
[SOLVED!] Got spyware =(



Hi there! I have gotten spyware (I think) on my PC, and have followed Norbat's long guide (Thanks :D) 3 times, but unfortunately did not get everything removed.

At first it refused to open web browsers or let me download any antivirus programs, so I had to do this via another computer.

BUT, now that it is gone and everything works more or less normally, about once every 15 minutes I get a message saying that my PC is at risk, and that I have to click this link to buy the program that will save me!

This is extremely frustrating, because the message overrides all other tasks that are open, so I have to exit every full-screen program, such as movies, games etc., close the box, and then go back into the game, the movie...

VERY frustrating!

I was told to post logs here, so here it goes!

Well!

 

SAS

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 04/27/2008 at 08:44 PM

 

Application Version : 4.0.1154

 

Core Rules Database Version : 3426

Trace Rules Database Version: 1418

 

Scan type : Complete Scan

Total Scan Time : 00:15:54

 

Memory items scanned : 385

Memory threats detected : 7

Registry items scanned : 4695

Registry threats detected : 4

File items scanned : 13582

File threats detected : 17

 

Trojan.Downloader-Oreon-A/Resident

C:\WINDOWS\INSTALLER\{CD82B1A1-89F4-44BF-8BB4-2A744DB44389}\ROMSRV.DLL

C:\WINDOWS\INSTALLER\{CD82B1A1-89F4-44BF-8BB4-2A744DB44389}\ROMSRV.DLL

 

Trojan.Net-VBG/NMC

C:\WINDOWS\VBGTORFD.DLL

C:\WINDOWS\VBGTORFD.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vbgtorfd [ {80C4375C-FD01-40E1-91E8-DEBC876C32C5} ]

 

Trojan.Downloader-AntiViirus

C:\PROGRAMFILER\ANTIVIIRUS.EXE

C:\PROGRAMFILER\ANTIVIIRUS.EXE

[antiviirus] C:\PROGRAMFILER\ANTIVIIRUS.EXE

HKLM\Software\Microsoft\Windows\CurrentVersion\Run#antiviirus [ C:\Programfiler\antiviirus.exe ]

C:\WINDOWS\Prefetch\ANTIVIIRUS.EXE-17878585.pf

 

Trojan.Unclassified/Tmp-Gen

C:\PROGRAMFILER\TMP0.EXE

C:\PROGRAMFILER\TMP0.EXE

C:\PROGRAMFILER\TMP1.EXE

C:\PROGRAMFILER\TMP1.EXE

C:\PROGRAMFILER\TMP2.EXE

C:\PROGRAMFILER\TMP2.EXE

C:\PROGRAMFILER\TMP3.EXE

C:\PROGRAMFILER\TMP3.EXE

C:\WINDOWS\Prefetch\TMP0.EXE-14FB0118.pf

C:\WINDOWS\Prefetch\TMP1.EXE-24D08D28.pf

C:\WINDOWS\Prefetch\TMP2.EXE-2A2E508A.pf

C:\WINDOWS\Prefetch\TMP3.EXE-0F9D3DB6.pf

 

Unclassified.Unknown Origin

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#zip [ {db375e04-87fd-4cdf-9a3a-cd49e3c3ac3d} ]

 

Desktop Hijacker.AboutYourPrivacy

C:\Documents and Settings\Evilpain\Favoritter\Error Cleaner.url

C:\Documents and Settings\Evilpain\Favoritter\Privacy Protector.url

C:\Documents and Settings\Evilpain\Favoritter\Spyware&Malware Protection.url

 

Adware.SXGAdvisor-A

C:\WINDOWS\KDFTLBOESWK.DLL

 

Trojan.Unclassified/GTS

C:\WINDOWS\QVDNTLMW.DLL

 

ComboFix

 

ComboFix 08-04-01.2 - Evilpain 2008-04-02 16:35:39.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.639 [GMT 2:00]

Running from: C:\Documents and Settings\Evilpain\Skrivebord\ComboFix.exe

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\dwnrpofk.dll

C:\WINDOWS\Installer\{cd82b1a1-89f4-44bf-8bb4-2a744db44389}\RomSrv.dll

C:\WINDOWS\norlatmx.exe

 

.

((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))

.

 

2008-04-28 19:39 . 2008-04-28 19:39 <DIR> d-------- C:\Documents and Settings\Evilpain\Logs

2008-04-28 13:55 . 2008-04-28 13:55 <DIR> d-------- C:\Logs

2008-04-27 20:25 . 2008-04-27 20:25 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com

2008-04-27 20:24 . 2008-04-29 14:01 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2008-04-27 20:24 . 2008-04-27 20:24 <DIR> d-------- C:\Documents and Settings\Evilpain\Programdata\SUPERAntiSpyware.com

2008-04-27 20:21 . 2008-04-02 16:13 <DIR> dr-h----- C:\Documents and Settings\Evilpain\Siste

2008-04-27 20:19 . 2008-04-27 20:19 <DIR> d-------- C:\Programfiler\CCleaner

2008-04-27 15:52 . 2008-04-27 15:55 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys

2008-04-27 15:52 . 2008-04-27 15:55 299,392 --a------ C:\WINDOWS\system32\imon.dll

2008-04-27 15:52 . 2008-04-27 15:55 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys

2008-04-27 15:50 . 2008-04-29 21:37 <DIR> d-------- C:\Programfiler\ESET

2008-04-27 14:32 . 2008-04-27 14:32 <DIR> d-------- C:\Programfiler\Webroot

2008-04-27 14:32 . 2008-04-27 14:32 <DIR> d-------- C:\Documents and Settings\LocalService\Programdata\Webroot

2008-04-27 14:32 . 2008-04-27 14:32 <DIR> d-------- C:\Documents and Settings\Evilpain\Programdata\Webroot

2008-04-27 14:32 . 2008-04-27 14:32 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Webroot

2008-04-27 14:32 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll

2008-04-27 14:32 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys

2008-04-27 14:32 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys

2008-04-27 14:32 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys

2008-04-27 14:32 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys

2008-04-27 14:07 . 2008-04-27 14:07 <DIR> d---s---- C:\Documents and Settings\Evilpain\UserData

2008-04-26 21:47 . 2008-04-26 21:47 <DIR> d-------- C:\Programfiler\Lavasoft

2008-04-26 21:47 . 2008-04-26 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft

2008-03-27 21:31 . 2008-04-26 21:46 <DIR> d-a------ C:\Documents and Settings\All Users\Programdata\TEMP

2008-03-27 19:52 . 2008-03-27 19:52 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\pidwbibu

2008-03-27 19:52 . 2008-03-27 19:52 106,496 --a------ C:\WINDOWS\system32\pcvuberi.exe

2008-03-26 15:51 . 2008-04-30 16:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-03-26 15:51 . 2008-03-26 15:51 1,409 --a------ C:\WINDOWS\QTFont.for

2008-03-20 23:59 . 2008-03-20 23:59 <DIR> d--h----- C:\WINDOWS\PIF

2008-03-14 15:23 . 2008-03-14 15:23 <DIR> d-------- C:\Programfiler\Microsoft ActiveSync

2008-03-14 15:23 . 2008-03-14 15:23 382 --a------ C:\WINDOWS\ODBC.INI

2008-03-14 15:22 . 2008-03-14 15:22 <DIR> d-------- C:\WINDOWS\ShellNew

2008-03-13 00:11 . 2008-03-13 00:11 <DIR> d-------- C:\WINDOWS\CD95F661A5C444F5A6AAECDD91C240B5.TMP

2008-03-11 20:47 . 2008-03-13 00:11 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\WinZip

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-28 11:50 --------- d-----w C:\Programfiler\World of Warcraft

2008-04-27 18:24 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-04-27 13:13 --------- d-----w C:\Programfiler\Java

2008-04-02 14:31 --------- d-----w C:\Programfiler\Steam

2008-03-24 15:13 --------- d-----w C:\Documents and Settings\Evilpain\Programdata\LimeWire

2008-03-23 15:54 --------- d-----w C:\Documents and Settings\Evilpain\Programdata\Ventrilo

2008-03-20 22:18 --------- d-----w C:\Documents and Settings\Evilpain\Programdata\dvdcss

2008-02-26 17:29 --------- d-----w C:\Documents and Settings\Evilpain\Programdata\Apple Computer

2008-02-26 17:18 --------- d-----w C:\Programfiler\QuickTime

2008-02-26 17:18 --------- d-----w C:\Programfiler\Apple Software Update

2008-02-26 17:18 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple Computer

2008-02-26 17:18 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple

2008-02-18 17:22 --------- d-----w C:\Documents and Settings\Evilpain\Programdata\mIRC

2008-02-18 17:04 --------- d-----w C:\Programfiler\mIRC

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]

"Steam"="c:\programfiler\steam\steam.exe" [2008-04-27 14:06 1271032]

"dbyavmwv"="C:\WINDOWS\system32\pcvuberi.exe" [2008-03-27 19:52 106496]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-29 16:52 15360]

"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]

"ATIPTA"="C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-24 22:10 335872]

"razertra"="C:\Programfiler\Razer\razertra.exe" [2004-10-10 19:21 208896]

"WinampAgent"="C:\Programfiler\Winamp\wianmpa.exe" [ ]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2008-02-01 00:13 385024]

"nod32kui"="C:\Programfiler\Eset\nod32kui.exe" [2008-04-27 15:55 950664]

"Cmaudio8788"="cmicnfgp.cpl" []

"SpySweeper"="C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-29 16:52 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

"tvA9QGHeW0"= C:\Documents and Settings\All Users\Programdata\pidwbibu\dkfspkve.exe

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

"C:\\Programfiler\\LimeWire\\LimeWire.exe"=

"C:\\Programfiler\\mIRC\\mirc.exe"=

"C:\\Programfiler\\BitLord\\BitLord.exe"=

"C:\\Programfiler\\Steam\\steamapps\\major_fredde\\counter-strike\\hl.exe"=

"C:\\Programfiler\\Steam\\steamapps\\major_fredde\\half-life\\hl.exe"=

"C:\\Programfiler\\Steam\\Steam.exe"=

"C:\\Programfiler\\World of Warcraft\\BackgroundDownloader.exe"=

"C:\\Documents and Settings\\Evilpain\\Skrivebord\\Delta Force Black Hawk Down\\Delta Force Black Hawk Down NoCD CRACK.exe"=

"C:\\Documents and Settings\\Evilpain\\Skrivebord\\Battlefield 1942\\BF1942.exe"=

"C:\\Documents and Settings\\Evilpain\\Skrivebord\\Warcraft III\\Warcraft III.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

 

R3 cmudaxp;Razer Barracuda AC-1 Gaming Interface;C:\WINDOWS\system32\drivers\cmudaxp.sys [2006-09-14 18:47]

 

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-02 16:38:34

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-04-02 16:39:14

ComboFix-quarantined-files.txt 2008-04-02 14:39:09

Pre-Run: 199,547,396,096 byte ledig

Post-Run: 199,542,124,544 byte ledig

.

2008-03-20 11:31:35 --- E O F ---

 

HijackThis

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:07:47, on 02.04.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Documents and Settings\All Users\Programdata\pidwbibu\dkfspkve.exe

C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe

C:\Programfiler\Eset\nod32kui.exe

C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Programfiler\MSN Messenger\MsnMsgr.Exe

C:\programfiler\steam\steam.exe

C:\WINDOWS\system32\pcvuberi.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programfiler\Razer Barracuda AC-1 Gaming Audio Card\Customapp\PROGRAM\RAZER BARRACUDA AC-1 GAMING AUDIO CARD.EXE

C:\Programfiler\Eset\nod32krn.exe

C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe

C:\Programfiler\MSN Messenger\usnsvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Programfiler\Winamp\winamp.exe

C:\Programfiler\Webroot\Spy Sweeper\SSU.EXE

C:\WINDOWS\explorer.exe

C:\Programfiler\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Evilpain\Skrivebord\Ny mappe\Trend Micro\HijackThis\Test.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [razertra] C:\Programfiler\Razer\razertra.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\wianmpa.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [Cmaudio8788] RunDll32 cmicnfgp.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [spySweeper] "C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [steam] "c:\programfiler\steam\steam.exe" -silent

O4 - HKCU\..\Run: [dbyavmwv] C:\WINDOWS\system32\pcvuberi.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKLM\..\Policies\Explorer\Run: [tvA9QGHeW0] C:\Documents and Settings\All Users\Programdata\pidwbibu\dkfspkve.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O21 - SSODL: RomSrv - {cd82b1a1-89f4-44bf-8bb4-2a744db44389} - (no file)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programfiler\Eset\nod32krn.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe

 

--

End of file - 5018 bytes

 

Attached is a screenshot of the message!

I am not extremely worried about anonymity! I just want help, if that is possible! Thanks for all replies, whether they work or not!

Regards

NatroN

Uten_navn.bmp

Edited by NatroN

Hi!

Copy the bold text -> paste it into Notepad.

Save it on the desktop as CFScript.txt.

Do as shown in the picture, then post the log c:\combofix.txt

cfscriptyt1.gif

 

Folder::

C:\Documents and Settings\All Users\Programdata\pidwbibu

 

File::

C:\WINDOWS\system32\pcvuberi.exe

 

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"dbyavmwv"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

"tvA9QGHeW0"=-

 

Download and run CCleaner.

'Valg' -> 'Avansert' (Options -> Advanced). Uncheck the box in front of: "Only delete temporary files older than 48 hours".

Run the registry cleaner and answer yes to repairing.

Restart and post a new HijackThis log.


Done! Logs inc!

 

ComboFix:

 

ComboFix 08-04-01.2 - Evilpain 2008-04-03 17:52:00.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.603 [GMT 2:00]

Running from: C:\Documents and Settings\Evilpain\Skrivebord\ComboFix.exe

Command switches used :: C:\Documents and Settings\Evilpain\Skrivebord\CFscript.txt

* Created a new restore point

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\WINDOWS\system32\pcvuberi.exe

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\All Users\Programdata\pidwbibu

C:\Documents and Settings\All Users\Programdata\pidwbibu\dkfspkve.exe

C:\WINDOWS\system32\pcvuberi.exe

 

.

((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))

.

 

2008-04-28 19:39 . 2008-04-28 19:39 <DIR> d-------- C:\Documents and Settings\Evilpain\Logs

2008-04-28 13:55 . 2008-04-28 13:55 <DIR> d-------- C:\Logs

2008-04-27 20:25 . 2008-04-27 20:25 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com

2008-04-27 20:24 . 2008-04-29 14:01 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2008-04-27 20:24 . 2008-04-27 20:24 <DIR> d-------- C:\Documents and Settings\Evilpain\Programdata\SUPERAntiSpyware.com

2008-04-27 20:21 . 2008-04-03 17:48 <DIR> dr-h----- C:\Documents and Settings\Evilpain\Siste

2008-04-27 20:19 . 2008-04-27 20:19 <DIR> d-------- C:\Programfiler\CCleaner

2008-04-27 15:52 . 2008-04-27 15:55 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys

2008-04-27 15:52 . 2008-04-27 15:55 299,392 --a------ C:\WINDOWS\system32\imon.dll

2008-04-27 15:52 . 2008-04-27 15:55 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys

2008-04-27 15:50 . 2008-04-29 21:37 <DIR> d-------- C:\Programfiler\ESET

2008-04-27 14:32 . 2008-04-27 14:32 <DIR> d-------- C:\Programfiler\Webroot

2008-04-27 14:32 . 2008-04-27 14:32 <DIR> d-------- C:\Documents and Settings\LocalService\Programdata\Webroot

2008-04-27 14:32 . 2008-04-27 14:32 <DIR> d-------- C:\Documents and Settings\Evilpain\Programdata\Webroot

2008-04-27 14:32 . 2008-04-27 14:32 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Webroot

2008-04-27 14:32 . 2007-10-01 16:40 1,526,072 --a------ C:\WINDOWS\WRSetup.dll

2008-04-27 14:32 . 2007-10-01 16:24 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys

2008-04-27 14:32 . 2007-10-01 16:24 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys

2008-04-27 14:32 . 2007-10-01 16:24 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys

2008-04-27 14:32 . 2007-10-01 16:24 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys

2008-04-27 14:07 . 2008-04-27 14:07 <DIR> d---s---- C:\Documents and Settings\Evilpain\UserData

2008-04-26 21:47 . 2008-04-26 21:47 <DIR> d-------- C:\Programfiler\Lavasoft

2008-04-26 21:47 . 2008-04-26 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft

2008-04-03 13:33 . 2008-04-03 13:33 94,208 --a------ C:\WINDOWS\system32\lupwjqls.exe

2008-03-27 21:31 . 2008-04-26 21:46 <DIR> d-a------ C:\Documents and Settings\All Users\Programdata\TEMP

2008-03-26 15:51 . 2008-04-30 16:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-03-26 15:51 . 2008-03-26 15:51 1,409 --a------ C:\WINDOWS\QTFont.for

2008-03-20 23:59 . 2008-03-20 23:59 <DIR> d--h----- C:\WINDOWS\PIF

2008-03-14 15:23 . 2008-03-14 15:23 <DIR> d-------- C:\Programfiler\Microsoft ActiveSync

2008-03-14 15:23 . 2008-03-14 15:23 382 --a------ C:\WINDOWS\ODBC.INI

2008-03-14 15:22 . 2008-03-14 15:22 <DIR> d-------- C:\WINDOWS\ShellNew

2008-03-13 00:11 . 2008-03-13 00:11 <DIR> d-------- C:\WINDOWS\CD95F661A5C444F5A6AAECDD91C240B5.TMP

2008-03-11 20:47 . 2008-03-13 00:11 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\WinZip

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-28 11:50 --------- d-----w C:\Programfiler\World of Warcraft

2008-04-27 18:24 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-04-27 13:13 --------- d-----w C:\Programfiler\Java

2008-04-03 12:25 --------- d-----w C:\Programfiler\Steam

2008-03-24 15:13 --------- d-----w C:\Documents and Settings\Evilpain\Programdata\LimeWire

2008-03-23 15:54 --------- d-----w C:\Documents and Settings\Evilpain\Programdata\Ventrilo

2008-03-20 22:18 --------- d-----w C:\Documents and Settings\Evilpain\Programdata\dvdcss

2008-02-26 17:29 --------- d-----w C:\Documents and Settings\Evilpain\Programdata\Apple Computer

2008-02-26 17:18 --------- d-----w C:\Programfiler\QuickTime

2008-02-26 17:18 --------- d-----w C:\Programfiler\Apple Software Update

2008-02-26 17:18 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple Computer

2008-02-26 17:18 --------- d-----w C:\Documents and Settings\All Users\Programdata\Apple

2008-02-18 17:22 --------- d-----w C:\Documents and Settings\Evilpain\Programdata\mIRC

2008-02-18 17:04 --------- d-----w C:\Programfiler\mIRC

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]

"Steam"="c:\programfiler\steam\steam.exe" [2008-04-27 14:06 1271032]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-29 16:52 15360]

"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

"chcsngfh"="C:\WINDOWS\system32\lupwjqls.exe" [2008-04-03 13:33 94208]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]

"ATIPTA"="C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-24 22:10 335872]

"razertra"="C:\Programfiler\Razer\razertra.exe" [2004-10-10 19:21 208896]

"WinampAgent"="C:\Programfiler\Winamp\wianmpa.exe" [ ]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2008-02-01 00:13 385024]

"nod32kui"="C:\Programfiler\Eset\nod32kui.exe" [2008-04-27 15:55 950664]

"Cmaudio8788"="cmicnfgp.cpl" []

"SpySweeper"="C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-29 16:52 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

"C:\\Programfiler\\LimeWire\\LimeWire.exe"=

"C:\\Programfiler\\mIRC\\mirc.exe"=

"C:\\Programfiler\\BitLord\\BitLord.exe"=

"C:\\Programfiler\\Steam\\steamapps\\major_fredde\\counter-strike\\hl.exe"=

"C:\\Programfiler\\Steam\\steamapps\\major_fredde\\half-life\\hl.exe"=

"C:\\Programfiler\\Steam\\Steam.exe"=

"C:\\Programfiler\\World of Warcraft\\BackgroundDownloader.exe"=

"C:\\Documents and Settings\\Evilpain\\Skrivebord\\Delta Force Black Hawk Down\\Delta Force Black Hawk Down NoCD CRACK.exe"=

"C:\\Documents and Settings\\Evilpain\\Skrivebord\\Battlefield 1942\\BF1942.exe"=

"C:\\Documents and Settings\\Evilpain\\Skrivebord\\Warcraft III\\Warcraft III.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

 

R3 cmudaxp;Razer Barracuda AC-1 Gaming Interface;C:\WINDOWS\system32\drivers\cmudaxp.sys [2006-09-14 18:47]

 

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-03 17:54:19

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-04-03 17:54:48

ComboFix-quarantined-files.txt 2008-04-03 15:54:43

ComboFix2.txt 2008-04-02 14:39:15

Pre-Run: 199,559,581,696 byte ledig

Post-Run: 199,551,795,200 byte ledig

.

2008-03-20 11:31:35 --- E O F ---

 

HijackThis:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:13:24, on 03.04.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe

C:\Programfiler\Eset\nod32kui.exe

C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Programfiler\MSN Messenger\MsnMsgr.Exe

C:\programfiler\steam\steam.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\lupwjqls.exe

C:\Programfiler\Razer Barracuda AC-1 Gaming Audio Card\Customapp\PROGRAM\RAZER BARRACUDA AC-1 GAMING AUDIO CARD.EXE

C:\Programfiler\Eset\nod32krn.exe

C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe

C:\Programfiler\MSN Messenger\usnsvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Programfiler\Mozilla Firefox\firefox.exe

C:\Programfiler\Webroot\Spy Sweeper\SSU.EXE

C:\Documents and Settings\Evilpain\Skrivebord\Ny mappe\Trend Micro\HijackThis\Test.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [razertra] C:\Programfiler\Razer\razertra.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\wianmpa.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [Cmaudio8788] RunDll32 cmicnfgp.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [spySweeper] "C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [steam] "c:\programfiler\steam\steam.exe" -silent

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [chcsngfh] C:\WINDOWS\system32\lupwjqls.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O21 - SSODL: RomSrv - {cd82b1a1-89f4-44bf-8bb4-2a744db44389} - (no file)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programfiler\Eset\nod32krn.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe

 

--

End of file - 4825 bytes

 

 

Edit: The computer looks very good now, but I'll leave it on for a few hours while I'm out! If no error messages have come up by then, I'll fix the topic! Many thanks for all the help! :D

Edited by NatroN
Link to comment

Create a CFScript.txt with the line in bold text, the same as in post 4.

C:\WINDOWS\system32\lupwjqls.exe

 

Run only HijackThis.

Start a HijackThis "scan", find these lines, check them, then press Fix checked.

O4 - HKCU\..\Run: [chcsngfh] C:\WINDOWS\system32\lupwjqls.exe

O21 - SSODL: RomSrv - {cd82b1a1-89f4-44bf-8bb4-2a744db44389} - (no file)

 

I only need a new log from HijackThis.

 

Restart, then a new HijackThis log.

Edited by SNIPPSAT
Link to comment

Deleted the ones you mentioned, rebooted and ran HJT again.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:48:07, on 03.04.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Programfiler\Eset\nod32krn.exe

C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe

C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe

C:\Programfiler\Eset\nod32kui.exe

C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Programfiler\MSN Messenger\MsnMsgr.Exe

C:\programfiler\steam\steam.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programfiler\Razer Barracuda AC-1 Gaming Audio Card\Customapp\PROGRAM\RAZER BARRACUDA AC-1 GAMING AUDIO CARD.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Programfiler\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Programfiler\Webroot\Spy Sweeper\SSU.EXE

C:\Documents and Settings\Evilpain\Skrivebord\Ny mappe\Trend Micro\HijackThis\Test.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [razertra] C:\Programfiler\Razer\razertra.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\wianmpa.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [Cmaudio8788] RunDll32 cmicnfgp.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [spySweeper] C:\Programfiler\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [steam] "c:\programfiler\steam\steam.exe" -silent

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programfiler\Eset\nod32krn.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe

 

--

End of file - 4610 bytes

Link to comment

Then you are clean of virus-spyware :thumbup:

 

Use the PC for a bit; if it runs fine, you can do this.

 

You can remove ComboFix by typing combofix /u in the Run window. This command causes quarantined files and backups to be deleted, the System Restore folder to be reset, etc.

 

Defragmenting can be a good thing to do now.

Auslogics Disk Defrag + Free Registry Defrag

 

Keep using SAS and CCleaner.

 

Surf safely.

Link to comment
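
One way to confirm from two HijackThis logs that the entries selected with Fix checked are gone after the reboot, and that nothing new has appeared, as an added example that is not part of the original posts. The function names are assumptions, and the sample logs are abbreviated excerpts of the two logs in this thread.

```python
import re

# HijackThis entry lines start with a section code such as R0, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

def parse_entries(log_text):
    """Return the set of (code, body) entries found in a HijackThis log."""
    entries = set()
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            # Case-fold so C:\WINDOWS\... and c:\windows\... compare equal.
            entries.add((m.group("code"), m.group("body").casefold()))
    return entries

def compare_logs(before, after, fixed_lines):
    """Diff two logs and check that every line selected for fixing is gone."""
    old, new = parse_entries(before), parse_entries(after)
    targets = parse_entries("\n".join(fixed_lines))
    return {
        "removed": old - new,
        "added": new - old,              # new autostarts after a cleanup deserve a look
        "still_present": targets & new,  # fixed entries that came back after the reboot
    }

# Abbreviated excerpts of the two logs posted in this thread.
BEFORE = r"""
O4 - HKCU\..\Run: [steam] "c:\programfiler\steam\steam.exe" -silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [chcsngfh] C:\WINDOWS\system32\lupwjqls.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: RomSrv - {cd82b1a1-89f4-44bf-8bb4-2a744db44389} - (no file)
"""
AFTER = r"""
O4 - HKCU\..\Run: [steam] "c:\programfiler\steam\steam.exe" -silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
"""
# The two lines the helper asked to have fixed.
FIXED = [
    r"O4 - HKCU\..\Run: [chcsngfh] C:\WINDOWS\system32\lupwjqls.exe",
    r"O21 - SSODL: RomSrv - {cd82b1a1-89f4-44bf-8bb4-2a744db44389} - (no file)",
]

if __name__ == "__main__":
    for key, items in compare_logs(BEFORE, AFTER, FIXED).items():
        print(key, sorted(items))
```
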

Report back in 2 days, telling us whether there are still problems. If it works fine, change your topic title by editing the first post with full edit, and let your new topic title be:

 

[SOLVED] Have got spyware =(

Link to comment

As mentioned in an earlier post, I'll change the topic when I see that everything is going well.

Again, many thanks to those of you who came with tips and help! Incredibly good that people take the time for it, and it is greatly appreciated!

 

Best regards

 

NatroN

Link to comment
