[LØST] Hjelp: Har fått spyware- fra en kjip nettside

Annie_P · 26. juli 2008

Har installert og kjørt MBAM. Under er loggen. Prøve Hijack nå.

MBAM-logg:

Malwarebytes' Anti-Malware 1.23

Database versjon: 993

Windows 5.1.2600 Service Pack 2

09:12:36 26.07.2008

mbam-log-7-26-2008 (09-12-18).txt

Skanntype: Rask Skann

Objekter skannet: 40414

Tid tilbakelagt: 5 minute(s), 59 second(s)

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 2

Registerverdier infisert: 0

Registerfiler infisert: 0

Mapper infisert: 0

Filer infisert: 1

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

Registernøkler infisert:

HKEY_CLASSES_ROOT\fdkowvbp.bgrv (Trojan.FakeAlert) -> No action taken.

HKEY_CLASSES_ROOT\fdkowvbp.toolbar.1 (Trojan.FakeAlert) -> No action taken.

Registerverdier infisert:

(Ingen mistenkelige filer funnet)

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

Mapper infisert:

(Ingen mistenkelige filer funnet)

Filer infisert:

C:\WINDOWS\grswptdl.exe (Trojan.FakeAlert) -> No action taken.

Annie_P · 26. juli 2008

Her kommer Hijack-loggen. Maskinen ser forøvrig ut til å fungere ok for øyeblikket. Får ikke opp alle sidene om kjøp av antivirusprogram, og ikononen jeg savnet i går er tilbake.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:17, on 26.07.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe

C:\Programfiler\D-Link\AirPlus Xtreme G\AirPlusCFG.exe

C:\Programfiler\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

C:\Programfiler\SweetIM\Messenger\SweetIM.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe

C:\HP\KBD\KBD.EXE

C:\Programfiler\Java\jre1.5.0_05\bin\jusched.exe

C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe

C:\Programfiler\Windows Live\Messenger\msnmsgr.exe

C:\Programfiler\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Programfiler\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe

c:\windows\system\hpsysdrv.exe

C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programfiler\AVG\AVG8\avgtoolbar.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar2.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programfiler\AVG\AVG8\avgtoolbar.dll

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [HPBootOp] "C:\Programfiler\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Programfiler\D-Link\AirPlus Xtreme G\AirPlusCFG.exe

O4 - HKLM\..\Run: [ANIWZCSService] C:\Programfiler\Alpha Networks\ANIWZCS Service\WZCSLDR.exe

O4 - HKLM\..\Run: [sweetIM] C:\Programfiler\SweetIM\Messenger\SweetIM.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.5.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot

O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programfiler\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: Tilkoblingshjelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Tilkoblingshjelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://eurofoto.no/uploader/ImageUploader4.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programfiler\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--

End of file - 8573 bytes

norbat · 26. juli 2008

Du må la MBAM slette det den finner:

Det kommer en meldingsboks om at scannen er ferdig, klikk Ok

Klikk på Vis resultat-knappen.Hvis det er funnet malware, vil du nå se hva som er funnet.

Klikk så på Fjern valgte -knappen for å fjerne malwaren som evt. ble funnet.

Post gjerne loggen.

Oppdater java'en: http://java.com/en/download/index.jsp

Sjekket du filene som ble nevnt på Virustotal? Hvis ikke, gjør det og gi tilbakemelding på om det blir funnet noe på dem. Det skulle holde å sjekke fila C:\WINDOWS\system32\mswmnnove.dll

Annie_P · 26. juli 2008

Du må la MBAM slette det den finner:

Det kommer en meldingsboks om at scannen er ferdig, klikk Ok

Klikk på Vis resultat-knappen.Hvis det er funnet malware, vil du nå se hva som er funnet.

Klikk så på Fjern valgte -knappen for å fjerne malwaren som evt. ble funnet.

Post gjerne loggen.

