elZiko, posted 27 March 2008

Posting logs from ComboFix, SAS and HJT.

ComboFix:

ComboFix 08-03-26.1 - Freddeh 2008-03-27 18:12:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.668 [GMT 1:00]
Running from: C:\Documents and Settings\Freddeh\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\rs.txt
.
((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.
2008-03-27 17:48 . 2008-03-27 17:48 <DIR> d-------- C:\Documents and Settings\Freddeh\Application Data\InstallShield
2008-03-27 17:29 . 2008-03-27 17:29 98,304 --a------ C:\WINDOWS\system32\xurgbixa.exe
2008-03-27 17:24 . 2008-03-27 17:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-27 17:20 . 2008-03-27 17:20 <DIR> d-------- C:\Documents and Settings\Freddeh\Application Data\SUPERAntiSpyware.com
2008-03-27 17:00 . 2008-03-27 18:11 <DIR> d-------- C:\Documents and Settings\Freddeh\Application Data\.purple
2008-03-27 16:41 . 2008-03-27 16:41 <DIR> d-------- C:\Documents and Settings\Freddeh\Application Data\AVG7
2008-03-27 15:53 . 2008-03-27 16:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-27 15:53 . 2008-03-27 15:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 15:53 . 2008-03-27 15:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-27 15:30 . 2007-01-18 13:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-03-27 09:00 . 2008-03-27 09:00 94,208 --a------ C:\WINDOWS\system32\udajwhub.exe
2008-03-27 01:43 . 2008-03-27 01:43 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-27 01:43 . 2008-03-27 01:43 <DIR> d-------- C:\Program Files\CCleaner
2008-03-27 01:43 . 2008-03-27 01:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-27 01:39 . 2008-03-27 01:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-27 01:39 . 2008-03-27 01:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-27 01:39 . 2008-03-27 08:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-27 01:39 . 2008-03-27 01:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-03-27 01:38 . 2008-03-27 01:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\arwbyron
2008-03-27 01:38 . 2008-03-27 01:38 94,208 --a------ C:\WINDOWS\system32\ebidonwt.exe
2008-03-27 01:38 . 2008-03-26 17:28 81,920 --a------ C:\WINDOWS\norlatmx.exe
2008-03-27 01:36 . 2008-03-27 01:36 <DIR> d-------- C:\Program Files\Stardock
2008-03-26 20:47 . 2008-03-26 20:47 <DIR> d-------- C:\Program Files\Common Files\Thraex Software
2008-03-26 20:22 . 2008-03-27 01:32 <DIR> d-------- C:\Program Files\Bit Che
2008-03-26 20:22 . 2004-03-09 00:00 1,081,616 --a------ C:\WINDOWS\system32\mscomctl.OCX
2008-03-26 20:22 . 2004-03-09 00:00 152,848 --a------ C:\WINDOWS\system32\comdlg32.OCX
2008-03-26 20:22 . 2004-03-09 00:00 124,688 --a------ C:\WINDOWS\system32\mswinsck.ocx
2008-03-26 20:00 . 2008-03-26 20:00 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-03-26 19:27 . 2008-03-26 19:54 <DIR> d-------- C:\Program Files\Winamp
2008-03-26 19:25 . 2008-03-27 05:49 <DIR> d-------- C:\Program Files\uTorrent
2008-03-26 18:15 . 2008-03-27 16:35 <DIR> d-------- C:\Program Files\Steam
2008-03-26 18:12 . 2008-03-27 16:10 <DIR> d-------- C:\Program Files\Windows Live
2008-03-26 18:12 . 2008-03-26 18:14 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-26 18:12 . 2008-03-26 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-26 17:53 . 2008-03-26 17:53 <DIR> d-------- C:\Program Files\Pidgin
2008-03-26 17:52 . 2008-03-26 17:52 <DIR> d-------- C:\Program Files\Common Files\GTK
2008-03-26 17:23 . 2008-03-26 15:02 211 --ahs---- C:\BOOT.BKK
2008-03-26 17:15 . 2008-03-26 17:15 <DIR> d-------- C:\Program Files\TGTSoft
2008-03-26 17:08 . 2008-03-26 17:08 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-03-26 17:08 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-03-26 17:01 . 2008-03-26 17:01 1,167 --a------ C:\WINDOWS\mozver.dat
2008-03-26 17:00 . 2008-03-26 17:00 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-26 16:43 . 2008-03-26 16:43 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-26 16:42 . 2008-03-26 18:26 <DIR> d-------- C:\Program Files\Miranda IM
2008-03-26 16:36 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-26 16:36 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-26 16:36 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-26 16:36 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-26 16:36 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-26 16:35 . 2008-03-26 18:15 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-03-26 16:15 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-03-26 16:15 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-03-26 16:15 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-26 16:15 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-26 16:15 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-26 16:15 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 17:11 --------- d-----w C:\Documents and Settings\Freddeh\Application Data\.purple
2008-03-27 15:30 --------- d-----w C:\Program Files\Hewlett-Packard
2008-03-26 15:06 822,272 ----a-w C:\WINDOWS\system32\drivers\BCMWL5.SYS
2008-03-26 14:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-26 14:48 --------- d-----w C:\Program Files\CONEXANT
2008-03-26 14:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-26 14:47 --------- d-----w C:\Program Files\HP 1.3MP Webcam
2008-03-26 14:47 --------- d-----w C:\Program Files\DIFX
2008-03-26 14:46 --------- d-----w C:\Program Files\Synaptics
2008-03-26 14:46 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-26 14:46 --------- d-----w C:\Program Files\Broadcom
2008-03-26 14:39 --------- d-----w C:\Program Files\microsoft frontpage
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6B9885D-B686-49A0-806B-062D4D3B9091}]
C:\WINDOWS\kdftlboedsb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{66D17C3E-C589-4E86-B772-B03D50846900}"= "C:\WINDOWS\qvdntlmw.dll" [ ]
[HKEY_CLASSES_ROOT\clsid\{66d17c3e-c589-4e86-b772-b03d50846900}]
[HKEY_CLASSES_ROOT\qvdntlmw.1]
[HKEY_CLASSES_ROOT\TypeLib\{B0E61956-7218-44D4-B218-2EE4F6776C73}]
[HKEY_CLASSES_ROOT\qvdntlmw]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 19:31 1372160]
"sxcbnekx"="C:\WINDOWS\system32\xurgbixa.exe" [2008-03-27 17:29 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 20:58 7581696]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 20:58 86016]
"nwiz"="nwiz.exe" [2006-07-20 20:58 1519616 C:\WINDOWS\system32\nwiz.exe]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 19:29 102400]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 14:44 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 23:54 37376]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-27 01:39 579072]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 15:13 472776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-27 01:39 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"UpsjDpLTPP"= C:\Documents and Settings\All Users\Application Data\arwbyron\ancfytmd.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Steam\\steamapps\\frd_hgn\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-05 23:49]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 18:13:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-27 18:13:54
ComboFix-quarantined-files.txt 2008-03-27 17:13:52
Pre-Run: 49,002,610,688 bytes free
Post-Run: 49,000,349,696 bytes free

SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 03/27/2008 at 06:27 PM
Application Version : 4.0.1154
Core Rules Database Version : 3426
Trace Rules Database Version: 1418
Scan type : Complete Scan
Total Scan Time : 00:10:30
Memory items scanned : 449
Memory threats detected : 0
Registry items scanned : 3188
Registry threats detected : 0
File items scanned : 9046
File threats detected : 0

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:21:05, on 27.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Documents and Settings\All Users\Application Data\arwbyron\ancfytmd.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\system32\xurgbixa.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Pidgin\pidgin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: GNX Bingo - {C6B9885D-B686-49A0-806B-062D4D3B9091} - C:\WINDOWS\kdftlboedsb.dll (file missing)
O3 - Toolbar: qvdntlmw - {66D17C3E-C589-4E86-B772-B03D50846900} - C:\WINDOWS\qvdntlmw.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [sxcbnekx] C:\WINDOWS\system32\xurgbixa.exe
O4 - HKLM\..\Policies\Explorer\Run: [upsjDpLTPP] C:\Documents and Settings\All Users\Application Data\arwbyron\ancfytmd.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206545745479
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 5261 bytes

Can someone check these?
r2d290, posted 27 March 2008 (edited)

Hi. Start HijackThis, choose "Do a system scan only", tick the following lines and click "Fix checked":

O2 - BHO: GNX Bingo - {C6B9885D-B686-49A0-806B-062D4D3B9091} - C:\WINDOWS\kdftlboedsb.dll (file missing)
O3 - Toolbar: qvdntlmw - {66D17C3E-C589-4E86-B772-B03D50846900} - C:\WINDOWS\qvdntlmw.dll (file missing)
O4 - HKCU\..\Run: [sxcbnekx] C:\WINDOWS\system32\xurgbixa.exe
O4 - HKLM\..\Policies\Explorer\Run: [upsjDpLTPP] C:\Documents and Settings\All Users\Application Data\arwbyron\ancfytmd.exe

You'll probably have to do something with ComboFix too, but someone else will have to take care of that...

Edited 27 March 2008 by r2d290
elZiko (thread author), posted 27 March 2008

"You'll probably have to do something with ComboFix too, but someone else will have to take care of that..."

There, I've removed what you listed :) Thanks a lot, good that people take the time to help "noobs" :p Now we just have to wait for someone to come up with something about ComboFix.
snippsat, posted 27 March 2008

Yes, I'll take the ComboFix part. First fix the lines r2d290 found. They're probably covered by the CFScript too, but that way we're sure.

Open Notepad and copy in what is in bold below, and save the file on the desktop as CFScript.txt. Then drag the file onto the ComboFix icon. ComboFix will start again. Post the log c:\combofix

File::
C:\WINDOWS\system32\xurgbixa.exe
C:\WINDOWS\system32\udajwhub.exe
C:\WINDOWS\system32\ebidonwt.exe
C:\WINDOWS\norlatmx.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C6B9885D-B686-49A0-806B-062D4D3B9091} C:\WINDOWS\kdftlboedsb]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar "{66D17C3E-C589-4E86-B772-B03D50846900}"= "C:\WINDOWS\qvdntlmw]
[-HKEY_CLASSES_ROOT\clsid\{66d17c3e-c589-4e86-b772-b03d50846900}]
[-HKEY_CLASSES_ROOT\qvdntlmw.1]
[-HKEY_CLASSES_ROOT\TypeLib\{B0E61956-7218-44D4-B218-2EE4F6776C73}]
[-HKEY_CLASSES_ROOT\qvdntlmw]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sxcbnekx"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"UpsjDpLTPP"= -

Download and run CCleaner. Go to 'Options' -> 'Advanced'. Untick "only delete temporary files older than 48 h". Run the registry cleaner and answer yes to repair.

Restart and post a new HijackThis log.
elZiko (thread author), posted 27 March 2008

"ComboFix will start again."

ComboFix won't start.
r2d290, posted 27 March 2008

Try a restart. If that doesn't work, create a new user account and try from there...
snippsat, posted 27 March 2008 (edited)

Hmm, this is the starting point. Disable antivirus. Download ComboFix and put it on the desktop. Don't click in the window while the program is running. Post the log C:\combofix.txt

Then both ComboFix and CFScript.txt are on the desktop. Do as shown in the picture.

Does ComboFix start on its own?

Edited 27 March 2008 by SNIPPSAT
elZiko (thread author), posted 27 March 2008

Restarted the PC and then it worked :)

New ComboFix log:

ComboFix 08-03-26.1 - Freddeh 2008-03-27 19:28:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.726 [GMT 1:00]
Running from: C:\Documents and Settings\Freddeh\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Freddeh\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\norlatmx.exe
C:\WINDOWS\system32\ebidonwt.exe
C:\WINDOWS\system32\udajwhub.exe
C:\WINDOWS\system32\xurgbixa.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\norlatmx.exe
C:\WINDOWS\system32\ebidonwt.exe
C:\WINDOWS\system32\udajwhub.exe
C:\WINDOWS\system32\xurgbixa.exe
.
((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.
2008-03-27 19:03 . 2008-03-27 19:03 <DIR> d---s---- C:\Documents and Settings\Freddeh\UserData
2008-03-27 18:37 . 2008-03-27 18:37 106,496 --a------ C:\WINDOWS\system32\qncjqpev.exe
2008-03-27 17:48 . 2008-03-27 17:48 <DIR> d-------- C:\Documents and Settings\Freddeh\Application Data\InstallShield
2008-03-27 17:24 . 2008-03-27 17:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-27 17:20 . 2008-03-27 17:20 <DIR> d-------- C:\Documents and Settings\Freddeh\Application Data\SUPERAntiSpyware.com
2008-03-27 17:00 . 2008-03-27 19:26 <DIR> d-------- C:\Documents and Settings\Freddeh\Application Data\.purple
2008-03-27 16:41 . 2008-03-27 16:41 <DIR> d-------- C:\Documents and Settings\Freddeh\Application Data\AVG7
2008-03-27 15:53 . 2008-03-27 16:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-27 15:53 . 2008-03-27 15:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-27 15:53 . 2008-03-27 15:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-27 15:30 . 2007-01-18 13:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-03-27 01:43 . 2008-03-27 01:43 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-27 01:43 . 2008-03-27 01:43 <DIR> d-------- C:\Program Files\CCleaner
2008-03-27 01:43 . 2008-03-27 01:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-27 01:39 . 2008-03-27 01:39 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-27 01:39 . 2008-03-27 01:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-27 01:39 . 2008-03-27 08:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-27 01:39 . 2008-03-27 01:39 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-03-27 01:38 . 2008-03-27 01:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\arwbyron
2008-03-27 01:36 . 2008-03-27 01:36 <DIR> d-------- C:\Program Files\Stardock
2008-03-26 20:47 . 2008-03-26 20:47 <DIR> d-------- C:\Program Files\Common Files\Thraex Software
2008-03-26 20:22 . 2008-03-27 01:32 <DIR> d-------- C:\Program Files\Bit Che
2008-03-26 20:22 . 2004-03-09 00:00 1,081,616 --a------ C:\WINDOWS\system32\mscomctl.OCX
2008-03-26 20:22 . 2004-03-09 00:00 152,848 --a------ C:\WINDOWS\system32\comdlg32.OCX
2008-03-26 20:22 . 2004-03-09 00:00 124,688 --a------ C:\WINDOWS\system32\mswinsck.ocx
2008-03-26 20:00 . 2008-03-26 20:00 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-03-26 19:27 . 2008-03-26 19:54 <DIR> d-------- C:\Program Files\Winamp
2008-03-26 19:25 . 2008-03-27 05:49 <DIR> d-------- C:\Program Files\uTorrent
2008-03-26 18:15 . 2008-03-27 19:18 <DIR> d-------- C:\Program Files\Steam
2008-03-26 18:12 . 2008-03-27 16:10 <DIR> d-------- C:\Program Files\Windows Live
2008-03-26 18:12 . 2008-03-26 18:14 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-26 18:12 . 2008-03-26 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-26 17:53 . 2008-03-26 17:53 <DIR> d-------- C:\Program Files\Pidgin
2008-03-26 17:52 . 2008-03-26 17:52 <DIR> d-------- C:\Program Files\Common Files\GTK
2008-03-26 17:23 . 2008-03-26 15:02 211 --ahs---- C:\BOOT.BKK
2008-03-26 17:15 . 2008-03-26 17:15 <DIR> d-------- C:\Program Files\TGTSoft
2008-03-26 17:08 . 2008-03-26 17:08 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-03-26 17:08 . 2007-09-04 17:56 164,352 --a------ C:\WINDOWS\system32\unrar.dll
2008-03-26 17:01 . 2008-03-26 17:01 1,167 --a------ C:\WINDOWS\mozver.dat
2008-03-26 17:00 . 2008-03-26 17:00 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-26 16:43 . 2008-03-26 16:43 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-26 16:42 . 2008-03-26 18:26 <DIR> d-------- C:\Program Files\Miranda IM
2008-03-26 16:36 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-03-26 16:36 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-03-26 16:36 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-03-26 16:36 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-03-26 16:36 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-03-26 16:35 . 2008-03-26 18:15 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-03-26 16:15 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-03-26 16:15 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-03-26 16:15 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-26 16:15 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-26 16:15 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-26 16:15 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 18:26 --------- d-----w C:\Documents and Settings\Freddeh\Application Data\.purple
2008-03-27 15:30 --------- d-----w C:\Program Files\Hewlett-Packard
2008-03-26 15:06 822,272 ----a-w C:\WINDOWS\system32\drivers\BCMWL5.SYS
2008-03-26 14:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-26 14:48 --------- d-----w C:\Program Files\CONEXANT
2008-03-26 14:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-26 14:47 --------- d-----w C:\Program Files\HP 1.3MP Webcam
2008-03-26 14:47 --------- d-----w C:\Program Files\DIFX
2008-03-26 14:46 --------- d-----w C:\Program Files\Synaptics
2008-03-26 14:46 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-26 14:46 --------- d-----w C:\Program Files\Broadcom
2008-03-26 14:39 --------- d-----w C:\Program Files\microsoft frontpage
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 19:31 1372160]
"uvhfbhmz"="C:\WINDOWS\system32\qncjqpev.exe" [2008-03-27 18:37 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-20 20:58 7581696]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-20 20:58 86016]
"nwiz"="nwiz.exe" [2006-07-20 20:58 1519616 C:\WINDOWS\system32\nwiz.exe]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 19:29 102400]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 14:44 61952 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 23:54 37376]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-27 01:39 579072]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-01-10 15:13 472776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-27 01:39 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Steam\\steamapps\\frd_hgn\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-05 23:49]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 19:29:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-27 19:29:53
ComboFix-quarantined-files.txt 2008-03-27 18:29:51
ComboFix2.txt 2008-03-27 17:13:55
Pre-Run: 48,959,152,128 bytes free
Post-Run: 48,954,273,792 bytes free

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:43:09, on 27.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\qncjqpev.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://antispyware-reviews.biz/?wmid=4663&...bmid=R3n1c2Bg8A
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [uvhfbhmz] C:\WINDOWS\system32\qncjqpev.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206545745479
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 5040 bytes
snippsat, posted 27 March 2008 (edited):

Hmm, I forgot a file. Make a CFScript.txt with this file, the same way as above.

File::
C:\WINDOWS\system32\qncjqpev.exe

Restart and post a new HijackThis log.

Edited 27 March 2008 by SNIPPSAT
elZiko (thread author), posted 27 March 2008:

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:02:40, on 27.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://antispyware-reviews.biz/?wmid=4663&...bmid=R3n1c2Bg8A
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [uvhfbhmz] C:\WINDOWS\system32\qncjqpev.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206545745479
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 4678 bytes
snippsat, posted 27 March 2008:

Run only HJT. Start HijackThis, click "Scan", find these lines, check them, then press "Fix checked".

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://antispyware-reviews.biz/?wmid=4663&...bmid=R3n1c2Bg8A
O4 - HKCU\..\Run: [uvhfbhmz] C:\WINDOWS\system32\qncjqpev.exe

Restart and post a new HijackThis log.
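As an added example (not from the thread, and not HijackThis code), a small Python parser for HJT log lines that flags the two patterns snippsat picked out above: a ShellNext value redirecting to a non-Microsoft host, and a Run value with a random-looking name that launches a random-looking executable from system32. The sample log is constructed from lines of the kind seen in this thread; the "random-looking name" heuristic and the Microsoft allowlist are assumptions of this example, not rules HijackThis applies.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis 2.0.2 line format, modelled on the thread's logs
# (the two entries snippsat asked to be fixed are included among benign ones).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://antispyware-reviews.biz/?wmid=4663
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uvhfbhmz] C:\WINDOWS\system32\qncjqpev.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SHELLNEXT_RE = re.compile(r"ShellNext = (?P<url>\S+)")
SYSTEM32_EXE_RE = re.compile(r"\\system32\\(?P<stem>[a-z]{8})\.exe", re.IGNORECASE)


def parse_hjt(text):
    """Yield (section, body) for every HJT entry line; header and process list are skipped."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def looks_random(name):
    """Heuristic (an assumption of this example): 8 lowercase letters with at most two vowels."""
    return re.fullmatch(r"[a-z]{8}", name) is not None and sum(c in "aeiou" for c in name) <= 2


def flag_entries(text):
    """Return [(reason, entry)] for entries matching the two patterns seen in this thread."""
    findings = []
    for section, body in parse_hjt(text):
        entry = f"{section} - {body}"
        if section == "R1":
            m = SHELLNEXT_RE.search(body)
            if m:
                host = urlparse(m.group("url")).hostname or ""
                # ShellNext is normally empty or a Microsoft URL; anything else deserves a look
                if host != "microsoft.com" and not host.endswith(".microsoft.com"):
                    findings.append(("ShellNext redirect to non-Microsoft host", entry))
        elif section == "O4":
            m = RUN_RE.match(body)
            exe = SYSTEM32_EXE_RE.search(m.group("cmd")) if m else None
            # Random-looking Run value name launching a random-looking exe from system32
            if exe and looks_random(m.group("name")) and looks_random(exe.group("stem")):
                findings.append(("random-named Run value launching random-named system32 exe", entry))
    return findings


if __name__ == "__main__":
    for reason, entry in flag_entries(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```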
elZiko (thread author), posted 27 March 2008:

New HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:17:39, on 27.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206545745479
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 4379 bytes
snippsat, posted 27 March 2008:

Then the log is clean. Use the PC a bit; if it runs fine, you can do the following.

You can remove ComboFix by typing combofix /u in the Run window. This command deletes the quarantined files and backups, resets the System Restore folder, etc.

Defragmenting can be a good idea: Auslogics Disk Defrag + Free Registry Defrag.

Use SAS and CCleaner once in a while.

If you want to improve security, you should consider a good free firewall such as Comodo.

Surf safely.
elZiko (thread author), posted 27 March 2008, quoting snippsat's post above:

Thanks for that.
snippsat, posted 27 March 2008:

Hi again, you can delete this folder:
C:\Documents and Settings\All Users\Application Data\arwbyron
elZiko (thread author), posted 27 March 2008, quoting snippsat's post above:

done