C:\WINDOWS\Thumbs.db
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-14 07:29 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2006-09-29 12:57 39,440 ----a-w C:\Documents and Settings\Sondre\Programdata\GDIPFONTCACHEV1.DAT
2006-11-26 20:48 32 --sha-w C:\WINDOWS\{C91CBDA4-B92C-4BBF-AED7-BA65D7663B99}.dat
2006-11-26 20:48 32 --sha-w C:\WINDOWS\system32\{F9C01832-EB6D-4333-897B-1CFFF1355134}.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"StatBar"="C:\Programfiler\Globe Software\StatBar\StatBar.exe" [2003-07-25 02:40 335872]
"updateMgr"="C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"RTHDCPL"="RTHDCPL.EXE" [2005-11-16 20:27 15600128 C:\WINDOWS\RTHDCPL.exe]
"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2005-01-07 16:17 102491]
"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2005-01-07 16:16 692315]
"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2005-08-31 19:59 147456]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 20:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00 455168]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-18 04:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-18 04:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-18 04:10 114688]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-10-19 09:30 69632]
"EPM-DM"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-25 15:59 212992]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 11:04 3084288]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2005-12-01 17:38 458752]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 17:00 397312]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45 2462208]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07 49263]
"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2002-08-19 22:22 50880]
"ccRegVfy"="C:\Programfiler\Fellesfiler\Symantec Shared\ccRegVfy.exe" [2002-08-19 22:23 34504]
"Advanced Tools Check"="C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" [2002-08-26 22:35 79480]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-11-26 22:02 100056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Service Manager.lnk - C:\Programfiler\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32 81920]
Adobe Reader Speed Launch.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\arvgjnus]
arvgjnus.dll

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-17 01:14]
R0 viaagp;VIA AGP-bussfilter;C:\WINDOWS\system32\DRIVERS\viaagp.sys [2004-08-03 23:07]
R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 18:20]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 18:08]
R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 14:46]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]
R3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 15:34]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2002-08-14 06:03]

*Newly Created Service* - INT15.SYS
.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 09:00:06 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Programfiler\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-09 10:04:06
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
"ImagePath"="\"C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe\"\00|\00\00\00\00¨¡ [\02\00\00\00\00ÈÚ^\02`ç\13\00pè\13\00pè\13\00ˆ\01\15\00(Ï`\02ÿÿÿÿ\18\02\15\00x\01\15\00\00\00\15\00\00\00\00\00ö\1b"
.
Completion time: 2008-02-09 10:04:30
ComboFix-quarantined-files.txt 2008-02-09 09:04:28
ComboFix2.txt 2008-02-07 18:56:38
.
2008-01-09 16:54:16 --- E O F ---
norbat (posted 9 February 2008)

Good. Let's check a couple more files on jotti:

C:\WINDOWS\system32\drivers\r^ppexgx.sys
C:\kmd.exe

You may have to turn on "Show hidden files and folders" to find the files.
The_Darkness (thread author, posted 10 February 2008)

On the first file only Panda found something: "Panda Antivirus Found Rootkit/Booto.C". Nobody found anything on kmd.exe, so that one is presumably fine. The jotti site is, by the way, very hard to get to work since it is usually at 100% service load, but it does go through once in a while.
norbat (posted 10 February 2008)

Yes, jotti is overloaded at times. An alternative (which is also overloaded at times) is http://www.virustotal.com/.

We leave C:\kmd.exe alone, then. The C:\WINDOWS\system32\drivers\r^ppexgx.sys file you could rename to r^ppexgx.sys.vir. If everything works fine over time, remove it later.

Otherwise, is the PC running fine? If so, you can clean up a bit:

Uninstall ComboFix by typing combofix /u in the Run box (Start -> Run).
Remove the other programs you used during the fix (Avenger etc.).
The_Darkness (thread author, posted 10 February 2008)

Yes, the PC is running very well now, so I can just clean up and call it done.

I must say I am mightily impressed both by your knowledge of the subject and your willingness to help. Thank you, and keep it up!