ed9, posted 21 April 2008 (edited)

Hi. I decided not to renew my Norman Internet Control licence this time. After reading a bit on this forum I went for this package:

Antivirus: Avira
Firewall: Comodo
Antispyware: SUPERAntiSpyware and Ad-Aware
Anti-rootkit: F-Secure BlackLight
Cleanup: CCleaner

Before I uninstalled Norman I updated it and scanned, and found no infections. I installed the package above and ran a scan with Avira, which then found this: TR/Exploit.Bytverify.B

So I was wondering whether someone here could check my logs so I can get rid of any other nasties.

SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/21/2008 at 09:51 PM

Application Version : 4.0.1154

Core Rules Database Version : 3443
Trace Rules Database Version: 1435

Scan type : Complete Scan
Total Scan Time : 00:34:27

Memory items scanned : 520
Memory threats detected : 0
Registry items scanned : 6496
Registry threats detected : 0
File items scanned : 24386
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\aaa\Cookies\aaa@adtech[1].txt

ComboFix log:

ComboFix 08-04-20.5 - aaa 2008-04-21 22:01:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.952 [GMT 2:00]
Running from: C:\Documents and Settings\aaa\Skrivebord\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\wl.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-21 21:11 . 2008-04-21 21:56 <DIR> dr-h----- C:\Documents and Settings\aaa\Siste
2008-04-21 20:44 . 2008-04-21 20:44 <DIR> d-------- C:\Programfiler\CCleaner
2008-04-21 20:40 . 2008-04-21 20:40 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-20 22:34 . 2008-04-20 22:34 <DIR> d-------- C:\Programfiler\Avira
2008-04-20 22:34 . 2008-04-20 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Avira
2008-04-20 22:05 . 2008-04-20 22:05 <DIR> d-------- C:\Programfiler\COMODO
2008-04-20 22:05 . 2008-04-20 22:05 <DIR> d-------- C:\Documents and Settings\aaa\Programdata\Comodo
2008-04-20 22:05 . 2008-04-20 22:26 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\comodo
2008-04-20 22:05 . 2008-04-20 22:05 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2008-04-20 22:05 . 2008-04-20 22:05 87,312 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-04-20 22:05 . 2008-04-20 22:05 23,824 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-04-20 21:54 . 2008-04-20 21:44 22,917 --a------ C:\WINDOWS\NPFFILE.NDF_B
2008-04-20 20:52 . 2008-04-20 21:44 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware
2008-04-20 20:52 . 2008-04-20 20:52 <DIR> d-------- C:\Documents and Settings\aaa\Programdata\SUPERAntiSpyware.com
2008-04-20 20:52 . 2008-04-20 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-04-10 00:47 . 2008-04-10 00:49 11 --a------ C:\shut.bat
2008-03-30 14:17 . 2008-04-06 19:00 <DIR> d-------- C:\PANDORA
2008-03-30 14:13 . 2008-04-06 22:48 <DIR> d-------- C:\Programfiler\DOSBox-0.72
2008-03-30 13:14 . 2008-03-03 20:11 436,784 --a------ C:\WINDOWS\system32\vnetlib.dll
2008-03-30 13:14 . 2008-03-03 20:12 150,064 --a------ C:\WINDOWS\system32\vmnat.exe
2008-03-30 13:14 . 2008-03-03 20:13 121,392 --a------ C:\WINDOWS\system32\vmnetdhcp.exe
2008-03-30 13:14 . 2008-03-03 20:10 50,992 -ra------ C:\WINDOWS\system32\vmnetbridge.dll
2008-03-30 13:14 . 2008-03-03 20:10 28,592 -ra------ C:\WINDOWS\system32\drivers\vmnetbridge.sys
2008-03-30 13:14 . 2008-03-03 20:14 25,136 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys
2008-03-30 13:14 . 2008-03-03 20:13 20,912 --a------ C:\WINDOWS\system32\drivers\VMkbd.sys
2008-03-30 13:14 . 2008-03-03 20:10 17,712 -ra------ C:\WINDOWS\system32\drivers\vmnet.sys
2008-03-30 13:14 . 2008-03-03 20:10 16,816 -ra------ C:\WINDOWS\system32\drivers\vmnetadapter.sys
2008-03-30 13:14 . 2008-03-03 20:10 13,104 -ra------ C:\WINDOWS\system32\vnetinst.dll
2008-03-30 13:13 . 2008-03-30 13:13 <DIR> d-------- C:\Programfiler\Fellesfiler\VMware
2008-03-29 22:10 . 2008-04-20 21:42 <DIR> d-------- C:\Documents and Settings\aaa\Programdata\VMware
2008-03-29 22:07 . 2008-04-21 20:40 <DIR> d-------- C:\Documents and Settings\LocalService\Programdata\VMware
2008-03-29 22:06 . 2008-03-30 13:14 1,024 --a------ C:\.rnd
2008-03-29 22:05 . 2008-03-30 13:13 <DIR> d-------- C:\Programfiler\VMware
2008-03-29 22:05 . 2008-04-21 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\VMware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 18:37 --------- d-----w C:\Programfiler\Fellesfiler\Adobe
2008-04-21 18:26 --------- d-----w C:\Programfiler\Steam
2008-04-21 18:20 --------- d-----w C:\Documents and Settings\aaa\Programdata\BitTorrent
2008-04-20 18:51 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-04-17 16:53 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2008-04-17 12:41 --------- d-----w C:\Programfiler\Hewlett-Packard
2008-04-09 20:21 --------- d-----w C:\Programfiler\BitTorrent
2008-03-20 08:11 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 09:37 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-03-13 09:37 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-03-03 18:14 925,104 ----a-w C:\WINDOWS\system32\drivers\vmx86.sys
2008-03-03 18:14 34,864 ----a-w C:\WINDOWS\system32\drivers\hcmon.sys
2008-03-03 18:11 15,920 ----a-w C:\WINDOWS\system32\drivers\vmparport.sys
2008-03-03 16:50 219,696 ----a-w C:\WINDOWS\system32\vmnc.dll
2008-03-01 13:05 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:39 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-12-24 21:57 22,328 ----a-w C:\Documents and Settings\aaa\Programdata\PnkBstrK.sys

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 21:00 15360]
"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"RocketDock"="C:\Programfiler\RocketDock\RocketDock.exe" [2006-08-16 08:00 364544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-12-01 09:54 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NVIDIA nTune"="C:\Programfiler\NVIDIA Corporation\nTune\\nTune.exe" [2004-12-06 12:06 532480]
"ATIPTA"="C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 21:10 344064]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03 36975]
"Control Center"="C:\Programfiler\ASUS\WLAN Card Utilities\Center.exe" [2004-11-01 21:16 1569280]
"DAEMON Tools-1033"="C:\Programfiler\D-Tools\daemon.exe" [2003-12-27 20:43 81920]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"StartCCC"="C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"COMODO Firewall Pro"="C:\Programfiler\COMODO\Firewall\cfp.exe" [2008-04-20 22:05 1572608]
"avgnt"="C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 21:00 15360]
"DWQueuedReporting"="c:\PROGRA~1\FELLES~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 17:38 39264]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
CoreCenter.lnk - C:\Programfiler\MSI\Core Center\CoreCenter.exe [2005-11-05 02:57:11 840704]
DigiCell.lnk - C:\Programfiler\MSI\DigiCell\DigiCell.exe [2004-12-08 16:53:50 1288704]
Logitech SetPoint.lnk - C:\Programfiler\Logitech\SetPoint\SetPoint.exe [2007-06-17 13:31:28 692224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\iTunes\\iTunes.exe"=
"C:\\Programfiler\\BitTorrent\\bittorrent.exe"=
"C:\\Programfiler\\LimeWire\\LimeWire.exe"=
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\MSN Messenger\\livecall.exe"=
"C:\\Programfiler\\Telenor\\Online Start\\Telenor.exe"=
"C:\\Programfiler\\BitTorrent_DNA\\dna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Programfiler\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23224:TCP"= 23224:TCP:BitComet 23224 TCP
"23224:UDP"= 23224:UDP:BitComet 23224 UDP

R0 d344bus;d344bus;C:\WINDOWS\system32\DRIVERS\d344bus.sys [2003-12-27 20:42]
R0 d344prt;d344prt;C:\WINDOWS\system32\Drivers\d344prt.sys [2003-12-27 02:38]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-04-20 22:05]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-04-20 22:05]
R3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 19:54]
R3 PCAlertDriver;PCAlertDriver;C:\Programfiler\MSI\Core Center\NTGLM7X.sys [2004-11-16 09:27]
R3 RushTopDevice;RushTopDevice;C:\Programfiler\MSI\Core Center\RushTop.sys [2004-11-16 11:54]
S3 SQLWriter;SQL Server VSS Writer;"c:\Programfiler\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Programfiler\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e725cf1-0441-11da-a8bf-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3e725cf2-0441-11da-a8bf-806d6172696f}]
\Shell\AutoRun\command - E:\SETUP.EXE

.
Contents of the 'Scheduled Tasks' folder
"2008-04-16 22:42:01 C:\WINDOWS\Tasks\shut.job"
- C:\shut.bat

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 22:04:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-04-21 22:06:18
ComboFix-quarantined-files.txt 2008-04-21 20:06:11

Pre-Run: 33,686,507,520 byte ledig
Post-Run: 33,706,455,040 byte ledig

167 --- E O F --- 2008-04-15 18:15:34

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:23:37, on 21.04.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programfiler\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programfiler\Fellesfiler\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Programfiler\VMware\VMware Workstation\vmware-authd.exe
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
C:\Programfiler\ASUS\WLAN Card Utilities\Center.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\RocketDock\RocketDock.exe
C:\Programfiler\MSI\Core Center\CoreCenter.exe
C:\Programfiler\MSI\DigiCell\DigiCell.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programfiler\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\aaa\Skrivebord\testing\testing.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.online.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Programfiler\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Online Start Plugin - {DB87CDE1-EF9C-44EB-A42F-6D0B3C72C516} - C:\Programfiler\Telenor\Online Start\IEFixItNowPlugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Programfiler\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Control Center] C:\Programfiler\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programfiler\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programfiler\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\Programfiler\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: CoreCenter.lnk = C:\Programfiler\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: DigiCell.lnk = C:\Programfiler\MSI\DigiCell\DigiCell.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programfiler\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Download with GetRight - C:\Programfiler\GetRight\GRdownload.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Programfiler\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.euchannels.net/update/KooPlayer.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.tvkoo.com/update/KooPlayer.ocx
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://www.icanal.no/spill/commerce/catalo...es/ExentCtl.ocx
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://aaa.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.tvkoo.com/update/UKooPlayer.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} (KooPlayer Control) - http://static.mediazone.com/player/1.0.0.67/MZPlayer.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programfiler\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programfiler\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programfiler\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Programfiler\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Programfiler\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Programfiler\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Programfiler\Fellesfiler\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 9176 bytes

Thanks in advance!
Regards, ed9

Edited 22 April 2008 by ed9
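Not part of the thread, but as an added example of how a log helper would start triaging a HijackThis log like the one above: a small Python script (not from HijackThis, ComboFix or anyone in this thread) that parses the O2/O4/O16/O20/O23 lines into structured entries and flags the item types a reviewer normally checks first. The sample lines are abbreviated copies of the log above; the allowlist of vetted ActiveX download hosts is a constructed assumption that an analyst would maintain, not anything HijackThis provides.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: a handful of lines in HijackThis v2.0.2 format, copied
# in abbreviated form from the log posted above so the parser has realistic input.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:23:37, on 21.04.2008
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Programfiler\\Java\\jre1.5.0_06\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [COMODO Firewall Pro] "C:\\Programfiler\\COMODO\\Firewall\\cfp.exe" -h
O4 - HKCU\\..\\Run: [RocketDock] "C:\\Programfiler\\RocketDock\\RocketDock.exe"
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.euchannels.net/update/KooPlayer.ocx
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\guard32.dll
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\\WINDOWS\\system32\\vmnat.exe
-- End of file - 9176 bytes
"""

# Constructed allowlist (assumption): hosts the analyst has already vetted as
# legitimate sources of ActiveX controls (O16 entries). Anything else gets a manual look.
KNOWN_DPF_HOSTS = {"go.microsoft.com", "gfx2.hotmail.com", "go.divx.com"}


@dataclass
class Entry:
    kind: str        # HijackThis section code: O2, O4, O16, O20, O23, ...
    name: str        # display name (run-key value, control name, service name)
    target: str      # file path or URL the entry loads
    owner: str = ""  # publisher as reported for O23 services


HEAD_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one 'Oxx - ...' line into an Entry; header and other lines yield None."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group(1), m.group(2)
    if kind == "O2":    # O2 - BHO: Name - {CLSID} - path
        m2 = re.match(r"BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$", body)
        return Entry(kind, m2.group(1), m2.group(2)) if m2 else None
    if kind == "O4":    # O4 - HKLM\..\Run: [Name] "path" args
        m2 = re.match(r".*?: \[(.*?)\] (.*)$", body)
        return Entry(kind, m2.group(1), m2.group(2)) if m2 else None
    if kind == "O16":   # O16 - DPF: {CLSID} (Name) - URL
        m2 = re.match(r"DPF: \{[0-9A-Fa-f-]+\} \((.*?)\) - (.*)$", body)
        return Entry(kind, m2.group(1), m2.group(2)) if m2 else None
    if kind == "O20":   # O20 - AppInit_DLLs: path  /  O20 - Winlogon Notify: Name - path
        label, _, rest = body.partition(": ")
        return Entry(kind, label, rest)
    if kind == "O23":   # O23 - Service: Name - Owner - path
        m2 = re.match(r"Service: (.*?) - (.*?) - (.*)$", body)
        return Entry(kind, m2.group(1), m2.group(3), m2.group(2)) if m2 else None
    return Entry(kind, "", body)   # other sections: keep the raw body


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Flag the entry types a reviewer checks first, each with a one-line reason."""
    findings = []
    for e in entries:
        if e.kind == "O16":
            host = urlparse(e.target).hostname or ""
            if host not in KNOWN_DPF_HOSTS:
                findings.append((e, f"ActiveX control fetched from unvetted host {host}"))
        elif e.kind == "O20":
            findings.append((e, "DLL loaded into every process via AppInit/Winlogon; confirm its publisher"))
        elif e.kind == "O23" and e.owner.lower() == "unknown owner":
            findings.append((e, "service binary has no publisher recorded; verify its signature"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.kind:<4} {entry.name:<35} {entry.target}\n     -> {reason}")
```

A flag means "check", not "malicious": on the log above this picks out the KooPlayer controls fetched from third-party hosts, the AppInit_DLLs entry (guard32.dll, which the ComboFix log shows was created in the same minute as the COMODO driver files) and PnkBstrA, which HijackThis lists with no publisher. Each of those is the kind of line a helper then resolves by hand, exactly as the replies in this thread do.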
snippsat, posted 22 April 2008 (edited)

If you don't recognise these files, find them and delete them:
C:\shut.bat
C:\WINDOWS\Tasks\shut.job

Run CCleaner like this. Download and run CCleaner, 'Options' -> 'Advanced'. Untick "only delete temporary files older than 48 hours". Run the registry cleaner and answer yes to repair. Scan again with Avira. If it finds something now, you have to include where it finds it. Click on the report file under Report for more details.

Edited 22 April 2008 by SNIPPSAT
ed9 (author), posted 22 April 2008

Thanks for the reply! shut.bat is just a script for shutting down the machine that I added myself. shut.job presumably comes from my having added it to Scheduled Tasks. I'll run a scan with Avira when I get home from school and post if I find anything.
ed9 (author), posted 22 April 2008 (edited)

Found nothing when I scanned again. Here is the Avira log from when I found the trojan:

Avira AntiVir Personal
Report file date: 20. april 2008 22:42

Scanning for 1219327 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: aaa

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 09.04.2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 18.03.2008 09:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 07.02.2008 08:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 28.02.2008 08:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 21.02.2008 08:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18.07.2007 10:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 07.03.2008 13:08:58
ANTIVIR2.VDF : 7.0.3.156 795136 Bytes 11.04.2008 20:37:58
ANTIVIR3.VDF : 7.0.3.189 352256 Bytes 20.04.2008 20:38:01
Engineversion : 8.1.0.32
AEVDF.DLL : 8.1.0.5 102772 Bytes 25.02.2008 09:58:21
AESCRIPT.DLL : 8.1.0.26 233850 Bytes 20.04.2008 20:39:18
AESCN.DLL : 8.1.0.14 119156 Bytes 20.04.2008 20:39:17
AERDL.DLL : 8.1.0.19 418164 Bytes 07.04.2008 15:34:44
AEPACK.DLL : 8.1.1.2 364917 Bytes 20.04.2008 20:39:16
AEOFFICE.DLL : 8.1.0.18 192890 Bytes 20.04.2008 20:39:15
AEHEUR.DLL : 8.1.0.18 1167735 Bytes 20.04.2008 20:39:14
AEHELP.DLL : 8.1.0.14 115063 Bytes 20.04.2008 20:39:10
AEGEN.DLL : 8.1.0.17 299380 Bytes 20.04.2008 20:39:10
AEEMU.DLL : 8.1.0.5 430450 Bytes 07.04.2008 15:34:43
AECORE.DLL : 8.1.0.27 168310 Bytes 20.04.2008 20:39:08
AVWINLL.DLL : 1.0.0.7 14593 Bytes 23.01.2008 17:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 18.02.2008 10:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 16.04.2007 13:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 23.01.2008 17:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 12.02.2008 08:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 28.02.2008 08:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22.01.2008 17:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 23.01.2008 17:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 25.01.2008 12:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 10.03.2008 14:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 06.03.2008 12:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\programfiler\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 20. april 2008 22:42

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'usnsvc.exe' - '1' Module(s) have been scanned
Scan process 'CCC.exe' - '1' Module(s) have been scanned
Scan process 'DigiCell.exe' - '1' Module(s) have been scanned
Scan process 'CoreCenter.exe' - '1' Module(s) have been scanned
Scan process 'RocketDock.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'MOM.exe' - '1' Module(s) have been scanned
Scan process 'cfp.exe' - '1' Module(s) have been scanned
Scan process 'Center.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'vmware-authd.exe' - '1' Module(s) have been scanned
Scan process 'vmnetdhcp.exe' - '1' Module(s) have been scanned
Scan process 'vmnat.exe' - '1' Module(s) have been scanned
Scan process 'vmount2.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'cmdagent.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
42 processes with 42 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
 [INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
 [INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '39' files ).

Starting the file scan:

Begin scan in 'C:\' <aaa>
C:\hiberfil.sys
 [WARNING] The file could not be opened!
C:\pagefile.sys
 [WARNING] The file could not be opened!
C:\Documents and Settings\aaa\Programdata\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-42e05065-7cc3403d.zip
 [0] Archive type: ZIP
 --> BnnnnBaa.class
 [DETECTION] Is the Trojan horse TR/Java.Downloader.Gen
 --> VaannnaaBaa.class
 [DETECTION] Is the Trojan horse TR/ClassLoader
 --> Dnnny.class
 [DETECTION] Contains detection pattern of the Java virus JAVA/Exploit.Bytverify.5
 --> Bnnnnn.class
 [DETECTION] Is the Trojan horse TR/Java.ClassLoader.AS
 --> Den.class
 [DETECTION] Is the Trojan horse TR/Exploit.Bytverify
 --> Din.class
 [DETECTION] Is the Trojan horse TR/Exploit.Bytverify.A
 --> Dun.class
 [DETECTION] Is the Trojan horse TR/Exploit.Bytverify.B
 [NOTE] The file was moved to '487bad4d.qua'!

End of the scan: 20. april 2008 23:47
Used time: 1:05:08 min

The scan has been done completely.

12006 Scanning directories
337076 Files were scanned
6 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
0 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
337070 Files not concerned
8075 Archives were scanned
2 Warnings
1 Notes

Here is the new log:

Avira AntiVir Personal
Report file date: 22. april 2008 19:14

Scanning for 1227832 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: aaa

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 09.04.2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 18.03.2008 09:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 07.02.2008 08:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 28.02.2008 08:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 21.02.2008 08:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18.07.2007 10:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 07.03.2008 13:08:58
ANTIVIR2.VDF : 7.0.3.156 795136 Bytes 11.04.2008 20:37:58
ANTIVIR3.VDF : 7.0.3.195 472576 Bytes 21.04.2008 20:35:15
Engineversion : 8.1.0.32
AEVDF.DLL : 8.1.0.5 102772 Bytes 25.02.2008 09:58:21
AESCRIPT.DLL : 8.1.0.26 233850 Bytes 20.04.2008 20:39:18
AESCN.DLL : 8.1.0.14 119156 Bytes 20.04.2008 20:39:17
AERDL.DLL : 8.1.0.19 418164 Bytes 07.04.2008 15:34:44
AEPACK.DLL : 8.1.1.2 364917 Bytes 20.04.2008 20:39:16
AEOFFICE.DLL : 8.1.0.18 192890 Bytes 20.04.2008 20:39:15
AEHEUR.DLL : 8.1.0.18 1167735 Bytes 20.04.2008 20:39:14
AEHELP.DLL : 8.1.0.14 115063 Bytes 20.04.2008 20:39:10
AEGEN.DLL : 8.1.0.17 299380 Bytes 20.04.2008 20:39:10
AEEMU.DLL : 8.1.0.5 430450 Bytes 07.04.2008 15:34:43
AECORE.DLL : 8.1.0.27 168310 Bytes 20.04.2008 20:39:08
AVWINLL.DLL : 1.0.0.7 14593 Bytes 23.01.2008 17:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 18.02.2008 10:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 16.04.2007 13:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 23.01.2008 17:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 12.02.2008 08:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 28.02.2008 08:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22.01.2008 17:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 23.01.2008 17:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 25.01.2008 12:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 10.03.2008 14:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 06.03.2008 12:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\programfiler\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 22. april 2008 19:14

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'usnsvc.exe' - '1' Module(s) have been scanned
Scan process 'CCC.exe' - '1' Module(s) have been scanned
Scan process 'DigiCell.exe' - '1' Module(s) have been scanned
Scan process 'CoreCenter.exe' - '1' Module(s) have been scanned
Scan process 'RocketDock.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'cfp.exe' - '1' Module(s) have been scanned
Scan process 'MOM.exe' - '1' Module(s) have been scanned
Scan process 'Center.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'vmware-authd.exe' - '1' Module(s) have been scanned
Scan process 'vmnetdhcp.exe' - '1' Module(s) have been scanned
Scan process 'vmnat.exe' - '1' Module(s) have been scanned
Scan process 'vmount2.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'cmdagent.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have
been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned Scan process 'lsass.exe' - '1' Module(s) have been scanned Scan process 'services.exe' - '1' Module(s) have been scanned Scan process 'winlogon.exe' - '1' Module(s) have been scanned Scan process 'csrss.exe' - '1' Module(s) have been scanned Scan process 'smss.exe' - '1' Module(s) have been scanned 42 processes with 42 modules were scanned Starting master boot sector scan: Master boot sector HD0 [iNFO] No virus was found! Start scanning boot sectors: Boot sector 'C:\' [iNFO] No virus was found! Starting to scan the registry. The registry was scanned ( '39' files ). Starting the file scan: Begin scan in 'C:\' <aaa> C:\hiberfil.sys [WARNING] The file could not be opened! C:\pagefile.sys [WARNING] The file could not be opened! End of the scan: 22. april 2008 20:40 Used time: 1:26:23 min The scan has been done completely. 11788 Scanning directories 335271 Files were scanned 0 viruses and/or unwanted programs were found 0 Files were classified as suspicious: 0 files were deleted 0 files were repaired 0 files were moved to quarantine 0 files were renamed 2 Files cannot be scanned 335271 Files not concerned 8020 Archives were scanned 2 Warnings 0 Notes> Endret 22. april 2008 av ed9 Lenke til kommentar
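Added example, not part of the thread and not Avira's own tooling: a small Python script that parses the summary block at the end of an Avira AntiVir report, works out how many detections the summary leaves unhandled (found minus deleted/repaired/quarantined/renamed), lists the files the scanner could not open, and gives a before/after comparison of two reports. The two summary blocks from the scans in this thread are embedded as constructed sample input copied from the logs above. The script's one rule of its own, an assumption rather than anything Avira documents, is that C:\hiberfil.sys and C:\pagefile.sys are the only files expected to be unreadable, because Windows keeps them locked while it is running; any other "could not be opened" warning is flagged for review. All function names are the example's own.

```python
import re

# Constructed sample input: the summary lines of the two scans posted in the thread.
FIRST_SCAN_SUMMARY = """
12006 Scanning directories
337076 Files were scanned
6 viruses and/or unwanted programs were found
1 Files were classified as suspicious:
0 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
337070 Files not concerned
8075 Archives were scanned
2 Warnings
1 Notes
"""

SECOND_SCAN = r"""
C:\hiberfil.sys
    [WARNING] The file could not be opened!
C:\pagefile.sys
    [WARNING] The file could not be opened!

End of the scan: 22. april 2008 20:40
Used time: 1:26:23 min

The scan has been done completely.

11788 Scanning directories
335271 Files were scanned
0 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
335271 Files not concerned
8020 Archives were scanned
2 Warnings
0 Notes
"""

# Summary labels as Avira prints them, keyed by a short name.
COUNTERS = {
    "found": "viruses and/or unwanted programs were found",
    "suspicious": "Files were classified as suspicious",
    "deleted": "files were deleted",
    "repaired": "files were repaired",
    "quarantined": "files were moved to quarantine",
    "renamed": "files were renamed",
    "unscannable": "Files cannot be scanned",
    "warnings": "Warnings",
    "notes": "Notes",
}

# Assumption of this example: files Windows itself holds locked during a scan.
EXPECTED_LOCKED = {"hiberfil.sys", "pagefile.sys"}
OPEN_FAILURE = "[WARNING] The file could not be opened!"


def parse_summary(report: str) -> dict:
    """Return {counter name: integer} for every summary line found in the report."""
    counts = {}
    for line in report.splitlines():
        m = re.match(r"^\s*(\d+)\s+(.+?)\s*$", line)
        if not m:
            continue
        value, label = int(m.group(1)), m.group(2)
        for key, text in COUNTERS.items():
            if re.fullmatch(re.escape(text) + r":?", label):
                counts[key] = value
    return counts


def unresolved(counts: dict) -> int:
    """Detections the summary does not account for with a delete/repair/quarantine/rename."""
    handled = sum(counts.get(k, 0) for k in ("deleted", "repaired", "quarantined", "renamed"))
    return max(counts.get("found", 0) - handled, 0)


def unscannable_files(report: str) -> list:
    """Paths Avira reported as unreadable; the path is on the preceding line or the same line."""
    paths, prev = [], ""
    for line in report.splitlines():
        s = line.strip()
        if OPEN_FAILURE in s:
            before = s.split(OPEN_FAILURE, 1)[0].strip()
            paths.append(before or prev)
        elif s:
            prev = s
    return paths


def verdict(report: str) -> str:
    counts = parse_summary(report)
    if unresolved(counts) > 0 or counts.get("suspicious", 0) > 0:
        return "detections-unresolved"
    unexpected = [p for p in unscannable_files(report)
                  if p.rsplit("\\", 1)[-1].lower() not in EXPECTED_LOCKED]
    return "review-unscannable" if unexpected else "clean"


def compare(before: str, after: str) -> dict:
    """Counters that changed between two reports, as {name: (before, after)}."""
    b, a = parse_summary(before), parse_summary(after)
    return {k: (b.get(k, 0), a.get(k, 0)) for k in COUNTERS if b.get(k, 0) != a.get(k, 0)}


if __name__ == "__main__":
    for name, rep in (("first scan", FIRST_SCAN_SUMMARY), ("second scan", SECOND_SCAN)):
        c = parse_summary(rep)
        print(f"{name}: unresolved={unresolved(c)} verdict={verdict(rep)} unreadable={unscannable_files(rep)}")
    print("changed:", compare(FIRST_SCAN_SUMMARY, SECOND_SCAN))
```

Run against the two summaries above, the first scan comes out as "detections-unresolved" (6 found, only 1 moved to quarantine, 1 suspicious), and the second as "clean", with both "could not be opened" warnings attributed to the expected locked system files.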
snippsat Posted 22 April 2008
Then that's fine. You can remove ComboFix by typing combofix /u in the Run dialog. This command deletes the quarantined files and the backups, resets the System Restore folder, etc. Surf safely.
ed9 (author) Posted 22 April 2008
Sounds good. Thanks for the help!