Oppdater java'en: http://java.com/en/download/index.jsp

Sjekket du filene som ble nevnt på Virustotal? Hvis ikke, gjør det og gi tilbakemelding på om det blir funnet noe på dem. Det skulle holde å sjekke fila C:\WINDOWS\system32\mswmnnove.dll

Jeg har opopdater java. Har også kjørt MBAM. Den fant to infiserte filer. Har postet loggen jeg fikk etter at jeg klikket på fhjerning. Har også kjørt Virustotal, det ser ikke ut som den fant noe. Prøver å lime inn rapporten derfra.

Her loggen etter fjerning:

Malwarebytes' Anti-Malware 1.23

Database versjon: 994

Windows 5.1.2600 Service Pack 2

19:55:19 26.07.2008

mbam-log-7-26-2008 (19-55-19).txt

Skanntype: Rask Skann

Objekter skannet: 40323

Tid tilbakelagt: 7 minute(s), 23 second(s)

Minneprosesser infisert: 0

Minnemoduler infisert: 0

Registernøkler infisert: 2

Registerverdier infisert: 0

Registerfiler infisert: 0

Mapper infisert: 0

Filer infisert: 0

Minneprosesser infisert:

(Ingen mistenkelige filer funnet)

Minnemoduler infisert:

(Ingen mistenkelige filer funnet)

Registernøkler infisert:

HKEY_CLASSES_ROOT\fdkowvbp.bgrv (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\fdkowvbp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registerverdier infisert:

(Ingen mistenkelige filer funnet)

Registerfiler infisert:

(Ingen mistenkelige filer funnet)

Mapper infisert:

(Ingen mistenkelige filer funnet)

Filer infisert:

(Ingen mistenkelige filer funnet)

File mswmnnove.dll received on 07.26.2008 20:07:57 (CET)

Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/34 (0%)

Loading server information...

Your file is queued in position: 1.

Estimated start time is between 40 and 58 seconds.

Do not close the window until scan is complete.

The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.

If you are waiting for more than five minutes you have to resend your file.

Your file is being scanned by VirusTotal in this moment,

results will be shown as they're generated.

Compact Compact

Print results Print results

Your file has expired or does not exists.

Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.

Email:

