r2d290, posted 16 February 2008 (edited 16 February 2008 by r2d290)
r2d290 (thread author), posted 16 February 2008 (edited):
After SAS, the HJT log looks like this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:03:32, on 16.02.2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\winhelp\smss.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.*sensurert*.org/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\system32\winhelp\smss.exe
O1 - Hosts: 191.188.185.49 www.symantec.com
O1 - Hosts: 191.188.185.49 symantec.com
O1 - Hosts: 191.188.185.49 securityresponse.symantec.com
O1 - Hosts: 100.200.185.82 symantecstore.com
O1 - Hosts: 100.200.185.82 www.symantecstore.com
O1 - Hosts: 100.200.185.82 service1.symantec.com
O1 - Hosts: 137.84.185.115 sarc.com
O1 - Hosts: 137.84.185.115 www.sarc.com
O1 - Hosts: 137.84.185.115 www.sophos.com
O1 - Hosts: 137.84.185.115 sophos.com
O1 - Hosts: 174.96.185.147 www.mcafee.com
O1 - Hosts: 174.96.185.147 mcafee.com
O1 - Hosts: 174.96.185.147 customer.symantec.com
O1 - Hosts: 83.107.58.180 liveupdate.symantec.com
O1 - Hosts: 83.107.58.180 liveupdate.symantecliveupdate.com
O1 - Hosts: 83.107.58.180 www.viruslist.com
O1 - Hosts: 121.246.58.213 viruslist.com
O1 - Hosts: 121.246.58.213 f-secure.com
O1 - Hosts: 121.246.58.213 www.f-secure.com
O1 - Hosts: 158.3.58.245 f-prot.com
O1 - Hosts: 158.3.58.245 www.f-prot.com
O1 - Hosts: 158.3.58.245 kaspersky.com
O1 - Hosts: 67.141.58.23 kaspersky-labs.com
O1 - Hosts: 67.141.58.23 www.avp.com
O1 - Hosts: 67.141.58.23 avp.com
O1 - Hosts: 104.153.185.56 www.kaspersky.com
O1 - Hosts: 104.153.185.56 www.networkassociates.com
O1 - Hosts: 104.153.185.56 networkassociates.com
O1 - Hosts: 104.153.185.56 www.ca.com
O1 - Hosts: 141.37.185.88 www3.ca.com
O1 - Hosts: 141.37.185.88 ca.com
O1 - Hosts: 141.37.185.88 mast.mcafee.com
O1 - Hosts: 50.49.185.121 my-etrust.com
O1 - Hosts: 50.49.185.121 www.my-etrust.com
O1 - Hosts: 50.49.185.121 dispatch.mcafee.com
O1 - Hosts: 87.187.57.153 secure.nai.com
O1 - Hosts: 87.187.57.153 nai.com
O1 - Hosts: 87.187.57.153 www.nai.com
O1 - Hosts: 87.187.57.153 vil.nai.com
O1 - Hosts: 125.199.57.186 update.symantec.com
O1 - Hosts: 125.199.57.186 updates.symantec.com
O1 - Hosts: 125.199.57.186 us.mcafee.com
O1 - Hosts: 34.83.57.219 mcafee.net
O1 - Hosts: 34.83.57.219 rads.mcafee.com
O1 - Hosts: 34.83.57.219 download.mcafee.com
O1 - Hosts: 71.94.57.251 trendmicro.com
O1 - Hosts: 71.94.57.251 www.trendmicro.com
O1 - Hosts: 71.94.57.251 housecall.trendmicro.com
O1 - Hosts: 71.94.57.251 pandasoftware.com
O1 - Hosts: 108.106.184.29 www.pandasoftware.com
O1 - Hosts: 108.106.184.29 www.trendmicro.com
O1 - Hosts: 108.106.184.29 free.grisoft.com
O1 - Hosts: 17.245.184.62 www.grisoft.com
O1 - Hosts: 17.245.184.62 grisoft.com
O1 - Hosts: 17.245.184.62 clamav.net
O1 - Hosts: 54.2.184.94 www.clamav.net
O1 - Hosts: 54.2.184.94 free-av.com
O1 - Hosts: 54.2.184.94 www.free-av.com
O1 - Hosts: 91.140.56.127 www.avast.com
O1 - Hosts: 91.140.56.127 avast.com
O1 - Hosts: 91.140.56.127 cert.org
O1 - Hosts: 0.152.56.160 www.cert.org
O1 - Hosts: 38.36.57.192 www.microsoft.com
O1 - Hosts: 38.36.57.192 microsoft.com
O1 - Hosts: 38.36.57.192 www.virustotal.com
O1 - Hosts: 75.47.57.225 virustotal.com
O1 - Hosts: 75.47.57.225 www.teamanti-virus.org
O1 - Hosts: 75.47.57.225 teamanti-virus.org
O1 - Hosts: 239.186.184.3 www.drsolomon.com
O1 - Hosts: 239.186.184.3 drsolomon.com
O1 - Hosts: 239.186.184.3 www.virusbtn.com
O1 - Hosts: 239.186.184.3 virusbtn.com
O1 - Hosts: 21.198.184.35 update.microsoft.com
O1 - Hosts: 21.198.184.35 windowsupdate.microsoft.com
O1 - Hosts: 21.198.184.35 www.avgbulgaria.com
O1 - Hosts: 58.210.184.68 avgbulgaria.com
O1 - Hosts: 58.210.184.68 www.vet.com.au
O1 - Hosts: 58.210.184.68 vet.com.au
O1 - Hosts: 222.93.56.101 antivirus.about.com
O1 - Hosts: 222.93.56.101 www.avg-antivirus.net
O1 - Hosts: 222.93.56.101 avg-antivirus.net
O1 - Hosts: 222.93.56.101 nod32.com
O1 - Hosts: 4.105.56.133 www.nod32.com
O1 - Hosts: 4.105.56.133 virus-radar.com
O1 - Hosts: 4.105.56.133 www.virus-radar.com
O1 - Hosts: 42.244.56.166 bitdefender.com
O1 - Hosts: 42.244.56.166 www.bitdefender.com
O1 - Hosts: 42.244.56.166 www.freebyte.com
O1 - Hosts: 206.0.56.199 freebyte.com
O1 - Hosts: 206.0.56.199 www.zonelabs.com
O1 - Hosts: 206.0.56.199 zonelabs.com
O1 - Hosts: 243.139.183.231 download.zonelabs.com
O1 - Hosts: 243.139.183.231 smb.sygate.com
O1 - Hosts: 243.139.183.231 www.agnitum.com
O1 - Hosts: 25.151.183.9 agnitum.com
O1 - Hosts: 25.151.183.9 kasperskyusa.com
O1 - Hosts: 25.151.183.9 www.kasperskyusa.com
O1 - Hosts: 25.151.183.9 www.kaspersky.com.au
O1 - Hosts: 189.35.183.42 kaspersky.com.au
O1 - Hosts: 189.35.183.42 www.kaspersky.co.uk
O1 - Hosts: 189.35.183.42 kaspersky.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: HttpGuard - {98B822AD-6BE7-49BC-B773-97240B774080} - C:\WINNT\system32\AClient.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [PK Guard 32] C:\WINNT\system32\winhelp\smss.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunServices: [PK Guard 32] C:\WINNT\system32\winhelp\smss.exe
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -3
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [PK Guard 32] C:\WINNT\system32\winhelp\smss.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunServices: [PK Guard 32] C:\WINNT\system32\winhelp\smss.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\NPSWF32_FlashUtil.exe -p
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm076YYNO
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 9916 bytes

edit: it turns out the previous check didn't finish (the program crashed), so I'll update the SAS log tomorrow.
Edited 16 February 2008 by r2d290
snippsat, posted 16 February 2008 (edited):
Yes, there was some junk here.
Start -> Run, paste the bold text:
notepad %systemroot%\system32\drivers\etc\hosts
Remove everything after:
127.0.0.1 localhost
Then save.
Let's see what ComboFix and SAS pick up before doing anything more.
Edited 16 February 2008 by SNIPPSAT
r2d290 (thread author), posted 16 February 2008:
I removed everything in the list and tried to save it as hosts. Then I type the same command line in again, and the IP addresses are back. Why?
snippsat, posted 16 February 2008:
Hmm, yes, we'll see once ComboFix and SAS have finished.
r2d290 (thread author), posted 17 February 2008 (edited):
Since SAS crashed the last time I ran it, I'm posting a new log. The log is so big that I get an ISP error, so I'm uploading the file instead...
edit: since I'm not allowed to post a txt file, I've packed it as *.rar
edit2: I couldn't get the new SAS log uploaded, but I assume it's pretty much like the previous one...
Edited 17 February 2008 by r2d290
r2d290 (thread author), posted 17 February 2008 (edited):
Is ComboFix necessary?
Edited 17 February 2008 by r2d290
snippsat, posted 17 February 2008:
Quoting r2d290: "Is ComboFix necessary?"
Yes, we should have ComboFix here. Could you run through the steps in this post:
https://www.diskusjon.no/index.php?showtopi...50&hl=drweb
You can try this one if you can't get ComboFix to work.
Download Deckard and put it on the desktop. Run dss.exe and follow the instructions. When the scan finishes, a log (main.txt) opens. Copy it and post it.
r2d290 (thread author), posted 17 February 2008 (edited):
The link you gave me was meant for my other computer, wasn't it? I've posted two threads (old computer, and a 3-4 week old virus).

ComboFix:

ComboFix 08-02-17.2 - Administrator 17.02.2008 14:40:45.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.162 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINNT\1.exe
C:\WINNT\Web\default.htt

----- BITS: Possible infected sites -----

hxxp://ygsondheks.info
.
((((((((((((((((((((((((( Files Created from 2008-01-17 to 2008-02-17 )))))))))))))))))))))))))))))))
.
2008-02-17 14:40 . 17.02.08 14:40 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_2cc.dat
2008-02-16 19:30 . 16.02.08 19:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-16 19:28 . 16.02.08 23:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-16 19:28 . 16.02.08 19:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-16 19:26 . 16.02.08 19:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-16 19:16 . 18.02.07 10:55 376,901 --a------ C:\Program Files\Uninstall My Web Search.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 03:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-17 03:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-02-17 03:17 --------- d-----w C:\Program Files\SpeedFan
2008-02-17 03:16 --------- d-----w C:\Program Files\MSN Messenger
2008-02-17 03:16 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-17 02:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2005-11-20 23:45 271 ---h--w C:\Program Files\desktop.ini
2005-11-20 23:45 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2006-01-08 07:07 88,576 --sh--r C:\WINNT\system32\winhelp\smss.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98B822AD-6BE7-49BC-B773-97240B774080}]
12.08.07 10:02 419840 --a------ C:\WINNT\system32\AClient.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [20.02.01 13:09 8192 C:\WINNT\system32\CTFMON.EXE]
"PK Guard 32"="C:\WINNT\system32\winhelp\smss.exe" [07.01.06 23:07 88576]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [21.06.07 14:06 1318912]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"PK Guard 32"="C:\WINNT\system32\winhelp\smss.exe" [07.01.06 23:07 88576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [19.06.03 11:05 111376 C:\WINNT\system32\mobsync.exe]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [30.08.99 00:55 189952]
"PK Guard 32"="C:\WINNT\system32\winhelp\smss.exe" [07.01.06 23:07 88576]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [10.11.05 12:03 36975]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"PK Guard 32"="C:\WINNT\system32\winhelp\smss.exe" [07.01.06 23:07 88576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [07.12.99 04:00 20752 C:\WINNT\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [19.06.03 11:05 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-11-24 20:35:32 122880]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20.12.06 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19.04.07 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 DiMaint;Eicon Maintenance Driver;C:\WINNT\system32\DRIVERS\disdn\dimaint.sys [12.10.99 06:34 ]
R3 Diwan;Eicon Driver for all DIVA PnP cards;C:\WINNT\system32\DRIVERS\disdn\diwan.sys [08.11.99 08:48 ]
R3 Winacpci;Winacpci;C:\WINNT\system32\DRIVERS\winacpci.sys [24.09.99 15:55 ]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINNT\system32\DRIVERS\NtApm.sys [25.09.99 02:36 ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints\H]
\Shell\AutoRun\command - H:\autoplay.exe
.
Contents of the 'Scheduled Tasks' folder
"2006-10-23 00:00:01 C:\WINNT\Tasks\Backup Thor 1.job" - Z:\Thor_backup\backup\take_design_backup_Thor.cmd
"2006-10-23 00:00:02 C:\WINNT\Tasks\Backup_Thor_regnskap.job" - Z:\Thor_backup\backup\take_backup_Thor_regnskap.cmd
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 14:42:44
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???z???????????? C?????Disc Detector?B???A???????A???????B???@?$?@?? C?????U?@?????????@?B???A???????A???????B???@?????P???$?@?????????Am?w??????????@?{?????????????????B???????????????????????????????????B

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 17.02.2008 14:44:15
ComboFix-quarantined-files.txt 2008-02-17 22:44:00

Edited 17 February 2008 by r2d290
snippsat, posted 17 February 2008:
Quoting r2d290: "The link you gave me was meant for my other computer, wasn't it? I've posted two threads (old computer, and a 3-4 week old virus)."
No, it was meant for this thread. I want you to run DrWeb. When that is done, a new HJT log.
r2d290 (thread author), posted 17 February 2008 (edited):
Which path (location) am I supposed to scan? The C drive?
edit: should I run SDFix too? When I run it, I get "cannot import assosfix.reg: .rrpr opening the file. there may be a disk or file system error." Pressed OK, so we'll see what happens...
Edited 17 February 2008 by r2d290
r2d290 (thread author), posted 17 February 2008 (edited):
DrWeb log:

aclient.dll c:\winnt\system32 Trojan.BhoBot Deleted.
smss.exe c:\winnt\system32\winhelp Win32.IRC.Bot.based Deleted.

HJT: (look at that... now the IPs are gone, at least)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:33:58, on 17.02.2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.*sensurert*.org/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [PK Guard 32] C:\WINNT\system32\winhelp\smss.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunServices: [PK Guard 32] C:\WINNT\system32\winhelp\smss.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm076YYNO
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 4740 bytes

Edited 25 February 2008 by r2d290
snippsat, posted 18 February 2008 (edited):
Yes, now it's starting to help. Remove smss.exe from startup now. Remember that smss.exe should only be in C:\Windows\System32; anywhere else it's a virus.
Start HijackThis, find these lines, tick them, then press "Fix checked":

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKCU\..\Run: [PK Guard 32] C:\WINNT\system32\winhelp\smss.exe
O4 - HKCU\..\RunServices: [PK Guard 32] C:\WINNT\system32\winhelp\smss.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm076YYNO

CCleaner: run the normal clean + the registry cleaner.
Restart and post a new HJT log.
Edited 18 February 2008 by SNIPPSAT
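As an added example (not a tool used in the thread, and not the forum's or the helpers' own code), the script below applies the two rules snippsat gives in this thread to HijackThis-style log lines: an O1 hosts entry that points a security-vendor or Windows Update domain anywhere but loopback is a hosts hijack (the earlier advice to keep only "127.0.0.1 localhost"), and an smss.exe that is started from, or running in, any directory other than <systemroot>\System32 is suspect. The sample log lines, the sample hosts file and the watched-domain list are constructed for the example, modelled on the log posted above; rebuild_hosts applies the "keep only the loopback line" cleanup to a hosts file's text. Seeing both findings side by side matches what the thread observed: the hosts entries only stayed gone once the rogue smss.exe itself had been removed.

```python
"""Triage of HijackThis-style log lines (added example): flag hosts-file
entries that redirect security-vendor or update domains away from loopback,
and flag any smss.exe outside <systemroot>\\System32."""
import re
from typing import Dict, List, Tuple

# Vendor / update domains a hosts hijack typically blocks. Constructed for
# this example from the domains that appear in the thread's log.
WATCHED_DOMAINS = (
    "symantec.com", "mcafee.com", "kaspersky.com", "trendmicro.com",
    "f-secure.com", "sophos.com", "avast.com", "grisoft.com", "clamav.net",
    "bitdefender.com", "virustotal.com", "microsoft.com", "cert.org",
)
LOOPBACK = {"127.0.0.1", "::1"}

HOSTS_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
# A Windows path ending in smss.exe; segments may contain spaces but not ':'
# so that two paths on one line are not glued together.
SMSS_PATH = re.compile(r"[A-Za-z]:\\(?:[^\\\r\n:]+\\)*smss\.exe", re.IGNORECASE)
# The only legitimate location: <drive>:\WINNT\System32 (Win2000) or \Windows\System32.
LEGIT_SMSS = re.compile(r"[a-z]:\\(?:winnt|windows)\\system32\\smss\.exe")

# Constructed sample log lines in HijackThis format (not the thread's log).
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winhelp\smss.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\system32\winhelp\smss.exe
O1 - Hosts: 191.188.185.49 www.symantec.com
O1 - Hosts: 21.198.184.35 windowsupdate.microsoft.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [PK Guard 32] C:\WINNT\system32\winhelp\smss.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
"""

# Constructed sample hosts file text.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
191.188.185.49 www.symantec.com
21.198.184.35 windowsupdate.microsoft.com
"""


def is_watched(host: str) -> bool:
    """True if host is one of the watched domains or a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS)


def smss_is_legitimate(path: str) -> bool:
    """Only <systemroot>\\System32\\smss.exe is the real Session Manager."""
    return LEGIT_SMSS.fullmatch(path.lower()) is not None


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, detail, evidence) tuples for every suspicious line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOSTS_LINE.match(line)
        if m:
            ip, host = m.groups()
            if is_watched(host) and ip not in LOOPBACK:
                findings.append(("hosts_hijack", host, ip))
            continue
        # Process list, F2 shell= and O4 autostart lines all carry plain paths.
        for path in SMSS_PATH.findall(line):
            if not smss_is_legitimate(path):
                findings.append(("rogue_smss", path, line))
    return findings


def summarize(findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count findings per kind."""
    counts: Dict[str, int] = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def rebuild_hosts(hosts_text: str) -> str:
    """Keep comments, blank lines and loopback entries; drop everything else."""
    kept = []
    for line in hosts_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or s.split()[0] in LOOPBACK:
            kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for kind, detail, evidence in found:
        print(f"{kind:13} {detail}  <- {evidence}")
    print(summarize(found))
    print(rebuild_hosts(SAMPLE_HOSTS))
```

The path regex deliberately forbids ':' inside a path segment so that a line listing two executables yields two separate matches rather than one glued path, and the loopback set is the only thing rebuild_hosts keeps, so a mapping to any other address is dropped even if the hostname is not in the watched list.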
r2d290 (thread author), posted 18 February 2008:
I'll have to wait with that until the winter break is over... but thanks anyway.
r2d290 (thread author), posted 25 February 2008:
I'll post a new log any moment now, but something has gone really weird since I started this thread: when it boots, there's just a blue screen + the mouse (which I can move). Otherwise NOTHING works: I can't right- or left-click with the mouse, can't press Ctrl+Alt+Del or anything like that. I wait 15 minutes, then the screensaver kicks in, and only after I dismiss the screensaver does the password prompt etc. appear. It's a bit annoying to wait 20 minutes every time I start the computer. Any suggestions for how I can fix this?
r2d290 (thread author), posted 25 February 2008 (edited):
New HJT log after I ran CCleaner and restarted:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:38:23, on 25.02.2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\internet explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.*sensurert*.org/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 4179 bytes

Edited 25 February 2008 by r2d290
snippsat, posted 25 February 2008:
The log looks fine now. See whether the problem is any better. It could be some hardware trouble, since this is an old PC. I can give some tips on hardware testing if needed.
If you get it sorted, you should do this: you can remove ComboFix by typing combofix /u in the Run dialog. That command deletes the quarantined files and backups, resets the System Restore folder, etc.
r2d290 (thread author), posted 25 February 2008:
Yes, I've noticed the computer is faster... the only problem now, as I said, is the startup. What does the hardware test involve?
snippsat, posted 26 February 2008 (edited):
Then you'll have to troubleshoot the startup a bit.
Boot, press F8, Safe Mode: does it start quickly and smoothly there?
Create a new user in Safe Mode and log in to it: does that go smoothly?
Start -> Run -> msconfig, Startup tab. Have a look there. Strictly speaking you only need antivirus in startup.
Edited 26 February 2008 by SNIPPSAT
r2d290 (thread author), posted 26 February 2008 (edited):
*boots into Safe Mode with networking*
status: takes a long time to start. Can't be bothered to wait.
*boots into normal mode*
status: takes a long time on "windows si starting up..."
*machine goes into screensaver mode. I move the mouse and log in*
*creates a new user*
*tries to set the computer so it doesn't need a password, since that isn't necessary and since this seems to be the problem*
status: still takes a long time to start.
*to be continued*
*Start -> Run -> msconfig*
status: error, can't find msconfig. "make sure the path and filename are correct and that all requied liberies are available" (remember I have Windows 2000)
*downloads the Windows XP version of msconfig and puts it in the WINNT folder*
*removes everything in msconfig, since I don't have an antivirus program there*
*restarts*
*to be continued*
Status: still just as slow. Any more suggestions?
Edited 26 February 2008 by r2d290