M-J
Posted 26 June 2008 (edited)

I'm busy trying to clean a PC that was overrun with trojans, spyware and crap. Can anyone check through the logs and see what is left?

HJT log:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 18:33:15, on 26.06.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\program files\common files\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\Program Files\McAfee\VirusScan\McShield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\Program Files\McAfee\MSK\MskSrver.exe C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\ehome\RMSvc.exe C:\Program Files\SiteAdvisor\6261\SAService.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\stsystra.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\SiteAdvisor\6261\SiteAdv.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program 
Files\NetWaiting\netWaiting.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe C:\WINDOWS\ehome\RMSysTry.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Helen\Desktop\hjt\TESTETEST.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dellsearchedit.myway.com/samisc/del...ebar.jhtml?p=EG R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! 
Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll O2 - BHO: (no name) - {3833ba99-734a-4f25-a197-40b43a2b74f7} - C:\WINDOWS\system32\medxqfll.dll (file missing) O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O2 - BHO: (no name) - {7AB9A136-D60D-479A-890F-F94895BAAC14} - C:\WINDOWS\system32\yayxxuRI.dll (file missing) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file) O2 - BHO: (no name) - {C1A1B601-9E64-4598-8DF9-BADF60280F25} - C:\WINDOWS\system32\rqRHxxWp.dll (file missing) O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) O3 - Toolbar: Yahoo! 
Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [siteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Bluetooth Manager.lnk = ? O4 - Global Startup: Digital Line Detect.lnk = ? 
O4 - Global Startup: Ressursovervåking for Extender-enhet.lnk = C:\WINDOWS\ehome\RMSysTry.exe O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O15 - Trusted Zone: http://*.mcafee.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O20 - AppInit_DLLs: cbapusyh.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: awtuuSIC - awtuuSIC.dll (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. 
- C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe O23 - Service: NICCONFIGSVC - Dell Inc. 
- C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: SiteAdvisor-service (SiteAdvisor Service) - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 10562 bytes

SAS log:
SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 06/26/2008 at 04:46 PM Application Version : 4.15.1000 Core Rules Database Version : 3491 Trace Rules Database Version: 1482 Scan type : Complete Scan Total Scan Time : 00:50:18 Memory items scanned : 705 Memory threats detected : 3 Registry items scanned : 5793 Registry threats detected : 13 File items scanned : 25285 File threats detected : 173 Trojan.Downloader-NewJuan/VM C:\WINDOWS\SYSTEM32\CBAPUSYH.DLL C:\WINDOWS\SYSTEM32\CBAPUSYH.DLL C:\WINDOWS\SYSTEM32\MEDXQFLL.DLL C:\WINDOWS\SYSTEM32\MEDXQFLL.DLL Trojan.Vundo-Variant/Small C:\WINDOWS\SYSTEM32\XFGJJNHL.DLL C:\WINDOWS\SYSTEM32\XFGJJNHL.DLL C:\WINDOWS\SYSTEM32\ALDOSBVM.DLL C:\WINDOWS\SYSTEM32\AWTRRKED.DLL C:\WINDOWS\SYSTEM32\CDQDUMUL.DLL C:\WINDOWS\SYSTEM32\CVQFFWKU.DLL C:\WINDOWS\SYSTEM32\GEBUTKLM.DLL C:\WINDOWS\SYSTEM32\GHAKDAXM.DLL C:\WINDOWS\SYSTEM32\GNRCVIRI.DLL C:\WINDOWS\SYSTEM32\IIFFEXUV.DLL C:\WINDOWS\SYSTEM32\JYPMXSAQ.DLL C:\WINDOWS\SYSTEM32\KGBEUSCP.DLL C:\WINDOWS\SYSTEM32\KMVNAWFG.DLL C:\WINDOWS\SYSTEM32\LGKQJHAQ.DLL C:\WINDOWS\SYSTEM32\RHTYRRIV.DLL C:\WINDOWS\SYSTEM32\WASYAMDK.DLL C:\WINDOWS\SYSTEM32\WFBOSBPI.DLL C:\WINDOWS\SYSTEM32\WKWLNNQN.DLL C:\WINDOWS\SYSTEM32\XANQLBBX.DLL MyWay Search Assistant Computers HKLM\Software\Classes\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} 
HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32 HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32#ThreadingModel HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}\Programmable C:\PROGRAM FILES\MYWAYSA\SRCHASDE\DESRCAS.DLL HKU\S-1-5-21-1286288333-1029103634-3705034611-1005\Software\Microsoft\Internet Explorer\URLSearchHooks#{4D25F926-B9FE-4682-BF72-8AB8210D6D75} Adware.Tracking Cookie
Trojan.Media-Codec HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#user32.dll [ C:\Program Files\Video Access ActiveX Object\isamntr.exe ] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#eitheror [ {2016a466-91a2-43c6-97d8-2fd380f065ef} ] Adware.Vundo Variant/Rel HKLM\SOFTWARE\Microsoft\aoprndtws HKLM\SOFTWARE\Microsoft\FCOVM HKLM\SOFTWARE\Microsoft\RemoveRP HKU\S-1-5-21-1286288333-1029103634-3705034611-1005\Software\Microsoft\rdfa Adware.Vundo Variant C:\SYSTEM VOLUME INFORMATION\_RESTORE{F4F887E8-C53C-4245-8F1D-9D2E60F8E217}\RP235\A0165991.DLL Trace.Known Threat Sources C:\Documents and Settings\Thijs\Local Settings\Temporary Internet Files\Content.IE5\6R0FWHGP\antispyshield[1].htm C:\Documents and Settings\Thijs\Local Settings\Temporary Internet Files\Content.IE5\KD6BOPIR\CAJMG37L.htm

ComboFix log:
ComboFix 08-06-20.4 - Helen 2008-06-26 18:17:33.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.426 [GMT 2:00] Running from: C:\Documents and Settings\Helen\Desktop\ComboFix.exe * Resident AV is active WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\BMb3c3b8b3.xml C:\WINDOWS\cookies.ini C:\WINDOWS\pskt.ini C:\WINDOWS\system32\ipbsobfw.ini C:\WINDOWS\system32\IRuxxyay.ini C:\WINDOWS\system32\IRuxxyay.ini2 C:\WINDOWS\system32\jdpfmtgy.ini C:\WINDOWS\system32\koexbjfv.ini C:\WINDOWS\system32\lhnjjgfx.ini C:\WINDOWS\system32\nnvtllte.ini C:\WINDOWS\system32\onnecpfm.ini C:\WINDOWS\system32\pWxxHRqr.ini C:\WINDOWS\system32\pWxxHRqr.ini2 C:\WINDOWS\system32\rhmwgtsv.ini C:\WINDOWS\system32\uxrtacdq.ini C:\WINDOWS\system32\xcllihbq.ini . 
((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 ))))))))))))))))))))))))))))))) . 2008-06-26 17:08 . 2008-06-26 17:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion 2008-06-26 15:54 . 2008-06-26 15:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-06-26 15:53 . 2008-06-26 15:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-06-26 15:53 . 2008-06-26 15:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-06-26 15:53 . 2008-06-26 15:53 <DIR> d-------- C:\Documents and Settings\Helen\Application Data\SUPERAntiSpyware.com 2008-06-26 15:48 . 2008-06-26 15:49 <DIR> d-------- C:\Program Files\CCleaner 2008-06-25 23:03 . 2008-06-25 23:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy 2008-06-25 23:03 . 2008-06-26 15:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-06-25 22:52 . 2008-06-25 22:52 91,136 --a------ C:\WINDOWS\system32\oasaqqdf.dll 2008-06-25 21:49 . 2008-06-25 21:49 106,496 --a------ C:\WINDOWS\system32\amxvvfjb.dll 2008-06-24 01:03 . 2008-06-24 01:03 91,136 --a------ C:\WINDOWS\system32\lqheaqjh.dll 2008-06-22 00:25 . 2008-06-22 00:21 714 --ahs---- C:\WINDOWS\system32\xbblqnax.ini 2008-06-21 13:55 . 2008-06-22 00:21 714 ---hs---- C:\WINDOWS\system32\totkngja.ini 2008-06-19 23:56 . 2008-06-21 13:54 594 ---hs---- C:\WINDOWS\system32\jxriritq.ini 2008-06-19 23:08 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys 2008-06-19 23:08 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-19 16:55 . 2008-06-19 23:03 474 ---hs---- C:\WINDOWS\system32\hcnstskg.ini 2008-06-18 10:08 . 2008-06-19 16:54 1,246 ---hs---- C:\WINDOWS\system32\bxavchex.ini 2008-06-18 09:59 . 2008-06-18 10:03 1,126 ---hs---- C:\WINDOWS\system32\jorxcvwj.ini 2008-06-10 00:10 . 
2008-06-18 09:57 1,006 ---hs---- C:\WINDOWS\system32\avukvjix.ini 2008-06-09 00:08 . 2008-06-10 00:09 654 ---hs---- C:\WINDOWS\system32\iscxfppd.ini 2008-06-08 23:10 . 2008-06-08 23:38 534 ---hs---- C:\WINDOWS\system32\idblhssp.ini 2008-06-06 23:46 . 2008-06-08 23:04 414 ---hs---- C:\WINDOWS\system32\yusjkojc.ini 2008-06-05 18:09 . 2008-06-06 23:45 2,986 ---hs---- C:\WINDOWS\system32\oefjaogn.ini 2008-06-04 15:41 . 2008-06-05 18:07 2,866 ---hs---- C:\WINDOWS\system32\vewgequk.ini 2008-06-03 08:07 . 2008-06-04 15:40 2,626 ---hs---- C:\WINDOWS\system32\itubvyij.ini 2008-06-02 08:02 . 2008-06-03 08:06 2,206 ---hs---- C:\WINDOWS\system32\dsyiawhy.ini 2008-05-31 23:10 . 2008-06-02 08:00 1,666 ---hs---- C:\WINDOWS\system32\yndwcank.ini 2008-05-30 22:25 . 2008-05-31 23:05 1,426 ---hs---- C:\WINDOWS\system32\cmpmicsg.ini . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-26 13:48 --------- d-----w C:\Program Files\Yahoo! 2008-06-26 13:29 --------- d-----w C:\Program Files\McAfee 2008-06-23 20:43 --------- d-----w C:\Documents and Settings\Helen\Application Data\SiteAdvisor 2008-06-08 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee 2008-06-08 21:46 --------- d-----w C:\Documents and Settings\Helen\Application Data\McAfee 2008-05-29 11:47 --------- d-----w C:\Program Files\DivX 2008-05-26 21:26 --------- d-----w C:\Program Files\Google 2008-05-26 12:26 --------- d-----w C:\Program Files\Java 2008-05-23 21:22 --------- d-----w C:\Program Files\SiteAdvisor 2008-05-11 21:07 94,208 ----a-w C:\WINDOWS\DUMP92f9.tmp 2008-05-11 10:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\ArtPlant 2008-05-11 10:37 --------- d-----w C:\Program Files\AGEIA Technologies 2008-05-11 10:34 --------- d-----w C:\Documents and Settings\Helen\Application Data\GetRightToGo 2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-03-02 07:11 4,384,256 
--sha-w C:\Program Files\ehthumbs.db 2008-01-05 19:17 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat 2007-07-12 20:00 80 -csh--r C:\WINDOWS\system32\6E162F84C2.dll 2008-03-09 20:35 88 --sh--r C:\WINDOWS\system32\C2842F166E.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3833ba99-734a-4f25-a197-40b43a2b74f7}] C:\WINDOWS\system32\medxqfll.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7AB9A136-D60D-479A-890F-F94895BAAC14}] C:\WINDOWS\system32\yayxxuRI.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1A1B601-9E64-4598-8DF9-BADF60280F25}] C:\WINDOWS\system32\rqRHxxWp.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360] "ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24 20480] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584] "SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 22:35 397312 C:\WINDOWS\stsystra.exe] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 15:58 1032192] "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 15:43 45056] "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 12:55 667718] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 12:56 602182] 
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-02-09 19:18 36904] "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 06:00 15360] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 18:46:00 1724416] Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-24 16:43:08 24576] Ressursoverv†king for Extender-enhet.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18:55:40 18432] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtuuSIC] awtuuSIC.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=cbapusyh.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication 
Packages REG_MULTI_SZ msv1_0 nwprovau [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\BitLord\\BitLord.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "C:\\Documents and Settings\\Helen\\Desktop\\utorrent.exe"= "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3776:UDP"= 3776:UDP:Media Center Extender Service "3390:TCP"= 3390:TCP:Ekstern Media Center-opplevelse R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 18:55] S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 06:00] S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys [] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] QWAVE REG_MULTI_SZ QWAVE . Contents of the 'Scheduled Tasks' folder "2008-02-15 01:13:55 C:\WINDOWS\Tasks\McDefragTask.job" - c:\program files\mcafee\mqc\QcConsol.exe' "2007-12-01 00:00:01 C:\WINDOWS\Tasks\McQcTask.job" - c:\program files\mcafee\mqc\QcConsol.exe . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-26 18:25:36 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\explorer.exe -> C:\Program Files\SiteAdvisor\6261\saHook.dll . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\ati2evxx.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe C:\WINDOWS\ehome\ehrecvr.exe C:\WINDOWS\ehome\ehSched.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe C:\Program Files\McAfee\MPF\MpfSrv.exe C:\Program Files\McAfee\MSK\msksrver.exe C:\Program Files\Dell\QuickSet\NicConfigSvc.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\SiteAdvisor\6261\SAService.exe C:\WINDOWS\ehome\McrdSvc.exe C:\Program Files\Windows Media Player\wmpnetwk.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\ehome\ehmsas.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\WINDOWS\system32\imapi.exe . ************************************************************************** . Completion time: 2008-06-26 18:29:56 - machine was rebooted [Helen] ComboFix-quarantined-files.txt 2008-06-26 16:29:47 Pre-Run: 13,584,744,448 bytes free Post-Run: 16,121,892,864 bytes free 209 --- E O F --- 2008-06-26 13:22:17
Thanks in advance
M-J
Edited 26 June 2008 by M-J
r2d290 Posted 26 June 2008

Start HijackThis
Choose: Do a systemscan only
Tick the boxes in front of these lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dellsearchedit.myway.com/samisc/del...ebar.jhtml?p=EG
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {3833ba99-734a-4f25-a197-40b43a2b74f7} - C:\WINDOWS\system32\medxqfll.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {7AB9A136-D60D-479A-890F-F94895BAAC14} - C:\WINDOWS\system32\yayxxuRI.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {C1A1B601-9E64-4598-8DF9-BADF60280F25} - C:\WINDOWS\system32\rqRHxxWp.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O20 - AppInit_DLLs: cbapusyh.dll
O20 - Winlogon Notify: awtuuSIC - awtuuSIC.dll (file missing)

Close all windows and browsers (including the one you are reading this in), and click Fix checked.
Note: If you are asked to confirm fixing a line, confirm it.
Then restart the machine and post a Combofix log.

Also create a fresh HijackThis log:
Start HijackThis
Choose: Do a systemscan, and save a logfile
Post these logs in your next post.
M-J (author) Posted 26 June 2008

Thanks, thanks
Combofix:
ComboFix 08-06-20.4 - Helen 2008-06-26 19:40:45.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.47.1033.18.445 [GMT 2:00] Running from: C:\Documents and Settings\Helen\Desktop\ComboFix.exe * Resident AV is active WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML . ((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 ))))))))))))))))))))))))))))))) . 2008-06-26 17:08 . 2008-06-26 17:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion 2008-06-26 15:54 . 2008-06-26 15:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-06-26 15:53 . 2008-06-26 15:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-06-26 15:53 . 2008-06-26 15:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-06-26 15:53 . 2008-06-26 15:53 <DIR> d-------- C:\Documents and Settings\Helen\Application Data\SUPERAntiSpyware.com 2008-06-26 15:48 . 2008-06-26 15:49 <DIR> d-------- C:\Program Files\CCleaner 2008-06-25 23:03 . 2008-06-25 23:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy 2008-06-25 23:03 . 2008-06-26 15:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-06-25 22:52 . 2008-06-25 22:52 91,136 --a------ C:\WINDOWS\system32\oasaqqdf.dll 2008-06-25 21:49 . 2008-06-25 21:49 106,496 --a------ C:\WINDOWS\system32\amxvvfjb.dll 2008-06-24 01:03 . 2008-06-24 01:03 91,136 --a------ C:\WINDOWS\system32\lqheaqjh.dll 2008-06-22 00:25 . 2008-06-22 00:21 714 --ahs---- C:\WINDOWS\system32\xbblqnax.ini 2008-06-21 13:55 . 
2008-06-22 00:21 714 ---hs---- C:\WINDOWS\system32\totkngja.ini 2008-06-19 23:56 . 2008-06-21 13:54 594 ---hs---- C:\WINDOWS\system32\jxriritq.ini 2008-06-19 23:08 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys 2008-06-19 23:08 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-19 16:55 . 2008-06-19 23:03 474 ---hs---- C:\WINDOWS\system32\hcnstskg.ini 2008-06-18 10:08 . 2008-06-19 16:54 1,246 ---hs---- C:\WINDOWS\system32\bxavchex.ini 2008-06-18 09:59 . 2008-06-18 10:03 1,126 ---hs---- C:\WINDOWS\system32\jorxcvwj.ini 2008-06-10 00:10 . 2008-06-18 09:57 1,006 ---hs---- C:\WINDOWS\system32\avukvjix.ini 2008-06-09 00:08 . 2008-06-10 00:09 654 ---hs---- C:\WINDOWS\system32\iscxfppd.ini 2008-06-08 23:10 . 2008-06-08 23:38 534 ---hs---- C:\WINDOWS\system32\idblhssp.ini 2008-06-06 23:46 . 2008-06-08 23:04 414 ---hs---- C:\WINDOWS\system32\yusjkojc.ini 2008-06-05 18:09 . 2008-06-06 23:45 2,986 ---hs---- C:\WINDOWS\system32\oefjaogn.ini 2008-06-04 15:41 . 2008-06-05 18:07 2,866 ---hs---- C:\WINDOWS\system32\vewgequk.ini 2008-06-03 08:07 . 2008-06-04 15:40 2,626 ---hs---- C:\WINDOWS\system32\itubvyij.ini 2008-06-02 08:02 . 2008-06-03 08:06 2,206 ---hs---- C:\WINDOWS\system32\dsyiawhy.ini 2008-05-31 23:10 . 2008-06-02 08:00 1,666 ---hs---- C:\WINDOWS\system32\yndwcank.ini 2008-05-30 22:25 . 2008-05-31 23:05 1,426 ---hs---- C:\WINDOWS\system32\cmpmicsg.ini . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-26 13:48 --------- d-----w C:\Program Files\Yahoo! 
2008-06-26 13:29 --------- d-----w C:\Program Files\McAfee 2008-06-23 20:43 --------- d-----w C:\Documents and Settings\Helen\Application Data\SiteAdvisor 2008-06-08 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee 2008-06-08 21:46 --------- d-----w C:\Documents and Settings\Helen\Application Data\McAfee 2008-05-29 11:47 --------- d-----w C:\Program Files\DivX 2008-05-26 21:26 --------- d-----w C:\Program Files\Google 2008-05-26 12:26 --------- d-----w C:\Program Files\Java 2008-05-23 21:22 --------- d-----w C:\Program Files\SiteAdvisor 2008-05-11 21:07 94,208 ----a-w C:\WINDOWS\DUMP92f9.tmp 2008-05-11 10:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\ArtPlant 2008-05-11 10:37 --------- d-----w C:\Program Files\AGEIA Technologies 2008-05-11 10:34 --------- d-----w C:\Documents and Settings\Helen\Application Data\GetRightToGo 2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-03-02 07:11 4,384,256 --sha-w C:\Program Files\ehthumbs.db 2008-01-05 19:17 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat 2007-07-12 20:00 80 -csh--r C:\WINDOWS\system32\6E162F84C2.dll 2008-03-09 20:35 88 --sh--r C:\WINDOWS\system32\C2842F166E.sys . ((((((((((((((((((((((((((((( snapshot@2008-06-26_18.29.27.98 ))))))))))))))))))))))))))))))))))))))))) . - 2008-06-26 16:23:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-26 17:45:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat - 2008-06-26 13:21:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat + 2008-06-26 17:28:47 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat - 2008-06-26 13:21:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2008-06-26 17:28:47 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2008-06-26 17:46:00 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_8b4.dat . 
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360] "ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24 20480] "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352] "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584] "SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 22:35 397312 C:\WINDOWS\stsystra.exe] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 15:58 1032192] "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 15:43 45056] "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 12:55 667718] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 12:56 602182] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-02-09 19:18 36904] "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] 
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 06:00 15360] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 18:46:00 1724416] Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-24 16:43:08 24576] Ressursoverv†king for Extender-enhet.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18:55:40 18432] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 nwprovau [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\BitLord\\BitLord.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "C:\\Documents and Settings\\Helen\\Desktop\\utorrent.exe"= "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3776:UDP"= 3776:UDP:Media Center Extender Service "3390:TCP"= 3390:TCP:Ekstern Media Center-opplevelse R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 18:55] S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 06:00] S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys [] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] QWAVE REG_MULTI_SZ QWAVE . Contents of the 'Scheduled Tasks' folder "2008-02-15 01:13:55 C:\WINDOWS\Tasks\McDefragTask.job" - c:\program files\mcafee\mqc\QcConsol.exe' "2007-12-01 00:00:01 C:\WINDOWS\Tasks\McQcTask.job" - c:\program files\mcafee\mqc\QcConsol.exe . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-26 19:46:47 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\explorer.exe -> C:\Program Files\SiteAdvisor\6261\saHook.dll . ------------------------ Other Running Processes ------------------------ . 
C:\WINDOWS\system32\ati2evxx.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe C:\WINDOWS\ehome\ehrecvr.exe C:\WINDOWS\ehome\ehSched.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe C:\Program Files\McAfee\MPF\MpfSrv.exe C:\Program Files\McAfee\MSK\msksrver.exe C:\Program Files\Dell\QuickSet\NicConfigSvc.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\ati2evxx.exe C:\Program Files\SiteAdvisor\6261\SAService.exe C:\WINDOWS\ehome\McrdSvc.exe C:\Program Files\Windows Media Player\wmpnetwk.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\ehome\ehmsas.exe C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe . ************************************************************************** . 
Completion time: 2008-06-26 19:51:11 - machine was rebooted ComboFix-quarantined-files.txt 2008-06-26 17:51:02 ComboFix2.txt 2008-06-26 16:29:57 Pre-Run: 16,127,008,768 bytes free Post-Run: 16,116,568,064 bytes free 194 --- E O F --- 2008-06-26 13:22:17 HJT Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:51:56, on 26.06.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\program files\common files\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\Program Files\McAfee\VirusScan\McShield.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\Program Files\McAfee\MSK\MskSrver.exe C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\ehome\RMSvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\SiteAdvisor\6261\SAService.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\system32\CF10493.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\stsystra.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\SiteAdvisor\6261\SiteAdv.exe C:\Program 
Files\Java\jre1.6.0_06\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\NetWaiting\netWaiting.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe C:\Program Files\Digital Line Detect\DLG.exe C:\WINDOWS\ehome\RMSysTry.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\regedit.exe C:\Documents and Settings\Helen\Desktop\hjt\TESTETEST.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll O2 - BHO: Yahoo! 
Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [siteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program 
Files\Java\jre1.6.0_06\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Bluetooth Manager.lnk = ? O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Ressursovervåking for Extender-enhet.lnk = C:\WINDOWS\ehome\RMSysTry.exe O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O15 - Trusted 
Zone: http://*.mcafee.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe O23 - Service: NICCONFIGSVC - Dell Inc. 
- C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: SiteAdvisor-service (SiteAdvisor Service) - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 9816 bytes
M-J
r2d290 Posted 26 June 2008

You can at least do the following:
Try once more to fix the line
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
Then restart the machine, start HijackThis, choose Do a systemscan only and tell me whether the line went away. Tell me if it did not.

You can do the following:
Start Notepad, copy what is in bold below, and paste it into Notepad.

File::
C:\WINDOWS\system32\oasaqqdf.dll
C:\WINDOWS\system32\amxvvfjb.dll
C:\WINDOWS\system32\lqheaqjh.dll
C:\WINDOWS\system32\xbblqnax.ini
C:\WINDOWS\system32\totkngja.ini
C:\WINDOWS\system32\jxriritq.ini
C:\WINDOWS\system32\hcnstskg.ini
C:\WINDOWS\system32\bxavchex.ini
C:\WINDOWS\system32\jorxcvwj.ini
C:\WINDOWS\system32\avukvjix.ini
C:\WINDOWS\system32\iscxfppd.ini
C:\WINDOWS\system32\idblhssp.ini
C:\WINDOWS\system32\yusjkojc.ini
C:\WINDOWS\system32\oefjaogn.ini
C:\WINDOWS\system32\vewgequk.ini
C:\WINDOWS\system32\itubvyij.ini
C:\WINDOWS\system32\dsyiawhy.ini
C:\WINDOWS\system32\yndwcank.ini
C:\WINDOWS\system32\cmpmicsg.ini

Save the file on the desktop as CFScript.
Drag the CFScript document onto the combofix icon, and Combofix will start again.
Post the log that combofix creates (c:\combofix.txt)

Edited 26 June 2008 by r2d290
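The check requested in the post above (did a fixed line disappear from the next scan?) can be done mechanically; this is an added example, not part of the original thread or of HijackThis. The function names are hypothetical, and the two sample strings are excerpts of log lines quoted on this page, with line breaks treated as plain whitespace because the logs here were pasted without reliable newlines.

```python
import re

# A HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24)
# followed by " - ". Matching on that recovers entries from a log whose
# newlines were lost when it was pasted into a forum post.
ENTRY_START = re.compile(r"(?:^|(?<=\s))(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Status suffixes HijackThis appends; they can change from one scan to the next.
STATUS = re.compile(r"\s*\((?:file missing|no file)\)\s*$", re.IGNORECASE)


def split_entries(log_text):
    """Return the R/F/N/O entries of a log, ignoring the header and process list."""
    body = log_text.split("-- End of file")[0]
    starts = [m.start() for m in ENTRY_START.finditer(body)]
    ends = starts[1:] + [len(body)]
    # Collapse every run of whitespace so wrapped and flattened logs compare equal.
    return [" ".join(body[s:e].split()) for s, e in zip(starts, ends)]


def entry_key(entry):
    """Identity of an entry: section code plus CLSID, or plus normalised text."""
    code, _, rest = entry.partition(" - ")
    clsid = CLSID.search(rest)
    if clsid:
        return (code, clsid.group(0).lower())
    return (code, STATUS.sub("", rest).lower())


def still_present(fixed_entries, later_log):
    """Entries that were ticked for 'Fix checked' but appear again in a later log."""
    later = {entry_key(e): e for e in split_entries(later_log)}
    return [later[entry_key(f)] for f in fixed_entries if entry_key(f) in later]


# Excerpt of the lines the helper asked to fix (taken from this page).
FIXED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://dellsearchedit.myway.com/samisc/del...ebar.jhtml?p=EG
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} -
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {3833ba99-734a-4f25-a197-40b43a2b74f7} -
C:\WINDOWS\system32\medxqfll.dll (file missing)
O20 - AppInit_DLLs: cbapusyh.dll
O20 - Winlogon Notify: awtuuSIC - awtuuSIC.dll (file missing)
"""

# Excerpt of the follow-up HijackThis log posted after the first fix (from this page).
AFTER_LOG = r"""
Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\explorer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} -
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} -
C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
-- End of file - 9816 bytes
"""

if __name__ == "__main__":
    for entry in still_present(split_entries(FIXED), AFTER_LOG):
        print("still present:", entry)
```

On these excerpts the only survivor is the MyWaySA URLSearchHook, the same line the post above asks to fix a second time.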
M-J (author) Posted 26 June 2008

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
went away

Combofix:
ComboFix 08-06-20.4 - Helen 2008-06-26 21:39:01.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.472 [GMT 2:00] Running from: C:\Documents and Settings\Helen\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Helen\Desktop\CFScript.txt * Created a new restore point * Resident AV is active WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 ))))))))))))))))))))))))))))))) . 2008-06-26 17:08 . 2008-06-26 17:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion 2008-06-26 15:54 . 2008-06-26 15:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-06-26 15:53 . 2008-06-26 15:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-06-26 15:53 . 2008-06-26 15:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-06-26 15:53 . 2008-06-26 15:53 <DIR> d-------- C:\Documents and Settings\Helen\Application Data\SUPERAntiSpyware.com 2008-06-26 15:48 . 2008-06-26 15:49 <DIR> d-------- C:\Program Files\CCleaner 2008-06-25 23:03 . 2008-06-26 21:30 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy 2008-06-25 23:03 . 2008-06-26 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-06-25 22:52 . 2008-06-25 22:52 91,136 --a------ C:\WINDOWS\system32\oasaqqdf.dll 2008-06-25 21:49 . 2008-06-25 21:49 106,496 --a------ C:\WINDOWS\system32\amxvvfjb.dll 2008-06-24 01:03 . 2008-06-24 01:03 91,136 --a------ C:\WINDOWS\system32\lqheaqjh.dll 2008-06-22 00:25 . 2008-06-22 00:21 714 --ahs---- C:\WINDOWS\system32\xbblqnax.ini 2008-06-21 13:55 . 
2008-06-22 00:21 714 ---hs---- C:\WINDOWS\system32\totkngja.ini 2008-06-19 23:56 . 2008-06-21 13:54 594 ---hs---- C:\WINDOWS\system32\jxriritq.ini 2008-06-19 23:08 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys 2008-06-19 23:08 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-19 16:55 . 2008-06-19 23:03 474 ---hs---- C:\WINDOWS\system32\hcnstskg.ini 2008-06-18 10:08 . 2008-06-19 16:54 1,246 ---hs---- C:\WINDOWS\system32\bxavchex.ini 2008-06-18 09:59 . 2008-06-18 10:03 1,126 ---hs---- C:\WINDOWS\system32\jorxcvwj.ini 2008-06-10 00:10 . 2008-06-18 09:57 1,006 ---hs---- C:\WINDOWS\system32\avukvjix.ini 2008-06-09 00:08 . 2008-06-10 00:09 654 ---hs---- C:\WINDOWS\system32\iscxfppd.ini 2008-06-08 23:10 . 2008-06-08 23:38 534 ---hs---- C:\WINDOWS\system32\idblhssp.ini 2008-06-06 23:46 . 2008-06-08 23:04 414 ---hs---- C:\WINDOWS\system32\yusjkojc.ini 2008-06-05 18:09 . 2008-06-06 23:45 2,986 ---hs---- C:\WINDOWS\system32\oefjaogn.ini 2008-06-04 15:41 . 2008-06-05 18:07 2,866 ---hs---- C:\WINDOWS\system32\vewgequk.ini 2008-06-03 08:07 . 2008-06-04 15:40 2,626 ---hs---- C:\WINDOWS\system32\itubvyij.ini 2008-06-02 08:02 . 2008-06-03 08:06 2,206 ---hs---- C:\WINDOWS\system32\dsyiawhy.ini 2008-05-31 23:10 . 2008-06-02 08:00 1,666 ---hs---- C:\WINDOWS\system32\yndwcank.ini 2008-05-30 22:25 . 2008-05-31 23:05 1,426 ---hs---- C:\WINDOWS\system32\cmpmicsg.ini . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-26 13:48 --------- d-----w C:\Program Files\Yahoo! 
2008-06-26 13:29 --------- d-----w C:\Program Files\McAfee 2008-06-23 20:43 --------- d-----w C:\Documents and Settings\Helen\Application Data\SiteAdvisor 2008-06-08 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee 2008-06-08 21:46 --------- d-----w C:\Documents and Settings\Helen\Application Data\McAfee 2008-05-29 11:47 --------- d-----w C:\Program Files\DivX 2008-05-26 21:26 --------- d-----w C:\Program Files\Google 2008-05-26 12:26 --------- d-----w C:\Program Files\Java 2008-05-23 21:22 --------- d-----w C:\Program Files\SiteAdvisor 2008-05-11 21:07 94,208 ----a-w C:\WINDOWS\DUMP92f9.tmp 2008-05-11 10:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\ArtPlant 2008-05-11 10:37 --------- d-----w C:\Program Files\AGEIA Technologies 2008-05-11 10:34 --------- d-----w C:\Documents and Settings\Helen\Application Data\GetRightToGo 2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-03-02 07:11 4,384,256 --sha-w C:\Program Files\ehthumbs.db 2008-01-05 19:17 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat 2007-07-12 20:00 80 -csh--r C:\WINDOWS\system32\6E162F84C2.dll 2008-03-09 20:35 88 --sh--r C:\WINDOWS\system32\C2842F166E.sys . ((((((((((((((((((((((((((((( snapshot@2008-06-26_18.29.27.98 ))))))))))))))))))))))))))))))))))))))))) . - 2008-06-26 16:23:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-06-26 19:43:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat - 2008-06-26 13:21:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat + 2008-06-26 17:28:47 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat - 2008-06-26 13:21:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2008-06-26 17:28:47 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2008-06-26 19:44:07 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_460.dat . 
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24 20480]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 22:35 397312 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 15:58 1032192]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 15:43 45056]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 12:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 12:56 602182]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-02-09 19:18 36904]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 06:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 18:46:00 1724416]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-24 16:43:08 24576]
Ressursoverv†king for Extender-enhet.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18:55:40 18432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Documents and Settings\\Helen\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Ekstern Media Center-opplevelse

R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 18:55]
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 06:00]
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 01:13:55 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-12-01 00:00:01 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-26 21:44:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-06-26 21:49:12 - machine was rebooted [Helen]
ComboFix-quarantined-files.txt 2008-06-26 19:49:04
ComboFix2.txt 2008-06-26 17:51:12
ComboFix3.txt 2008-06-26 16:29:57

Pre-Run: 16,090,480,640 bytes free
Post-Run: 16,081,752,064 bytes free

192 --- E O F --- 2008-06-26 13:22:17
r2d290, posted 26 June 2008

What did you do just now? Did you save the CFScript file and drag it onto ComboFix as the picture shows? It looks to me like you just ran ComboFix the normal way...
M-J (thread author), posted 26 June 2008 (edited)

I did that, but forgot to copy in file:: first; it should be fine now.

ComboFix 08-06-20.4 - Helen 2008-06-26 22:01:47.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.492 [GMT 2:00]
Running from: C:\Documents and Settings\Helen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Helen\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\amxvvfjb.dll
C:\WINDOWS\system32\avukvjix.ini
C:\WINDOWS\system32\bxavchex.ini
C:\WINDOWS\system32\cmpmicsg.ini
C:\WINDOWS\system32\dsyiawhy.ini
C:\WINDOWS\system32\hcnstskg.ini
C:\WINDOWS\system32\idblhssp.ini
C:\WINDOWS\system32\iscxfppd.ini
C:\WINDOWS\system32\itubvyij.ini
C:\WINDOWS\system32\jorxcvwj.ini
C:\WINDOWS\system32\jxriritq.ini
C:\WINDOWS\system32\lqheaqjh.dll
C:\WINDOWS\system32\oasaqqdf.dll
C:\WINDOWS\system32\oefjaogn.ini
C:\WINDOWS\system32\totkngja.ini
C:\WINDOWS\system32\vewgequk.ini
C:\WINDOWS\system32\xbblqnax.ini
C:\WINDOWS\system32\yndwcank.ini
C:\WINDOWS\system32\yusjkojc.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\amxvvfjb.dll
C:\WINDOWS\system32\avukvjix.ini
C:\WINDOWS\system32\bxavchex.ini
C:\WINDOWS\system32\cmpmicsg.ini
C:\WINDOWS\system32\dsyiawhy.ini
C:\WINDOWS\system32\hcnstskg.ini
C:\WINDOWS\system32\idblhssp.ini
C:\WINDOWS\system32\iscxfppd.ini
C:\WINDOWS\system32\itubvyij.ini
C:\WINDOWS\system32\jorxcvwj.ini
C:\WINDOWS\system32\jxriritq.ini
C:\WINDOWS\system32\lqheaqjh.dll
C:\WINDOWS\system32\oasaqqdf.dll
C:\WINDOWS\system32\oefjaogn.ini
C:\WINDOWS\system32\totkngja.ini
C:\WINDOWS\system32\vewgequk.ini
C:\WINDOWS\system32\xbblqnax.ini
C:\WINDOWS\system32\yndwcank.ini
C:\WINDOWS\system32\yusjkojc.ini
.
((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 )))))))))))))))))))))))))))))))
.
2008-06-26 17:08 . 2008-06-26 17:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-26 15:54 . 2008-06-26 15:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-26 15:53 . 2008-06-26 15:53 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-26 15:53 . 2008-06-26 15:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-26 15:53 . 2008-06-26 15:53 <DIR> d-------- C:\Documents and Settings\Helen\Application Data\SUPERAntiSpyware.com
2008-06-26 15:48 . 2008-06-26 15:49 <DIR> d-------- C:\Program Files\CCleaner
2008-06-25 23:03 . 2008-06-26 21:30 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-25 23:03 . 2008-06-26 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 23:08 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-19 23:08 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 13:48 --------- d-----w C:\Program Files\Yahoo!
2008-06-26 13:29 --------- d-----w C:\Program Files\McAfee
2008-06-23 20:43 --------- d-----w C:\Documents and Settings\Helen\Application Data\SiteAdvisor
2008-06-08 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-06-08 21:46 --------- d-----w C:\Documents and Settings\Helen\Application Data\McAfee
2008-05-29 11:47 --------- d-----w C:\Program Files\DivX
2008-05-26 21:26 --------- d-----w C:\Program Files\Google
2008-05-26 12:26 --------- d-----w C:\Program Files\Java
2008-05-23 21:22 --------- d-----w C:\Program Files\SiteAdvisor
2008-05-11 21:07 94,208 ----a-w C:\WINDOWS\DUMP92f9.tmp
2008-05-11 10:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\ArtPlant
2008-05-11 10:37 --------- d-----w C:\Program Files\AGEIA Technologies
2008-05-11 10:34 --------- d-----w C:\Documents and Settings\Helen\Application Data\GetRightToGo
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-03-02 07:11 4,384,256 --sha-w C:\Program Files\ehthumbs.db
2008-01-05 19:17 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-07-12 20:00 80 -csh--r C:\WINDOWS\system32\6E162F84C2.dll
2008-03-09 20:35 88 --sh--r C:\WINDOWS\system32\C2842F166E.sys
.
((((((((((((((((((((((((((((( snapshot@2008-06-26_18.29.27.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-26 16:23:52 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-26 20:05:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-26 13:21:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-26 17:28:47 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-26 13:21:55 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-26 17:28:47 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-26 20:05:48 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24 20480]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 22:35 397312 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-04-06 15:58 1032192]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 15:43 45056]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 12:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 12:56 602182]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-02-09 19:18 36904]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 06:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 18:46:00 1724416]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-24 16:43:08 24576]
Ressursoverv†king for Extender-enhet.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18:55:40 18432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Documents and Settings\\Helen\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Ekstern Media Center-opplevelse

R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 18:55]
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2004-08-10 06:00]
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 01:13:55 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-12-01 00:00:01 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-26 22:06:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-06-26 22:10:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-26 20:10:44
ComboFix2.txt 2008-06-26 19:49:13
ComboFix3.txt 2008-06-26 17:51:12
ComboFix4.txt 2008-06-26 16:29:57

Pre-Run: 16,063,471,616 bytes free
Post-Run: 16,051,580,928 bytes free

216 --- E O F --- 2008-06-26 13:22:17

Edited 26 June 2008 by M-J
r2d290, posted 26 June 2008

You can use Windows Explorer to remove the following line:
C:\WINDOWS\DUMP92f9.tmp

Download CCleaner. Start the program. Go to 'Options' -> 'Advanced'. Untick the box in front of: "Only delete temporary files.......". Click 'Cleaner' and then 'Run CCleaner'. Also run a few rounds of 'Registry' until it finds no more errors. Say yes to making a backup when you are asked.

CCleaner should clear out cookies etc., so it is a good idea to run it (including the registry cleaner).

Go to http://virusscan.jotti.org , click Browse, and upload the following file for analysis:
C:\WINDOWS\system32\6E162F84C2.dll
C:\WINDOWS\system32\C2842F166E.sys
Then click Submit. Accept that the file will be scanned. Finally, copy the result and paste it into your next post, so I can look at it and assess what needs to be done next.

Otherwise the log looks OK.
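The comparison between the two ComboFix runs above can also be scripted. The following is an added example, not part of the original thread and not ComboFix's own code: it parses "Files Created" entries from two runs and checks that every path named in the CFScript FILE:: list has disappeared. The function names and the random-name heuristic (hidden+system file, eight lowercase letters, directly in system32) are assumptions drawn from the file names listed in this thread.

```python
import ntpath
import re
from typing import NamedTuple


class Entry(NamedTuple):
    created: str
    modified: str
    size: str   # byte count with commas, or "<DIR>"
    attrs: str  # nine-character attribute field, e.g. "---hs----"
    path: str


# One "Files Created" entry: created . modified  size  attributes  path
ENTRY_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(<DIR>|[\d,]+)\s+([a-z-]{9})\s+(\S.*?)\s*$"
)
# Heuristic (assumption): eight lowercase letters plus .ini or .dll
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(ini|dll)$")

# Excerpts from the two logs posted in this thread (first and second run).
BEFORE_RUN = r"""
2008-06-19 23:08 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-19 16:55 . 2008-06-19 23:03 474 ---hs---- C:\WINDOWS\system32\hcnstskg.ini
2008-06-18 10:08 . 2008-06-19 16:54 1,246 ---hs---- C:\WINDOWS\system32\bxavchex.ini
"""
AFTER_RUN = r"""
2008-06-26 15:48 . 2008-06-26 15:49 <DIR> d-------- C:\Program Files\CCleaner
2008-06-19 23:08 . 2008-06-13 15:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
"""
# Two of the paths from the FILE:: section of the CFScript run.
TARGETS = [
    r"C:\WINDOWS\system32\hcnstskg.ini",
    r"C:\WINDOWS\system32\bxavchex.ini",
]


def parse_created(log_text):
    """Return an Entry for every 'Files Created' line found in log_text."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append(Entry(*match.groups()))
    return entries


def is_suspicious(entry):
    """Hidden+system file with a random-looking name directly in system32."""
    folder = ntpath.dirname(entry.path).lower()
    name = ntpath.basename(entry.path)
    return (
        "h" in entry.attrs and "s" in entry.attrs
        and folder.endswith(r"\windows\system32")
        and RANDOM_NAME_RE.match(name) is not None
    )


def verify_cleanup(before_log, after_log, targets):
    """Compare two runs against the list of paths scheduled for deletion."""
    after = parse_created(after_log)
    after_paths = {e.path.lower() for e in after}
    before_paths = {e.path.lower() for e in parse_created(before_log)}
    wanted = {t.lower() for t in targets}
    return {
        # targeted, seen before, gone now
        "removed": sorted(p for p in wanted
                          if p in before_paths and p not in after_paths),
        # targeted but still listed after the scripted run
        "still_present": sorted(p for p in wanted if p in after_paths),
        # matches the heuristic but was never put in the script
        "unlisted": sorted(e.path.lower() for e in after
                           if is_suspicious(e) and e.path.lower() not in wanted),
    }


if __name__ == "__main__":
    for label, paths in verify_cleanup(BEFORE_RUN, AFTER_RUN, TARGETS).items():
        print(label, paths)
```

An empty "still_present" and "unlisted" result only says the files no longer appear in the log; it does not replace scanning the remaining odd files, as is done in the thread.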
M-J (thread author), posted 26 June 2008

Found nothing on all items for both of them.
r2d290, posted 26 June 2008

If you run CCleaner now, the machine should be as good as new (or?)

If you consider the problem with your machine solved, you can change your thread title by clicking the button in your first post and choosing full edit. At the top, where your thread title is, write [LØST] ("solved") in front of the title.
E.g.: [LØST] I have got a virus on my machine

This helps keep the forum easier to navigate for the supporters, and new people who get the same problem will more easily find a suitable thread to look in.

-Surf safely-
M-J (thread author), posted 26 June 2008

CCleaner has been run. Now my mom's friend will be happy, hehe. I don't understand how it's possible to get so much crap on a PC. Thinking before you click is a pain. Thanks a lot for the help, nice of you to take the time.

M-J
r2d290, posted 26 June 2008

Always nice to be of help.
r2d290, posted 26 June 2008 (edited)

Oops, forgot one thing... ComboFix must be uninstalled.

Go to Start > Run.
Type the following in the box: combofix /u
PS: note the space between the x and /u.
Press Enter.

This command will:
- Remove the following: ComboFix and its associated files and folders; VundoFix backups, if they exist; the C:\Deckard folder, if it exists; the C:_OtMoveIt folder, if it exists.
- Reset the clock settings.
- Hide file extensions if necessary.
- Hide system/hidden files and folders if necessary.
- Reset the system restore points.

You can uninstall HijackThis: start HijackThis and choose "None of the above, just start the program". Then click Config >> Misc Tools >> Uninstall HijackThis & exit >> Yes. The program is now uninstalled.

Otherwise you can keep SUPERAntiSpyware if you wish. In that case keep it updated, and scan your machine now and then... If you want to uninstall it, you can do so from Add/Remove Programs.

Edited 26 June 2008 by r2d290
M-J (thread author), posted 26 June 2008

Removed all traces of myself. There is no point in the PC's owner, who has zero clue, having these programs, since they will never be used or updated. Thanks again.
r2d290, posted 26 June 2008

Or alternatively give her a course?
M-J (thread author), posted 26 June 2008

I think that's a non-starter; in that case it would probably be a full-time job! Hehe. I'd rather take her PC in once every six months when it no longer runs. Hehe.