Antivirus Version Last Update Result

AhnLab-V3 2008.7.26.0 2008.07.25 -

AntiVir 7.8.1.12 2008.07.25 -

Authentium 5.1.0.4 2008.07.26 -

Avast 4.8.1195.0 2008.07.26 -

AVG 8.0.0.130 2008.07.25 -

BitDefender 7.2 2008.07.26 -

CAT-QuickHeal 9.50 2008.07.25 -

ClamAV 0.93.1 2008.07.26 -

DrWeb 4.44.0.09170 2008.07.26 -

eSafe 7.0.17.0 2008.07.24 -

eTrust-Vet 31.6.5983 2008.07.26 -

Ewido 4.0 2008.07.26 -

F-Prot 4.4.4.56 2008.07.26 -

F-Secure 7.60.13501.0 2008.07.26 -

Fortinet 3.14.0.0 2008.07.26 -

GData 2.0.7306.1023 2008.07.26 -

Ikarus T3.1.1.34.0 2008.07.26 -

Kaspersky 7.0.0.125 2008.07.26 -

McAfee 5347 2008.07.25 -

Microsoft 1.3704 2008.07.26 -

NOD32v2 3300 2008.07.25 -

Norman 5.80.02 2008.07.25 -

Panda 9.0.0.4 2008.07.26 -

PCTools 4.4.2.0 2008.07.26 -

Rising 20.54.52.00 2008.07.26 -

Sophos 4.31.0 2008.07.26 -

Sunbelt 3.1.1536.1 2008.07.25 -

Symantec 10 2008.07.26 -

TheHacker 6.2.96.389 2008.07.25 -

TrendMicro 8.700.0.1004 2008.07.26 -

VBA32 3.12.8.1 2008.07.26 -

ViRobot 2008.7.26.1311 2008.07.26 -

VirusBuster 4.5.11.0 2008.07.26 -

Webwasher-Gateway 6.6.2 2008.07.26 -

Additional information

File size: 9844 bytes

MD5...: f8a067cf4e34668f3e1dedb6d51a6588

SHA1..: fc06e27d83685f3019be8f25ce53677bcd581301

SHA256: 03102a91f033953d619361c85aa596dadca44f953cfeb53468760fae7f5f2109

SHA512: 751cee5dac23c37f8f2a7c9c222b03f9a24db7c0c7e8d9cf0dfb730a7ad45e41

69e71c3de9ab4dfaa52951855c4c816a73450b5538a7d7ae9475fa2ee87a6ca1

PEiD..: -

PEInfo: -

Annie_P · 26. juli 2008

Nå fikk jeg opp en melding om infisert fil fra AVG Resident shiled alert. Det står at filen under er infisert.....Ser ut som om viruset heter Vundo. Noen som vet om dette er det samme som jeg har slitt med før?

norbat · 26. juli 2008

Ok,

Filene gir ingen treff på noen søkemotorer. Dette indikerer at filene kan tilhøre en eller annen infeksjon. Det du kunne ha gjort, er å høyreklikke på filene og byttet filnavn på de. Hvis alt kjører normalt og ingen programmer som du bruker fungerer greit, så kan du slette filene etter noen dager. Det gjelder altså filene:

C:\WINDOWS\system32\msrun9er-.dll -> høyreklikk og legg til filendelsen bak -> msrun9er-.dll.bak

C:\WINDOWS\system32\mswmnnove.dll -> høyreklikk og legg til filendelsen bak -> mswmnove.dll.bak

Ut over dette ser ting og tang bra ut.

Du kan fjerne combofix ved å skrive combofix /u i kjør-feltet (start->kjør).

Behold gjerne SAS og/eller MBAM.

Edit: Hvilken fil er det du mener?

Endret 26. juli 2008 av norbat

raWrz · 26. juli 2008

han mener vundo

snippsat · 26. juli 2008

han mener vundo

Jøss vundo er en type infeksjon.

Denne kan lage 100vis av filer.

Derfor spør norbat,viss du hadde følgt med litt her så skjønner du kansje at han ikke skal ha noe hjelp innen dette feltet

Annie_P · 28. juli 2008

Ok,
Filene gir ingen treff på noen søkemotorer. Dette indikerer at filene kan tilhøre en eller annen infeksjon. Det du kunne ha gjort, er å høyreklikke på filene og byttet filnavn på de. Hvis alt kjører normalt og ingen programmer som du bruker fungerer greit, så kan du slette filene etter noen dager. Det gjelder altså filene:

C:\WINDOWS\system32\msrun9er-.dll -> høyreklikk og legg til filendelsen bak -> msrun9er-.dll.bak

C:\WINDOWS\system32\mswmnnove.dll -> høyreklikk og legg til filendelsen bak -> mswmnove.dll.bak

Ut over dette ser ting og tang bra ut.

Du kan fjerne combofix ved å skrive combofix /u i kjør-feltet (start->kjør).

Behold gjerne SAS og/eller MBAM.

Edit: Hvilken fil er det du mener?

Jeg finner ikke filene som skal ha ny filending. Har gått gjennom windows-mappen og brukt "søk" funksjonen. Kan disse filene være skjult? (Bruker XP, ikke Vista)

Annie_P · 28. juli 2008

Jeg får fremdeles opp ny virusvarsel. AVG gir melding om tre ulike virus:

Trojan Horse Clicker.OVI

Trojan Horse Clicker.OVG

Trojan Horse Clicker.OVF

Jeg klikker på "Remove threats", men etter en stund gåtr alarmen igjen.

