Cloud, written 24 April 2008 (edited)

Got a virus on a PC at work. Can't run SAS, but have run ComboFix, CCleaner and HijackThis.

ComboFix log:
HijackThis log:
EDIT: Got SAS installed after ComboFix had done its thing. Will post an update later.

Edited 24 April 2008 by Cloud
norbat, written 24 April 2008

After you have run SAS, it would be good if you could make a new ComboFix log + HJT log. (Just replace the ones you posted above.)
Cloud (author), written 24 April 2008

HijackThis log:
ComboFix log:
SAS removed about 150 files that shouldn't have been there.
norbat, posted 24 April 2008

Start HJT, choose "Do a system scan only", tick the following lines and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O2 - BHO: winapi32.MyBHO - {62E2E094-F989-48C6-B947-6E79DA2294F9} - C:\WINDOWS\system32\winapi32.dll (file missing)
O4 - HKCU\..\Run: [wruwzyvo] C:\WINDOWS\system32\tcnsjkzw.exe
O20 - Winlogon Notify: awtutndu - awtuTNDU.dll (file missing)
O21 - SSODL: vadokmxt - {8D77CD95-EA5C-4791-B87E-48310EA70B85} - C:\WINDOWS\vadokmxt.dll (file missing)
O21 - SSODL: wdpoefan - {DA45875A-87F4-47A9-BB24-ABF3D98C68EE} - C:\WINDOWS\wdpoefan.dll (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

Open Notepad, paste in the text shown in bold below and save the file on the desktop as CFScript.txt. Then drag the file onto the ComboFix icon. ComboFix will start again. Post the log.

File::
C:\epnhxax.exe
C:\WINDOWS\ydhqzop.sys
C:\WINDOWS\TEMP\ABB027.EXE

Folder::
C:\Documents and Settings\All Users\Programdata\ehkzovwl
C:\871140395

Driver::
HZQBWMCX

Post the ComboFix log plus a new HJT log. I would also like to see the log from SAS (Preferences -> Statistics/Logs).
Cloud (thread author), posted 25 April 2008

That is done. ComboFix:

ComboFix 08-04-22.5 - administrator 2008-04-25 14:06:21.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.224 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator.XXL\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator.XXL\Skrivebord\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\epnhxax.exe
C:\WINDOWS\TEMP\ABB027.EXE
C:\WINDOWS\ydhqzop.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\871140395\
C:\Documents and Settings\All Users\Programdata\ehkzovwl
C:\epnhxax.exe
C:\WINDOWS\ydhqzop.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_HZQBWMCX
-------\Service_HZQBWMCX
-------\Service_ydhqzop

((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.
2008-04-24 16:36 . 2008-04-24 16:36 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-04-24 16:34 . 2008-04-24 16:34 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware
2008-04-24 16:34 . 2008-04-24 16:34 <DIR> d-------- C:\Documents and Settings\Administrator.XXL\Programdata\SUPERAntiSpyware.com
2008-04-24 15:41 . 2008-04-24 15:41 <DIR> d-------- C:\Programfiler\CCleaner
2008-04-24 15:33 . 2008-04-24 15:33 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-04-24 15:32 . 2008-04-24 15:32 <DIR> d-------- C:\Programfiler\Opera
2008-04-24 15:23 . 2008-04-24 15:23 <DIR> d-------- C:\Documents and Settings\Administrator.XXL\Programdata\TmpRecentIcons
2008-04-23 22:18 . 2008-04-23 22:18 <DIR> d-------- C:\Documents and Settings\geni\Programdata\TmpRecentIcons
2008-04-23 20:46 . 2008-04-23 20:46 2 --a------ C:\871140395
2008-04-17 12:55 . 2008-04-17 12:55 <DIR> d-------- C:\Documents and Settings\geni\Programdata\DVMS
2008-04-17 12:53 . 2008-04-17 12:53 <DIR> d-------- C:\Programfiler\DVMS
2008-04-17 12:52 . 2008-04-17 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\DVMS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 13:39 --------- d-----w C:\Programfiler\Trend Micro
2008-04-24 08:27 --------- d-----w C:\Programfiler\Google
2008-04-14 09:13 --------- d-----w C:\Documents and Settings\geni\Programdata\ICAClient
.
((((((((((((((((((((((((((((( snapshot@2008-04-24_16.16.13.94 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-24 13:49:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-25 12:09:35 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-24 14:34:29 34,304 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF1.exe
+ 2005-03-15 15:52:48 172,099 ----a-w C:\WINDOWS\TEMP\TLB027.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:00 15360]
"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-05-06 17:52 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-05-06 17:48 118784]
"Smapp"="C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 10:08 143360]
"SSC_UserPrompt"="C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-09-13 13:08 218240]
"SetRefresh"="C:\Programfiler\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 20:01 525824]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 10:00 143360]
"OfficeScanNT Monitor"="C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-04-19 00:52 335872]
"Windows Defender"="C:\Programfiler\Windows Defender\MSASCui.exe" [2006-04-03 18:12 777424]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43 83608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 10:00 15360]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\Microsoft ActiveSync\\wcescomm.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 00:19:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Programfiler\Windows Defender\MpCmdRun.exe
"2008-04-23 18:56:00 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Programfiler\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 14:11:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\TEMP\TLB027.EXE
.
**************************************************************************
.
Completion time: 2008-04-25 14:16:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-25 12:16:16
ComboFix2.txt 2008-04-24 15:03:15
ComboFix3.txt 2008-04-24 14:19:05
ComboFix4.txt 2008-04-24 14:16:28
Pre-Run: 31,247,052,800 bytes free
Post-Run: 31,250,022,400 bytes free
126 --- E O F --- 2008-04-19 01:40:40

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:17, on 2008-04-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\TEMP\TLB027.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Programfiler\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Programfiler\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Programfiler\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Opprett mobil favoritt - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Opprett mobil favoritt... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programfiler\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bravida.no
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxl.no
O17 - HKLM\Software\..\Telephony: DomainName = xxl.no
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxl.no
O20 - Winlogon Notify: !saswinlogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programfiler\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Programfiler\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 6232 bytes

SAS (first scan):

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/24/2008 at 04:54 PM

Application Version : 4.0.1154

Core Rules Database Version : 3446
Trace Rules Database Version: 1438

Scan type : Complete Scan
Total Scan Time : 00:15:41

Memory items scanned : 340
Memory threats detected : 3
Registry items scanned : 4957
Registry threats detected : 47
File items scanned : 11451
File threats detected : 96

Trojan.Unclassified/Multi-Dropper (Packed)
C:\DOCUMENTS AND SETTINGS\ALL USERS\PROGRAMDATA\EHKZOVWL\CVSHIDCP.EXE
[saVTXtKNcI] C:\DOCUMENTS AND SETTINGS\ALL USERS\PROGRAMDATA\EHKZOVWL\CVSHIDCP.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\PROGRAMDATA\EHKZOVWL\CVSHIDCP.EXE
C:\WINDOWS\Prefetch\CVSHIDCP.EXE-11BFA788.pf

Adware.Vundo-Variant/J
C:\WINDOWS\VADOKMXT.DLL
C:\WINDOWS\VADOKMXT.DLL
C:\WINDOWS\WDPOEFAN.DLL
C:\WINDOWS\WDPOEFAN.DLL

Trojan.Unclassified/Multi-Dropper
[bganywkl] C:\WINDOWS\SYSTEM32\DOFCXCJU.EXE
C:\WINDOWS\SYSTEM32\DOFCXCJU.EXE
C:\WINDOWS\SYSTEM32\TCNSJKZW.EXE
C:\WINDOWS\SYSTEM32\WLEDARGV.EXE
C:\WINDOWS\Prefetch\WLEDARGV.EXE-03C67F4A.pf

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}
HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}
HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}
HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}\Implemented Categories
HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}\InprocServer32
HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}\InprocServer32#ThreadingModel
HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}\ProgID
HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}\Programmable
HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}\TypeLib
HKCR\CLSID\{2513A321-CB50-4C5F-91C5-80342AFACFB1}\VERSION
C:\WINDOWS\SYSTEM32\ADOBEPNL.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2513A321-CB50-4C5F-91C5-80342AFACFB1}

Adware.SXGAdvisor-A
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}
HKCR\CLSID\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}
HKCR\CLSID\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}
HKCR\CLSID\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}\InprocServer32
HKCR\CLSID\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}\InprocServer32#ThreadingModel
HKCR\CLSID\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}\ProgID
HKCR\CLSID\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}\Programmable
HKCR\CLSID\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}\TypeLib
HKCR\CLSID\{AEAFB69D-EDE2-47C8-BDBA-D8938DE059D3}\VersionIndependentProgID
C:\WINDOWS\QNMARGOLEWK.DLL

Trojan.Unclassified/GTS
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{CE66268D-0208-4D9E-8BC7-12D91072A34D}
HKCR\CLSID\{CE66268D-0208-4D9E-8BC7-12D91072A34D}
HKCR\CLSID\{CE66268D-0208-4D9E-8BC7-12D91072A34D}
HKCR\CLSID\{CE66268D-0208-4D9E-8BC7-12D91072A34D}\InprocServer32
HKCR\CLSID\{CE66268D-0208-4D9E-8BC7-12D91072A34D}\InprocServer32#ThreadingModel
HKCR\CLSID\{CE66268D-0208-4D9E-8BC7-12D91072A34D}\ProgID
HKCR\CLSID\{CE66268D-0208-4D9E-8BC7-12D91072A34D}\Programmable
HKCR\CLSID\{CE66268D-0208-4D9E-8BC7-12D91072A34D}\TypeLib
HKCR\CLSID\{CE66268D-0208-4D9E-8BC7-12D91072A34D}\VersionIndependentProgID
HKCR\dpevflbg.1
HKCR\dpevflbg
HKCR\TypeLib\{D9C28083-E28D-4AB3-B109-82758B1B484C}
HKCR\TypeLib\{D9C28083-E28D-4AB3-B109-82758B1B484C}\1.0
HKCR\TypeLib\{D9C28083-E28D-4AB3-B109-82758B1B484C}\1.0
HKCR\TypeLib\{D9C28083-E28D-4AB3-B109-82758B1B484C}\1.0\win32
HKCR\TypeLib\{D9C28083-E28D-4AB3-B109-82758B1B484C}\1.0\FLAGS
HKCR\TypeLib\{D9C28083-E28D-4AB3-B109-82758B1B484C}\1.0\HELPDIR
C:\WINDOWS\DPEVFLBG.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Administrator.XXL\Cookies\administrator@1071761544[1].txt
C:\Documents and Settings\Administrator.XXL\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator.XXL\Cookies\administrator@tradedoubler[2].txt
C:\Documents and Settings\Administrator.XXL\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator.XXL\Cookies\administrator@57028022[1].txt
C:\Documents and Settings\Administrator.XXL\Cookies\administrator@cgi-bin[1].txt
C:\Documents and Settings\Administrator.XXL\Cookies\administrator@gomyhit[3].txt
C:\Documents and Settings\Administrator.XXL\Cookies\administrator@atwola[1].txt
C:\Documents and Settings\Administrator.XXL\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator.XXL\Cookies\administrator@systemerrorfixer[1].txt
C:\Documents and Settings\Administrator.XXL\Cookies\administrator@gomyhit[1].txt
C:\Documents and Settings\Administrator.XXL\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator.XXL\Cookies\administrator@advertising[1].txt
C:\Documents and Settings\Administrator.XXL\Cookies\administrator@hitbox[2].txt
C:\Documents and Settings\Administrator.XXL\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator.XXL\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator.XXL\Cookies\administrator@adnetserver[1].txt
C:\Documents and Settings\geni\Cookies\[email protected][1].txt
C:\Documents and Settings\geni\Cookies\[email protected][1].txt
C:\Documents and Settings\geni\Cookies\[email protected][2].txt
C:\Documents and Settings\oyha\Cookies\oyha@2o7[2].txt
C:\Documents and Settings\oyha\Cookies\[email protected][1].txt
C:\Documents and Settings\oyha\Cookies\oyha@doubleclick[2].txt
C:\Documents and Settings\oyha\Cookies\oyha@mediaplex[2].txt
C:\Documents and Settings\oyha\Cookies\[email protected][2].txt
C:\Documents and Settings\oyha\Cookies\oyha@tradedoubler[2].txt

Trojan.Painter
HKCR\winapi32.MyBHO
HKCR\winapi32.MyBHO\Clsid

Trojan.Malware
C:\WINDOWS\bg.gif

Trojan.Unknown Origin
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\BG_BG.GIF

Adware.Admess
HKCR\AppId\{F6BDB4E5-D6AA-4D1F-8B67-BCB0F2246E21}
HKCR\AppId\WStart.DLL
HKCR\AppId\WStart.DLL#WStart

Browser Hijacker.Internet Explorer Settings Hijack
HKU\s-1-5-21-583907252-1614895754-682003330-500\Software\Microsoft\Internet Explorer\Main#Start Page [ http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2 ]

Trojan.SUSP/Transponder
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#Transponder [ C:\WINDOWS\system32\susp.exe ]

Trojan.Unclassified/CFTMon-Fake
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR.XXL\CFTMON.EXE
C:\DOCUMENTS AND SETTINGS\GENI\CFTMON.EXE
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\CFTMON.EXE
C:\WINDOWS\Prefetch\CFTMON.EXE-28DDC928.pf

Trojan.Unclassified/Dropper-Packed
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B443AFD0-89DD-4B1D-95CE-6B4A81A892B7}\RP569\A0101667.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B443AFD0-89DD-4B1D-95CE-6B4A81A892B7}\RP570\A0101698.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B443AFD0-89DD-4B1D-95CE-6B4A81A892B7}\RP570\A0102695.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B443AFD0-89DD-4B1D-95CE-6B4A81A892B7}\RP572\A0102725.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B443AFD0-89DD-4B1D-95CE-6B4A81A892B7}\RP572\A0102733.EXE

Trojan.Downloader-Gen/Win
C:\WINDOWS\OLGDQARF.EXE
C:\WINDOWS\WXVGSDBQ.EXE

Trojan.Laguna Media
C:\WINDOWS\SPACER.GIF'

Trojan.Fake-Drop/Gen
C:\WINDOWS\SYSTEM32\AKTTZN.EXE
C:\WINDOWS\SYSTEM32\ANTICIPATOR.DLL
C:\WINDOWS\SYSTEM32\AWTOOLB.DLL
C:\WINDOWS\SYSTEM32\BDN.COM
C:\WINDOWS\SYSTEM32\CWS_IESTART.EXE
C:\WINDOWS\SYSTEM32\H@TKEYSH@@K.DLL
C:\WINDOWS\SYSTEM32\HOPROXY.DLL
C:\WINDOWS\SYSTEM32\HXIWLGPM.DAT
C:\WINDOWS\SYSTEM32\HXIWLGPM.EXE
C:\WINDOWS\SYSTEM32\MEDUP012.DLL
C:\WINDOWS\SYSTEM32\MEDUP020.DLL
C:\WINDOWS\SYSTEM32\MSGP.EXE
C:\WINDOWS\SYSTEM32\MSNBHO.DLL
C:\WINDOWS\SYSTEM32\MSSECU.EXE
C:\WINDOWS\SYSTEM32\MSVCHOST.EXE
C:\WINDOWS\SYSTEM32\MTR2.EXE
C:\WINDOWS\SYSTEM32\MWIN32.EXE
C:\WINDOWS\SYSTEM32\NETODE.EXE
C:\WINDOWS\SYSTEM32\NEWSD32.EXE
C:\WINDOWS\SYSTEM32\PS1.EXE
C:\WINDOWS\SYSTEM32\REGC64.DLL
C:\WINDOWS\SYSTEM32\REGM64.DLL
C:\WINDOWS\SYSTEM32\RUNDL1.EXE
C:\WINDOWS\SYSTEM32\SSURF022.DLL
C:\WINDOWS\SYSTEM32\SSVCHOST.COM
C:\WINDOWS\SYSTEM32\SSVCHOST.EXE
C:\WINDOWS\SYSTEM32\SYSREQ.EXE
C:\WINDOWS\SYSTEM32\TAACK.DAT
C:\WINDOWS\SYSTEM32\TAACK.EXE
C:\WINDOWS\SYSTEM32\TEMP#01.EXE
C:\WINDOWS\SYSTEM32\THUN.DLL
C:\WINDOWS\SYSTEM32\THUN32.DLL
C:\WINDOWS\SYSTEM32\VBIEWER.OCX
C:\WINDOWS\SYSTEM32\VBSYS2.DLL
C:\WINDOWS\SYSTEM32\VCATCHPI.DLL
C:\WINDOWS\SYSTEM32\WINLOGONPC.EXE
C:\WINDOWS\SYSTEM32\WINSYSTEM.EXE
C:\WINDOWS\SYSTEM32\WINWGPX.EXE

Dpcproxy
C:\WINDOWS\SYSTEM32\DPCPROXY.EXE

Adware.Mirar/NetNucleus
C:\WINDOWS\SYSTEM32\MIRARSEARCH_TOOLBAR.EXE

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\PSOF1.EXE

Adware.Pacer D
C:\WINDOWS\SYSTEM32\PSOFT1.EXE

Trojan.Dluca-I
C:\WINDOWS\SYSTEM32\SNCNTR.EXE
norbat, posted 25 April 2008

You have a process running from the TEMP folder, C:\WINDOWS\TEMP\TLB027.EXE, which I do not recognise. You could check the file at http://virusscan.jotti.org/. Beyond that there is not much more to fix.

You can update Java: http://java.com/en/download/index.jsp

When everything is running fine, you can uninstall ComboFix by typing combofix /u in the Run box (Start -> Run). This removes the program and the quarantine files, and resets System Restore so that you do not get reinfected by a later system restore.
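The checks norbat applied by eye in his two replies above (the HijackThis lines to tick, and the unknown executable running from C:\WINDOWS\TEMP) can be written down as a small log triage. The script below is an added example for this page, not a tool from the thread, from Trend Micro or from SUPERAntiSpyware. Its benign-start-page allowlist and its "eight random lowercase letters" name pattern are assumptions tuned to this particular infection, and the embedded sample log is constructed from the entries quoted above, with the truncated hijack URL replaced by an invented one.

```python
"""Triage of a HijackThis log: the checks a removal helper applies by eye.
Added example for this page, not a tool from the thread. The benign-page
allowlist and the eight-letter-name pattern are assumptions tuned to the
infection above, not general rules."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: only Microsoft's fwlink defaults are benign start/search pages;
# a corporate default (cf. the O14 IERESET.INF entry) would need adding here.
BENIGN_PAGE_PREFIXES = ("http://go.microsoft.com/fwlink/",)
# Assumption: this family used eight random lowercase letters for both the
# Run value name and the dropped file, e.g. [wruwzyvo] -> tcnsjkzw.exe.
RANDOM8 = re.compile(r"^[a-z]{8}$")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
ENTRY_LINE = re.compile(r"^[A-Z]\d+ - ")  # R0, O2, O23 ... entry lines
PAGE_LINE = re.compile(
    r"^R[01] - .*,(?:Start Page|Search Page|Default_Page_URL|Default_Search_URL) = (\S+)")
RUN_LINE = re.compile(r"^O4 - .*\\Run: \[([^\]]+)\] (.+)$")

ORPHAN = "entry points at a file that is already gone; tick it in HijackThis"
HIJACK = "start/search page changed away from the vendor default"
RANDOM_NAME = "Run entry with a random eight-letter name and image"
LOCAL_DESKTOP = "Active Desktop component served from a local HTML file"
TEMP_PROCESS = "process running from a TEMP directory; hash and scan it first"


@dataclass(frozen=True)
class Finding:
    reason: str
    line: str


def image_path(cmd: str) -> str:
    """Strip arguments from a Run value; a quoted path keeps its spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|com|scr))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def stem(path: str) -> str:
    """Basename without extension: 'tcnsjkzw' for C:\\...\\tcnsjkzw.exe."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            if ENTRY_LINE.match(line):
                in_processes = False  # first R/O entry ends the process list
            else:
                if TEMP_DIR.search(line):
                    findings.append(Finding(TEMP_PROCESS, line))
                continue
        if "(file missing)" in line:
            findings.append(Finding(ORPHAN, line))
        elif (m := PAGE_LINE.match(line)) and not m.group(1).startswith(BENIGN_PAGE_PREFIXES):
            findings.append(Finding(HIJACK, line))
        elif (m := RUN_LINE.match(line)) and RANDOM8.match(m.group(1)) and RANDOM8.match(
            stem(image_path(m.group(2)))
        ):
            findings.append(Finding(RANDOM_NAME, line))
        elif line.startswith("O24 - ") and "file:///" in line:
            findings.append(Finding(LOCAL_DESKTOP, line))
    return findings


def hjt_fix_lines(findings: list[Finding]) -> list[str]:
    """Entries to tick under 'Fix checked'; a TEMP process is not an HJT entry."""
    return [f.line for f in findings if f.reason != TEMP_PROCESS]


# Constructed sample modelled on the log quoted above; the hijacked start-page
# URL is invented because the thread only shows a truncated one.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\TLB027.EXE
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.example/jump.php?wmid=1&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: winapi32.MyBHO - {62E2E094-F989-48C6-B947-6E79DA2294F9} - C:\WINDOWS\system32\winapi32.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [wruwzyvo] C:\WINDOWS\system32\tcnsjkzw.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: awtutndu - awtuTNDU.dll (file missing)
O21 - SSODL: vadokmxt - {8D77CD95-EA5C-4791-B87E-48310EA70B85} - C:\WINDOWS\vadokmxt.dll (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""
```

On the sample, `triage` returns seven findings: the TEMP process norbat queried and the six HJT entries that mirror the ones he asked to have fixed, while the Adobe BHO and the Windows Defender Run entry pass. `hjt_fix_lines` separates the two kinds, since a running process is not something HijackThis can fix; the "(file missing)" entries are worth ticking anyway because the loader, not the file, is what keeps the registry key alive across reboots. The name heuristic is deliberately narrow: legitimate 8-letter images such as igfxtray.exe are not flagged because their Run value name is not all-lowercase, but a different family would need a different pattern.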