Carl Sagan, posted 16 February 2008 (edited):

Hi! I'm at a LAN party and was going to set up a little Hack And Mess Up server so I could mess with my buddy a bit. Ended up clicking on it myself, and whatever I do I can't get rid of it:
- Have deleted all the svchost.exe files (Unlocker and safe mode)
- The DLL files are deleted
But I still can't get into Task Manager. Have of course used Process Explorer to kill the svchosts, but it doesn't work. "Oppgavebehandling er deaktivert av administratoren" (Task Manager has been disabled by your administrator) comes up on Ctrl-Alt-Del. Have tried all sorts of antivirus programs etc.

Edited 17 February 2008 by todda7
Thorsen, posted 17 February 2008:

Self-owned is well-owned. Serves you right for using a system without knowing how it works. Unfortunately I'm not familiar with the product in question and so can't help you.
Carl Sagan (thread author), posted 17 February 2008:

> Self-owned is well-owned. Serves you right for using a system without knowing how it works. Unfortunately I'm not familiar with the product in question and so can't help you.

Hehe, I've used HAMU for years, but it has never blocked taskmgr unless the client asked for it. In other words, I've never needed to remove it.
kaeksen, posted 17 February 2008:

Better to just eat humble pie, talk to the network admin and take it from there.. But most likely both of you will have to reinstall the OS.
snippsat, posted 17 February 2008 (edited):

Download HijackThis and put it in its own folder on the desktop. Start the program and choose "Do a system scan and save a logfile". Copy the log file and paste it into your post. If you have problems: boot into safe mode, create a new user, log on as that user, then run HijackThis.

> - Have deleted all the svchost.exe files (Unlocker and safe mode)
> - The DLL files are deleted

svchost.exe should not be deleted, only cleaned if it has been hijacked by a virus. DLL: which DLL files have been deleted?

Edited 17 February 2008 by SNIPPSAT
Carl Sagan (thread author), posted 17 February 2008:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:17:02, on 17.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\RTHDCPL.EXE
D:\Programfiler\Eset\nod32kui.exe
D:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Programfiler\Eset\nod32krn.exe
D:\WINDOWS\system32\oodag.exe
D:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\WINDOWS\System32\alg.exe
D:\Programfiler\Steam\Steam.exe
d:\programfiler\steam\steamapps\pg_xee\counter-strike\hl.exe
D:\Programfiler\Steam\GameOverlayUI.exe
D:\Programfiler\uTorrent\utorrent.exe
D:\Programfiler\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\svchost.exe
D:\Programfiler\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [startCCC] "D:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "D:\Programfiler\RivaTuner v2.06\RivaTuner.exe" /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Programfiler\Eset\nod32krn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\system32\oodag.exe

--
End of file - 4206 bytes

If someone could upload svchost.exe and lsass.exe I think that would fix the problem.. Can't find them on Google :S! By the way, I'm the only one who has the problem.
snippsat, posted 17 February 2008 (edited):

Get SmitfraudFix and put it on the desktop.
Restart in safe mode (tap F8 during startup, choose safe mode).
Run SmitfraudFix, choose option 2.
Post the log, C:\rapport.txt, together with a new HJT log.

> If someone could upload svchost.exe and lsass.exe I think that would fix the problem.. Can't find them on Google :S!

They are on your system; follow the steps above.

Edited 17 February 2008 by SNIPPSAT
Skagen, posted 17 February 2008:

The thread was posted in the wrong place and has been moved to the correct category. (Please do not comment on this post. Reactions to moderation go via PM/message.)
Carl Sagan (thread author), posted 17 February 2008 (edited):

SmitFraudFix v2.290

Scan done at 2:36:22,01, 17.02.2008
Run from C:\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Versjon 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C480AAA-3D13-4450-B92E-4C9983B825B6}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3C480AAA-3D13-4450-B92E-4C9983B825B6}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3C480AAA-3D13-4450-B92E-4C9983B825B6}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3C480AAA-3D13-4450-B92E-4C9983B825B6}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:37:46, on 17.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Safe mode

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\NOTEPAD.EXE
D:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [startCCC] "D:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "D:\Programfiler\RivaTuner v2.06\RivaTuner.exe" /S
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE
O4 - HKCU\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
O4 - HKCU\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Programfiler\Eset\nod32krn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\system32\oodag.exe

--
End of file - 3004 bytes

Edited 17 February 2008 by todda7
snippsat, posted 17 February 2008 (edited):

In normal mode. Download ComboFix and put it on the desktop. Do not click in the window while the program is running. Post the log C:\combofix.txt and a new HJT log.

Edited 17 February 2008 by SNIPPSAT
Carl Sagan (thread author), posted 17 February 2008:

ComboFix:

ComboFix 08-02-17.2 - Todda 2008-02-17  2:56:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.1089 [GMT 1:00]
Running from: C:\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2008-01-17 to 2008-02-17  )))))))))))))))))))))))))))))))
.

2008-02-17 02:41 . 2008-02-17 02:41    <DIR>    d--------    D:\Documents and Settings\Todda\Programdata\PC Tools
2008-02-17 02:16 . 2008-02-17 02:16    <DIR>    d--------    D:\Programfiler\Trend Micro
2008-02-17 02:05 . 2004-08-04 01:03    7,278    --a--c---    D:\WINDOWS\system32\dllcache\svchost.exe
2008-02-17 02:02 . 2004-08-04 01:03    7,278    --a------    D:\WINDOWS\system32\SVCHOST.EX_
2008-02-17 01:46 . 2008-02-17 01:46    <DIR>    d--------    D:\Programfiler\uTorrent
2008-02-17 01:46 . 2008-02-17 02:33    <DIR>    d--------    D:\Documents and Settings\Todda\Programdata\uTorrent
2008-02-17 01:28 . 2008-02-17 02:45    461    --a------    D:\WINDOWS\win.tmp
2008-02-17 01:28 . 2008-02-17 02:45    227    --a------    D:\WINDOWS\system.tmp
2008-02-17 01:26 . 2008-02-17 01:27    <DIR>    d--------    D:\Programfiler\Spyware Doctor
2008-02-17 01:26 . 2008-02-17 01:26    <DIR>    d--------    D:\Documents and Settings\Administrator\Programdata\PC Tools
2008-02-17 01:26 . 2006-03-07 13:28    51,456    --a------    D:\WINDOWS\system32\drivers\ikhlayer.sys
2008-02-17 01:26 . 2006-03-30 16:15    30,688    --a------    D:\WINDOWS\system32\drivers\ikhfile.sys
2008-02-17 01:12 . 2008-02-17 01:12    0    --a------    D:\WINDOWS\nsreg.dat
2008-02-17 01:02 . 2008-02-17 01:02    <DIR>    d--h-----    D:\WINDOWS\PIF
2008-02-17 00:43 . 2008-02-17 00:43    <DIR>    d---s----    D:\Documents and Settings\Todda\UserData
2008-02-17 00:31 . 2008-02-17 01:24    <DIR>    dr-------    D:\Documents and Settings\Administrator\Start-meny
2008-02-17 00:31 . 2008-02-15 20:08    <DIR>    d--h-----    D:\Documents and Settings\Administrator\Skrivere
2008-02-17 00:31 . 2008-02-17 02:37    <DIR>    d--------    D:\Documents and Settings\Administrator\Skrivebord
2008-02-17 00:31 . 2008-02-15 20:08    <DIR>    d--h-----    D:\Documents and Settings\Administrator\Siste
2008-02-17 00:31 . 2008-02-17 01:26    <DIR>    dr-h-----    D:\Documents and Settings\Administrator\Programdata
2008-02-17 00:31 . 2008-02-15 20:08    <DIR>    d--------    D:\Documents and Settings\Administrator\Mine dokumenter
2008-02-17 00:31 . 2008-02-15 19:16    <DIR>    d--h-----    D:\Documents and Settings\Administrator\Maler
2008-02-17 00:31 . 2008-02-15 20:08    <DIR>    d--h-----    D:\Documents and Settings\Administrator\Lokale innstillinger
2008-02-17 00:31 . 2008-02-15 20:08    <DIR>    d--------    D:\Documents and Settings\Administrator\Favoritter
2008-02-17 00:31 . 2008-02-15 20:08    <DIR>    d--h-----    D:\Documents and Settings\Administrator\AndrMask
2008-02-16 23:57 . 2008-02-16 23:57    <DIR>    d--------    D:\Programfiler\Windows Live Safety Center
2008-02-16 23:49 . 2008-02-16 23:49    <DIR>    d--------    D:\Documents and Settings\Todda\Programdata\AdobeUM
2008-02-16 23:48 . 2008-02-16 23:48    <DIR>    d--------    D:\Programfiler\Fellesfiler\Adobe
2008-02-16 23:28 . 2008-02-17 00:03    4,096    --a------    D:\WINDOWS\system32\crash
2008-02-16 22:59 . 2008-02-16 22:59    <DIR>    d--------    D:\Programfiler\Aspyr
2008-02-16 22:58 . 2007-07-19 18:14    3,727,720    --a------    D:\WINDOWS\system32\d3dx9_35.dll
2008-02-16 22:58 . 2007-04-04 18:53    81,768    --a------    D:\WINDOWS\system32\xinput1_3.dll
2008-02-16 20:27 . 2008-02-16 20:27    <DIR>    d--------    D:\Programfiler\Ventrilo
2008-02-16 20:27 . 2008-02-16 20:27    <DIR>    d--------    D:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-02-16 20:26 . 2008-02-16 20:27    <DIR>    d--------    D:\Documents and Settings\Todda\Programdata\Ventrilo
2008-02-16 19:15 . 2004-08-03 23:08    26,496    --a--c---    D:\WINDOWS\system32\dllcache\usbstor.sys
2008-02-16 16:49 . 2008-02-16 16:49    <DIR>    d-a------    D:\Documents and Settings\All Users\Programdata\TEMP
2008-02-16 16:38 . 2008-02-16 16:38    <DIR>    d--------    D:\Programfiler\Cheat Engine
2008-02-16 16:38 . 2006-09-04 19:16    1,970,176    --a------    D:\WINDOWS\system32\d3dx9.dll
2008-02-16 16:38 . 2006-09-04 19:16    679,936    --a------    D:\WINDOWS\system32\D3DX81ab.dll
2008-02-16 15:20 . 2008-02-16 15:20    <DIR>    d--------    D:\Programfiler\OCCT
2008-02-16 11:55 . 2008-02-16 11:55    <DIR>    d--------    D:\Programfiler\MSXML 6.0
2008-02-16 11:55 . 2008-02-16 11:55    1,374    --a------    D:\WINDOWS\imsins.BAK
2008-02-15 23:59 . 2008-02-16 23:59    <DIR>    d--------    D:\Programfiler\DC++
2008-02-15 22:08 . 2008-02-17 02:40    <DIR>    dr-h-----    D:\Documents and Settings\Todda\Siste
2008-02-15 22:06 . 2008-02-15 22:06    <DIR>    d--------    D:\Programfiler\CCleaner
2008-02-15 21:49 . 2008-02-15 21:50    <DIR>    d--------    D:\Programfiler\Disk Cleaner
2008-02-15 21:40 . 2008-02-15 21:40    <DIR>    d--------    D:\WINDOWS\Downloaded Program Files
2008-02-15 21:39 . 2008-02-15 21:39    <DIR>    d--------    D:\Programfiler\K-Lite Codec Pack
2008-02-15 21:39 . 2004-01-11 23:00    348,160    --a------    D:\WINDOWS\system32\msvcr71.dll
2008-02-15 21:39 . 2007-09-04 17:56    164,352    --a------    D:\WINDOWS\system32\unrar.dll
2008-02-15 21:39 . 2007-12-24 13:49    7,680    --a------    D:\WINDOWS\system32\ff_vfw.dll
2008-02-15 21:39 . 2007-07-10 17:10    547    --a------    D:\WINDOWS\system32\ff_vfw.dll.manifest
2008-02-15 21:38 . 2008-02-15 21:38    <DIR>    d--------    D:\Documents and Settings\Todda\Programdata\Media Player Classic
2008-02-15 21:28 . 2008-02-15 21:28    360,064    --a------    D:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-02-15 21:24 . 2008-02-15 21:24    25,992    --a------    D:\WINDOWS\system32\pgdfgsvc.exe
2008-02-15 21:15 . 2008-02-15 00:05    <DIR>    d--------    D:\Documents and Settings\Todda\Contacts
2008-02-15 21:12 . 2008-02-15 21:12    <DIR>    d--------    D:\Documents and Settings\Todda\Programdata\ATI
2008-02-15 21:12 . 2008-02-15 21:12    <DIR>    d--------    D:\Documents and Settings\All Users\Programdata\ATI
2008-02-15 21:12 . 2008-02-15 21:12    0    --a------    D:\WINDOWS\ativpsrm.bin
2008-02-15 20:55 . 2008-02-15 20:55    <DIR>    d--------    D:\Documents and Settings\Todda\dwhelper
2008-02-15 20:49 . 2008-02-17 00:16    <DIR>    d--------    D:\Programfiler\ESET
2008-02-15 20:49 . 2008-02-15 20:49    512,096    --a------    D:\WINDOWS\system32\drivers\amon.sys
2008-02-15 20:49 . 2008-02-15 20:49    299,392    --a------    D:\WINDOWS\system32\imon.dll
2008-02-15 20:49 . 2008-02-15 20:49    15,424    --a------    D:\WINDOWS\system32\drivers\nod32drv.sys
2008-02-15 20:47 . 2008-02-15 20:49    <DIR>    d--------    D:\Programfiler\ATI Technologies
2008-02-15 20:47 . 2008-01-22 14:42    593,920    ---------    D:\WINDOWS\system32\ati2sgag.exe
2008-02-15 20:44 . 2008-02-15 20:44    <DIR>    d--------    D:\WINDOWS\system32\nb-NO
2008-02-15 20:44 . 2008-02-15 20:44    <DIR>    d--------    D:\Programfiler\MSBuild
2008-02-15 20:43 . 2003-06-25 16:05    266,360    --a------    D:\WINDOWS\system32\TweakUI.exe
2008-02-15 20:43 . 2002-06-21 15:09    160,217    --a------    D:\WINDOWS\system32\PowerToysLicense.rtf
2008-02-15 20:42 . 2008-02-15 20:44    <DIR>    d--------    D:\WINDOWS\system32\XPSViewer
2008-02-15 20:42 . 2008-02-15 20:42    <DIR>    d--------    D:\Programfiler\Reference Assemblies
2008-02-15 20:42 . 2006-06-29 13:07    14,048    ---------    D:\WINDOWS\system32\spmsg2.dll
2008-02-15 20:39 . 2008-02-15 20:39    664    --a------    D:\WINDOWS\system32\d3d9caps.dat
2008-02-15 20:19 . 2007-07-30 19:19    271,224    --a------    D:\WINDOWS\system32\mucltui.dll
2008-02-15 20:19 . 2007-07-30 19:19    207,736    --a------    D:\WINDOWS\system32\muweb.dll
2008-02-15 20:19 . 2007-07-30 19:18    30,072    --a------    D:\WINDOWS\system32\mucltui.dll.mui
2008-02-15 20:16 . 2008-02-17 02:04    <DIR>    d--------    D:\Programfiler\Unlocker
2008-02-15 20:10 . 2008-02-15 20:10    <DIR>    d--------    D:\Documents and Settings\Todda\Programdata\vlc
2008-02-15 20:10 . 2004-08-04 01:54    57,344    --a------    D:\WINDOWS\system32\drivers\redbook.sys
2008-02-15 20:10 . 2001-08-17 22:59    3,072    --a------    D:\WINDOWS\system32\drivers\audstub.sys
2008-02-15 20:09 . 2008-02-17 00:44    <DIR>    d--hs----    D:\WINDOWS\Installer
2008-02-15 20:09 . 2008-02-17 02:16    <DIR>    dr-------    D:\Programfiler
2008-02-15 20:09 . 2008-02-15 21:22    1,011,618    --a------    D:\WINDOWS\system32\PerfStringBackup.INI
2008-02-15 20:09 . 2004-08-04 01:03    74,240    --a------    D:\WINDOWS\system32\usbui.dll
2008-02-15 20:09 . 2004-08-04 01:03    74,240    --a--c---    D:\WINDOWS\system32\dllcache\usbui.dll
2008-02-15 20:09 . 2001-08-17 22:46    6,400    --a------    D:\WINDOWS\system32\drivers\enum1394.sys
2008-02-15 20:09 . 2008-02-15 19:18    4,249    --a------    D:\WINDOWS\ODBCINST.INI
2008-02-15 20:09 . 2008-02-16 23:42    116    --a------    D:\WINDOWS\NeroDigital.ini
2008-02-15 20:08 . 2008-02-15 20:08    <DIR>    dr-------    D:\Documents and Settings\Default User\Start-meny
2008-02-15 20:08 . 2008-02-15 20:08    <DIR>    d--h-----    D:\Documents and Settings\Default User\Skrivere
2008-02-15 20:08 . 2008-02-15 20:08    <DIR>    d--------    D:\Documents and Settings\Default User\Skrivebord
2008-02-15 20:08 . 2008-02-15 20:08    <DIR>    d--h-----    D:\Documents and Settings\Default User\Siste
2008-02-15 20:08 . 2008-02-15 20:08    <DIR>    dr-h-----    D:\Documents and Settings\Default User\Programdata
2008-02-15 20:08 . 2008-02-15 20:08    <DIR>    d--------    D:\Documents and Settings\Default User\Mine dokumenter
2008-02-15 20:08 . 2008-02-15 19:16    <DIR>    d--h-----    D:\Documents and Settings\Default User\Maler
2008-02-15 20:08 . 2008-02-15 20:08    <DIR>    dr-h-----    D:\Documents and Settings\Default User\Lokale innstillinger
2008-02-15 20:08 . 2008-02-15 20:08    <DIR>    d--------    D:\Documents and Settings\Default User\Favoritter
2008-02-15 20:08 . 2008-02-15 20:08    <DIR>    d--h-----    D:\Documents and Settings\Default User\AndrMask

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 00:45    ---------    d-----w    D:\Programfiler\Steam
2008-02-16 23:18    ---------    d-----w    D:\Documents and Settings\All Users\Programdata\Microsoft Help
2008-02-15 20:28    360,064    ----a-w    D:\WINDOWS\system32\drivers\TCPIP.SYS
2008-02-15 19:48    ---------    d--h--w    D:\Programfiler\InstallShield Installation Information
2008-02-15 19:40    ---------    d-----w    D:\Programfiler\Clue
2008-02-15 18:53    ---------    d-----w    D:\Programfiler\Microsoft Works
2008-02-15 18:46    ---------    d-----w    D:\Programfiler\Windows Live
2008-02-15 18:45    ---------    dcsh--w    D:\Programfiler\Fellesfiler\WindowsLiveInstaller
2008-02-15 18:43    ---------    d-----w    D:\Documents and Settings\All Users\Programdata\WLInstaller
2008-02-15 18:37    ---------    d-----w    D:\Programfiler\Marvell
2008-02-15 18:37    ---------    d-----w    D:\Programfiler\Fellesfiler\InstallShield
2008-02-15 18:37    ---------    d-----w    D:\Programfiler\DAEMON Tools Lite
2008-02-15 18:37    ---------    d-----w    D:\Documents and Settings\Todda\Programdata\DAEMON Tools
2008-02-15 18:36    ---------    d-----w    D:\Documents and Settings\Todda\Programdata\TMP
2008-02-15 18:32    ---------    d-----w    D:\Programfiler\VideoLAN
2008-02-15 18:31    ---------    d-----w    D:\Programfiler\ToniArts
2008-02-15 18:30    ---------    d-----w    D:\Programfiler\Futuremark
2008-02-15 18:29    ---------    d-----w    D:\Programfiler\RivaTuner v2.06
2008-02-15 18:29    ---------    d-----w    D:\Programfiler\OO Software
2008-02-15 18:28    ---------    d-----w    D:\Programfiler\Lavalys
2008-02-15 18:28    ---------    d-----w    D:\Programfiler\Fellesfiler\Ahead
2008-02-15 18:28    ---------    d-----w    D:\Programfiler\Ahead
2008-02-15 18:26    315,392    ----a-w    D:\WINDOWS\HideWin.exe
2008-02-15 18:26    ---------    d-----w    D:\Programfiler\Realtek
2008-02-15 18:25    ---------    d-----w    D:\Programfiler\Intel
2008-02-15 18:25    ---------    d-----w    D:\Programfiler\ABIT
2008-02-15 18:24    715,248    ----a-w    D:\WINDOWS\system32\drivers\sptd.sys
2008-02-15 18:18    ---------    d-----w    D:\Programfiler\microsoft frontpage
2007-12-28 14:33    58,112    ----a-w    D:\WINDOWS\system32\drivers\vdmindvd.sys
2007-12-28 14:33    51,712    ----a-w    D:\WINDOWS\system32\drivers\tosdvd.sys
2007-12-28 14:33    262,528    ----a-w    D:\WINDOWS\system32\drivers\cinemst2.sys
2007-12-28 14:33    23,936    ----a-w    D:\WINDOWS\system32\drivers\usbcamd2.sys
2007-12-28 14:33    23,808    ----a-w    D:\WINDOWS\system32\drivers\usbcamd.sys
2007-12-28 14:33    21,376    ----a-w    D:\WINDOWS\system32\drivers\tsbvcap.sys
2007-12-28 14:33    18,688    ----a-w    D:\WINDOWS\system32\drivers\cdaudio.sys
2007-12-28 14:33    12,160    ----a-w    D:\WINDOWS\system32\drivers\mouhid.sys
2007-12-28 14:33    12,160    ----a-w    D:\WINDOWS\system32\drivers\fsvga.sys
2007-12-28 14:33    12,032    ----a-w    D:\WINDOWS\system32\drivers\riodrv.sys
2007-12-28 14:33    12,032    ----a-w    D:\WINDOWS\system32\drivers\rio8drv.sys
2007-12-28 14:33    12,032    ----a-w    D:\WINDOWS\system32\drivers\nikedrv.sys
2007-12-28 14:33    11,776    ----a-w    D:\WINDOWS\system32\drivers\cpqdap01.sys
2007-12-27 15:01    142,976    ----a-w    D:\WINDOWS\system32\drivers\usbport.sys
2007-12-18 09:51    179,584    ----a-w    D:\WINDOWS\system32\drivers\mrxdav.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 18:30 16855552 D:\WINDOWS\RTHDCPL.exe]
"StartCCC"="D:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"nod32kui"="D:\Programfiler\Eset\nod32kui.exe" [2008-02-15 20:49 950664]
"RivaTunerStartupDaemon"="D:\Programfiler\RivaTuner v2.06\RivaTuner.exe" [2007-10-30 19:05 2650112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:03 15360]
"Spyware Doctor"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="regsvr32 /s /n /i:U shell32" []
"nltide_3"="advpack.dll" [2004-08-04 00:03 100352 D:\WINDOWS\system32\advpack.dll]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoInternetIcon"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders    schannel.dll, digest.dll

[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start-meny^Programmer^Oppstart^Adobe Reader Speed Launch.lnk]
path=D:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Adobe Reader Speed Launch.lnk
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABIT uGuruIII]
--a------ 2006-02-22 17:55 417792 D:\Programfiler\ABIT\ABITEQ\ABITEQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2007-12-29 13:05 486856 D:\Programfiler\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2008-02-15 19:54 5724184 D:\Programfiler\Windows Live\Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 D:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
--a------ 2007-05-11 02:08 2512392 D:\WINDOWS\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-02-15 19:40 1266936 D:\Programfiler\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)

R0 ABIT-IO;ABIT-IO;D:\WINDOWS\system32\Drivers\ABIT-IO.sys [2005-12-08 14:53]
R2 NwSapAgent;SAP Agent;D:\WINDOWS\system32\svchost.exe [2004-08-04 00:03]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;D:\Programfiler\Lavalys\EVEREST Corporate + Ultimate Edition\kerneld.wnt [2007-12-14 02:09]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 02:59:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Programfiler\Eset\nod32krn.exe
D:\WINDOWS\system32\oodag.exe
D:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2008-02-17  3:00:06 - machine was rebooted
ComboFix-quarantined-files.txt  2008-02-17 02:00:04
.
2008-02-16 10:55:11    --- E O F ---

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:00:58, on 17.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Programfiler\Eset\nod32kui.exe
D:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Programfiler\Eset\nod32krn.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\oodag.exe
D:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [startCCC] "D:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "D:\Programfiler\RivaTuner v2.06\RivaTuner.exe" /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Programfiler\Eset\nod32krn.exe
O23 - Service: O&O Defrag - O&O Software GmbH - D:\WINDOWS\system32\oodag.exe

--
End of file - 3503 bytes
snippsat, posted 17 February 2008 (edited):

Start HJT, find these lines, tick them, then press Fix checked:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:

After that, see how the PC runs. Looks much better now.

Edited 17 February 2008 by SNIPPSAT
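As an added example (not code from this thread, and not part of HijackThis), the script below parses a HijackThis v2 log and flags the same classes of entry snippsat ticked above: orphaned O2 BHOs, empty O13 prefixes and O7 policy restrictions, with the O10 LSP line reported for manual review rather than ticked. The sample log is constructed from lines quoted earlier in this thread; DisableTaskMgr does not appear in these logs but is the policy value behind the "disabled by your administrator" message, so it is included alongside DisableRegedit.

```python
"""Triage a HijackThis v2 log the way the helper in this thread did.

Added example, not code from the thread or from HijackThis itself. It parses
the R/O entry lines and flags the classes of entry that were ticked for
"Fix checked" above: orphaned O2 BHOs, empty O13 URL prefixes and O7 policy
restrictions. The O10 LSP line is reported for manual review only.
"""
import re
from dataclasses import dataclass

# One HijackThis entry: a section code (R0, O2, O4, ...) then " - " then the body.
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")

# O7 body looks like: HKCU\Software\...\Policies\System, DisableRegedit=1
POLICY_RE = re.compile(r"^(?P<hive>HK\w+)\\(?P<key>\S+), (?P<name>\w+)=(?P<value>\d+)$")

# Policy values that lock the user out of admin tools. DisableRegedit appears
# in the logs above; DisableTaskMgr is the value behind the
# "Task Manager has been disabled by your administrator" message.
LOCKOUT_POLICIES = {"DisableRegedit", "DisableTaskMgr"}


@dataclass
class Finding:
    section: str
    line: str      # the full log line, so it can be matched in the HJT window
    action: str    # "fix" (tick it) or "review" (look before you tick)
    reason: str


def parse_entries(log_text):
    """Yield (section, body, full_line) for every entry line in the log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("sec"), m.group("body"), line


def triage(log_text):
    """Return the findings for a log, in log order."""
    findings = []
    for sec, body, line in parse_entries(log_text):
        if sec == "O2" and body.endswith("(no file)"):
            findings.append(Finding(sec, line, "fix",
                            "BHO whose DLL no longer exists (orphaned registration)"))
        elif sec == "O13" and body.endswith(":"):
            findings.append(Finding(sec, line, "fix",
                            "empty URL prefix; the default value has been removed"))
        elif sec == "O7":
            m = POLICY_RE.match(body)
            if m and m.group("name") in LOCKOUT_POLICIES and m.group("value") != "0":
                findings.append(Finding(sec, line, "fix",
                                f"{m.group('name')} is set under {m.group('hive')}\\{m.group('key')}; "
                                "deleting the value restores the tool"))
        elif sec == "O10":
            findings.append(Finding(sec, line, "review",
                            "HijackThis did not recognise this Winsock LSP; confirm the file "
                            "is legitimate before fixing, since a broken LSP chain kills networking"))
    return findings


def fix_checked(findings):
    """The log lines that should be ticked before pressing 'Fix checked'."""
    return [f.line for f in findings if f.action == "fix"]


# Constructed sample, assembled from entry lines quoted earlier in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
D:\WINDOWS\system32\svchost.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "D:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix: http://
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Programfiler\Eset\nod32krn.exe
"""

if __name__ == "__main__":
    for fnd in triage(SAMPLE_LOG):
        print(f"[{fnd.action:6}] {fnd.line}\n         -> {fnd.reason}")
```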
Carl Sagan (thread author), posted 17 February 2008:

I have only one thing to say, SNIPPSAT... How do you do it? Thanks a lot for all the help!
tommy007, posted 17 February 2008:

nice ;D - SNIPPSAT clearly has experience with this kind of "shiit" problem, good that it got sorted out ;D
snippsat, posted 17 February 2008 (edited):

> I have only one thing to say, SNIPPSAT... How do you do it? Thanks a lot for all the help!

Far too much time in front of the PC.

Edited 17 February 2008 by SNIPPSAT
snippsat, posted 17 February 2008 (edited):

Use the PC for a while; if everything works as it should, do this. Remove ComboFix by typing combofix /u in the Run window. This command deletes its files and backups, resets the System Restore folder, etc.

Edited 17 February 2008 by SNIPPSAT
r2d290, posted 17 February 2008:

And if everything works as it should, write "[LØST]" (solved) at the start of the thread title (click edit on the first post, then click full edit).