Annie_P · 28. juli 2008

Hva med systemrestore, har du tilgang til det? Og rensing etterpå(gammel restore må vekk)...

Tror jeg har tilgang til system restore (hvis det er installsjonen slik den var dajeg kjøpte maskinen? Dette ligger på D). Vil helst prøve å løse problemet slik at jeg slipper å bruke restore.....er så mye drivere og oppdateringer at det blir utrolig tungvint å kjøre restore.

Nå tenkte jeg på systemgjenoppretting, ikke nyinstall. av OS..

Jeg er ikke helt inne i begrepene her.....Når jeg kjører systemgjenoppretting er det mye som endrer seg på maskinen selv om de gamle mappene ligger der.....vet ikke helt hva som skjer...det jeg har gjort tidliger er full formatering og ny installasjon. Det ser også ut som Compaq-maskinen lager noe som systegjenopprettingspunkt. Etter det jeg forstår skal det være mulig å gå tilbake til sist disse punktene og få et oppsett av maskinen som er identisk med det som var på "gjenopporettinsgstispunktet". Jeg greier imidlertid ikke å finne disse punktene. Når jeg følger manualen ender jeg bare opp med å nyinstallere Windows. Mulig jeg har misforstått dette med gjenopprettingspunkt...?

norbat · 28. juli 2008

Last ned ny combofix, kjør programmet og post loggen.

Annie_P · 28. juli 2008

Last ned ny combofix, kjør programmet og post loggen.

ComboFix 08-07-24.3 - Compaq_Eier 2008-07-28 23:03:24.4 - NTFSx86

Running from: C:\Documents and Settings\Compaq_Eier\Skrivebord\ComboFix.exe

.

((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-28 )))))))))))))))))))))))))))))))

.

2008-07-26 19:25 . 2008-07-26 19:25 <DIR> d-------- C:\Programfiler\Sun

2008-07-26 19:25 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl

2008-07-26 09:23 . 2008-07-28 19:29 <DIR> dr-h----- C:\Documents and Settings\Compaq_Eier\Siste

2008-07-26 09:17 . 2008-07-26 09:17 <DIR> d-------- C:\Programfiler\Trend Micro

2008-07-26 09:02 . 2008-07-26 09:02 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware

2008-07-26 09:02 . 2008-07-26 09:02 <DIR> d-------- C:\Documents and Settings\Compaq_Eier\Programdata\Malwarebytes

2008-07-26 09:02 . 2008-07-26 09:02 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes

2008-07-26 09:02 . 2008-07-23 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-07-26 09:02 . 2008-07-23 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-07-25 23:31 . 2006-01-03 05:40 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS

2008-07-25 23:31 . 2008-06-12 06:34 <DIR> dr------- C:\Documents and Settings\Administrator\Start-meny

2008-07-25 23:31 . 2005-10-20 23:51 <DIR> d--h----- C:\Documents and Settings\Administrator\Skrivere

2008-07-25 23:31 . 2005-10-20 23:51 <DIR> d-------- C:\Documents and Settings\Administrator\Skrivebord

2008-07-25 23:31 . 2008-06-12 06:34 <DIR> dr-h----- C:\Documents and Settings\Administrator\Siste

2008-07-25 23:31 . 2008-06-12 06:34 <DIR> dr-h----- C:\Documents and Settings\Administrator\Programdata

2008-07-25 23:31 . 2008-06-12 06:34 <DIR> dr------- C:\Documents and Settings\Administrator\Mine dokumenter

2008-07-25 23:31 . 2005-10-27 04:33 <DIR> d--h----- C:\Documents and Settings\Administrator\Maler

2008-07-25 23:31 . 2008-07-28 23:06 <DIR> d--h----- C:\Documents and Settings\Administrator\Lokale innstillinger

2008-07-25 23:31 . 2008-06-11 22:48 <DIR> dr------- C:\Documents and Settings\Administrator\Favoritter

2008-07-25 23:31 . 2005-10-20 23:51 <DIR> d--h----- C:\Documents and Settings\Administrator\AndrMask

2008-07-25 23:31 . 2008-07-25 23:31 <DIR> d-------- C:\Documents and Settings\Administrator

2008-07-25 22:16 . 2008-07-25 22:16 <DIR> d--hs---- C:\WINDOWS\ftpcache

2008-07-24 21:02 . 2008-07-24 21:02 <DIR> d-------- C:\Documents and Settings\Compaq_Eier\Programdata\AVS4YOU

2008-07-24 20:53 . 2008-07-24 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\AVS4YOU

2008-07-24 20:49 . 2008-07-24 20:53 <DIR> d-------- C:\Programfiler\Fellesfiler\AVSMedia

2008-07-24 20:42 . 2008-07-24 20:54 <DIR> d-------- C:\Programfiler\AVS4YOU

2008-07-24 20:32 . 2008-07-28 17:59 <DIR> d--h----- C:\$AVG8.VAULT$

2008-07-20 21:34 . 2008-07-20 21:34 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-07-20 21:34 . 2008-07-20 21:34 1,409 --a------ C:\WINDOWS\QTFont.for

2008-07-18 21:40 . 2004-08-04 01:03 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll

2008-07-18 21:40 . 2001-10-06 14:02 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll

2008-07-18 18:20 . 2008-07-18 18:20 <DIR> d-------- C:\WINDOWS\.jagex_cache_32

2008-07-18 18:20 . 2008-07-18 18:20 0 --a------ C:\Documents and Settings\Compaq_Eier\jagex_runescape_preferences.dat

2008-07-18 17:49 . 2008-07-18 17:49 <DIR> d-------- C:\Programfiler\Guitar Pro 5

2008-07-18 16:07 . 2008-07-18 16:07 1,409 --a------ C:\WINDOWS\system32\tmpEE08F.FOT

2008-07-14 18:37 . 2008-07-16 22:13 <DIR> d-------- C:\Documents and Settings\Compaq_Eier\Programdata\U3

2008-07-13 22:02 . 2008-07-18 18:16 <DIR> d-------- C:\Documents and Settings\Compaq_Eier\Programdata\skypePM

2008-07-13 22:02 . 2008-07-13 22:02 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat

2008-07-13 21:51 . 2008-07-13 21:51 <DIR> d-------- C:\Programfiler\Skype

2008-07-13 21:51 . 2008-07-13 21:51 <DIR> d-------- C:\Programfiler\Fellesfiler\Skype

2008-07-13 21:51 . 2008-07-18 21:49 <DIR> d-------- C:\Documents and Settings\Compaq_Eier\Programdata\Skype

2008-07-13 21:51 . 2008-07-13 21:51 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Skype

2008-07-13 21:44 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys

2008-07-13 21:44 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\dllcache\usbaudio.sys

2008-07-13 21:44 . 2004-08-04 01:03 21,504 --a------ C:\WINDOWS\system32\hidserv.dll

2008-07-13 21:44 . 2004-08-04 01:03 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll

2008-07-13 21:44 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys

2008-07-13 21:44 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys

2008-07-13 21:04 . 2008-07-13 21:04 268 --ah----- C:\sqmdata00.sqm

2008-07-13 21:04 . 2008-07-13 21:04 244 --ah----- C:\sqmnoopt00.sqm

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-28 15:33 --------- d---a-w C:\Documents and Settings\All Users\Programdata\TEMP

2008-07-26 17:25 --------- d-----w C:\Programfiler\Java

2008-07-20 19:34 --------- d-----w C:\Programfiler\QuickTime

2008-07-19 07:44 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys

2008-07-19 07:44 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys

2008-07-19 07:44 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll

2008-07-18 20:16 --------- d-----w C:\Documents and Settings\All Users\Programdata\Microsoft Help

2008-07-18 14:09 --------- d-----w C:\Programfiler\PonyGirl2

2008-07-13 19:38 --------- d-----w C:\Documents and Settings\Compaq_Eier\Programdata\HP

2008-06-20 17:43 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll

2008-06-20 17:43 246,784 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll

2008-06-20 17:43 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys

2008-06-19 20:58 1,024 ----a-w C:\Documents and Settings\All Users\Programdata\pdfdoc2.dll

2008-06-18 20:44 --------- d-----w C:\Programfiler\CCleaner

2008-06-15 21:13 --------- d-----w C:\Documents and Settings\All Users\Programdata\WLInstaller

2008-06-14 18:00 272,256 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-06-14 18:00 272,256 ------w C:\WINDOWS\system32\dllcache\bthport.sys

2008-06-14 09:17 --------- d-----w C:\Programfiler\MSBuild

2008-06-14 09:17 --------- d-----w C:\Programfiler\Microsoft Works

2008-06-14 09:16 --------- d-----w C:\Programfiler\Microsoft.NET

2008-06-14 05:40 --------- d-----w C:\Programfiler\Microsoft CAPICOM 2.1.0.2

2008-06-14 05:33 --------- d-----w C:\Programfiler\MSXML 4.0

2008-06-13 12:28 --------- d-----w C:\Documents and Settings\All Users\Programdata\QuickTime

2008-06-12 21:18 --------- d-----w C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com

2008-06-12 21:17 --------- d-----w C:\Programfiler\SUPERAntiSpyware

2008-06-12 21:17 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-06-12 21:17 --------- d-----w C:\Documents and Settings\Compaq_Eier\Programdata\SUPERAntiSpyware.com

2008-06-12 17:20 --------- d-----w C:\Programfiler\directx

2008-06-12 17:16 --------- d-----w C:\Programfiler\Eidos Interactive

2008-06-12 13:26 --------- d-----w C:\Programfiler\SweetIM

2008-06-12 13:25 --------- d-----w C:\Documents and Settings\Compaq_Eier\Programdata\AVGTOOLBAR

2008-06-12 13:15 --------- d-----w C:\Programfiler\AVG

2008-06-12 13:15 --------- d-----w C:\Documents and Settings\All Users\Programdata\avg8

2008-06-12 12:46 --------- d-----w C:\Documents and Settings\All Users\Programdata\SweetIM

2008-06-12 11:28 --------- d-----w C:\Programfiler\Windows Live

2008-06-12 11:27 --------- dcsh--w C:\Programfiler\Fellesfiler\WindowsLiveInstaller

2008-06-11 20:54 --------- d-----w C:\Programfiler\HP

2008-06-11 20:54 --------- d-----w C:\Documents and Settings\All Users\Programdata\HP

2008-06-11 20:51 --------- d-----w C:\Programfiler\Fellesfiler\Hewlett-Packard

2008-06-11 20:49 --------- d-----w C:\Documents and Settings\Compaq_Eier\Programdata\HPQ

2008-06-11 20:46 1,869 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_RF147AA-UUW SR1939SC EL630_YC_0Pres_QCZB630_E63NOheREA1_48_IAMETHYST-M_SMSI_V1.0_B3.48_T060324_WXH2_L414_M447_J160_7AMD_8Athlon 64_92.19_#060918_N10EC8139_Z_G10025954_OHL-DT-ST DVDRRW GSA-H21N_DLCD905A.MRK

2008-06-11 19:52 --------- d-----w C:\Programfiler\Google

2008-06-11 19:44 --------- d-----w C:\Programfiler\Fellesfiler\Adobe

2008-06-11 19:42 --------- d-----w C:\Documents and Settings\Compaq_Eier\Programdata\AdobeUM

2008-06-11 19:10 --------- d--h--w C:\Programfiler\InstallShield Installation Information

2008-06-11 19:10 --------- d-----w C:\Programfiler\D-Link

2008-06-11 19:10 --------- d-----w C:\Programfiler\Alpha Networks

2008-06-11 19:07 --------- d-----w C:\Programfiler\Fellesfiler\Symantec Shared

2008-06-11 19:07 --------- d-----w C:\Documents and Settings\All Users\Programdata\Symantec

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys

2008-05-07 05:16 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll

2008-05-07 05:16 1,290,752 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll

.

((((((((((((((((((((((((((((( snapshot@2008-07-25_23.52.34.20 )))))))))))))))))))))))))))))))))))))))))

.

- 2005-08-26 21:55:46 49,248 ----a-w C:\WINDOWS\system32\java.exe

+ 2008-06-09 23:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe

- 2005-08-26 21:55:58 49,250 ----a-w C:\WINDOWS\system32\javaw.exe

+ 2008-06-09 23:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe

- 2005-08-27 00:14:46 127,078 ----a-w C:\WINDOWS\system32\javaws.exe

+ 2008-06-10 00:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe

- 2008-01-25 19:33:26 122,880 ----a-w C:\WINDOWS\system32\msrun9er-.dll

+ 2007-07-25 15:33:09 122,880 ----a-w C:\WINDOWS\system32\msrun9er-.dll

- 2007-01-30 20:32:01 9,844 ----a-w C:\WINDOWS\system32\mswmnnove.dll

+ 2006-06-05 21:40:23 9,844 ----a-w C:\WINDOWS\system32\mswmnnove.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-06-11 21:18 171448]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]

"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

"9c7ce"="c:\programfiler\qtvxhhfjwzafh\uehjlvv.exe" [2006-03-15 00:15 1554066]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 23:14 237568]

"HPBootOp"="C:\Programfiler\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 23:34 249856]

"HP Software Update"="C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]

"D-Link AirPlus Xtreme G"="C:\Programfiler\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" [2003-11-04 17:00 2502656]

"ANIWZCSService"="C:\Programfiler\Alpha Networks\ANIWZCS Service\WZCSLDR.exe" [2003-08-21 16:12 32768]

"SweetIM"="C:\Programfiler\SweetIM\Messenger\SweetIM.exe" [2008-03-27 19:31 111928]

"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-19 09:44 1232152]

"GrooveMonitor"="C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]

"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2008-07-20 21:34 413696]

"9c7ce"="c:\programfiler\qtvxhhfjwzafh\uehjlvv.exe" [2006-03-15 00:15 1554066]

"TkBellExe"="realsched.exe" [bU]

C:\Documents and Settings\Administrator\Start-meny\Programmer\Oppstart\

Pin.lnk - C:\hp\bin\CLOAKER.EXE [2006-01-03 05:07:26 27136]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

HP Digital Imaging Monitor.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]

Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"C:\\Programfiler\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"C:\\Programfiler\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"C:\\Programfiler\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"C:\\Programfiler\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"C:\\Programfiler\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"C:\\Programfiler\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"C:\\Programfiler\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"C:\\Programfiler\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"C:\\Programfiler\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"C:\\Programfiler\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"C:\\Programfiler\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"C:\\Programfiler\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"C:\\Programfiler\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Programfiler\\AVG\\AVG8\\avgupd.exe"=

"C:\\Programfiler\\AVG\\AVG8\\avgemc.exe"=

"C:\\Programfiler\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Programfiler\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Programfiler\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Programfiler\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-19 09:44]

R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-19 09:44]

R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-19 09:44]

R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-19 09:44]

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2003-10-22 15:27]

.

Contents of the 'Scheduled Tasks' folder

"2008-07-13 19:13:39 C:\WINDOWS\Tasks\Internett-tjenester.job"

- C:\Programfiler\Hewlett-Packard\SDP\HPSdpApp.exea/remind /LaunchPoint reminder /App C:\Programfiler\Hewlett-Packard\Internet Services\StartIS.aml

.

------- Supplementary Scan -------

.

R0 -: HKCU-Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NB_NO&c=63&bd=PRESARIO&pf=desktop

R0 -: HKCU-Main,Default_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=63&bd=PRESARIO&pf=desktop

R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

R0 -: HKLM-Main,Search Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NB_NO&c=63&bd=PRESARIO&pf=desktop

R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NB_NO&c=63&bd=PRESARIO&pf=desktop

O8 -: E&ksporter til Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-28 23:06:37

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\msrun9er-.dll 122880 bytes executable

scan completed successfully

hidden files: 1

**************************************************************************

.

Completion time: 2008-07-28 23:07:48

ComboFix-quarantined-files.txt 2008-07-28 21:07:44

ComboFix2.txt 2008-07-26 17:36:36

ComboFix3.txt 2008-07-25 22:37:04

ComboFix4.txt 2008-07-25 21:54:21

Pre-Run: 135,822,139,392 byte ledig

Post-Run: 135,941,431,296 byte ledig

228 --- E O F --- 2008-07-22 07:20:29

snippsat · 29. juli 2008

Kopiere fet tekst under bildet->åpne notisblokk og lim inn.

Lagre på skrivebordet som CFScript.txt

Gjør som på bildet combofix vil starte,Post logg c:\combofix.txt

File::

C:\WINDOWS\system32\msrun9er-.dll

C:\WINDOWS\system32\mswmnnove.dll

Registry::

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"9c7ce"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"9c7ce"=-

---

Last ned kjør CCleaner

'Valg'->'Avansert'. Fjern avkryssingen framfor: "bare slett midlertidige filer som er eldere enn 48 t.

Kjør og register-renser"svar ja til og reparere"-->backup svar ja når du blir spørt.

Kjør register-renser et par ganger til alle feil er borte.

---

I post #19 fikk du ikke CFCript.txt til og virke.

Post combofix loggen så vi ser det virker.

---

Restart

---

En runde med MBAM

---

Scann nå med AVG

Finner den noe nå må du ta med plassering,altså stien til filen.

Ikke hva det er som i post #30

Endret 29. juli 2008 av SNIPPSAT

Annie_P · 31. juli 2008

ComboFix 08-07-24.3 - Compaq_Eier 2008-07-31 9:38:37.5 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.135 [GMT 2:00]

Running from: C:\Documents and Settings\Compaq_Eier\Skrivebord\ComboFix.exe

Command switches used :: C:\Documents and Settings\Compaq_Eier\Skrivebord\CFScript.txt

* Created a new restore point

FILE ::

C:\WINDOWS\system32\msrun9er-.dll

C:\WINDOWS\system32\mswmnnove.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\msrun9er-.dll

C:\WINDOWS\system32\mswmnnove.dll

.

((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-31 )))))))))))))))))))))))))))))))

.

2008-07-31 09:31 . 2008-07-31 09:34 <DIR> dr-h----- C:\Documents and Settings\Compaq_Eier\Siste

2008-07-30 22:44 . 2008-07-30 22:44 268 --ah----- C:\sqmdata02.sqm

2008-07-30 22:44 . 2008-07-30 22:44 244 --ah----- C:\sqmnoopt02.sqm

2008-07-29 17:09 . 2008-07-29 17:20 <DIR> d-------- C:\Programfiler\ZC Video Converter

2008-07-29 16:33 . 2008-07-29 16:33 <DIR> d-------- C:\Programfiler\Red Kawa

2008-07-29 16:33 . 2008-07-29 16:33 <DIR> d-------- C:\Programfiler\AviSynth 2.5

2008-07-29 00:16 . 2008-07-29 00:16 268 --ah----- C:\sqmdata01.sqm

2008-07-29 00:16 . 2008-07-29 00:16 244 --ah----- C:\sqmnoopt01.sqm