LeLiLa, 13 August 2008

ComboFix

ComboFix 08-08-12.01 - Bjerkeli 2008-08-13 17:00:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.777 [GMT 2:00]
Running from: C:\Documents and Settings\Bjerkeli\Lokale innstillinger\Programdata\Opera\Opera\profile\cache4\temporary_download\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\WINDOWS\mrofinu1001186.exe
C:\WINDOWS\system32\12520437v.exe
C:\WINDOWS\system32\adsn.dll
C:\WINDOWS\system32\drivers\Ryot72.sys
F:\autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MSUPDATE
-------\Legacy_RYOT72
-------\Legacy_VSSSCHEDULE
-------\Service_Ryot72
-------\Service_VSSSchedule

((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\3.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\2.tmp
2008-08-13 17:02 . 2008-08-13 17:02 0 --a------ C:\2F.tmp
2008-08-13 17:02 . 2008-08-13 17:02 0 --a------ C:\2E.tmp
2008-08-13 17:02 . 2008-08-13 17:02 0 --a------ C:\2D.tmp
2008-08-13 17:02 . 2008-08-13 17:02 0 --a------ C:\2C.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\2B.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\2A.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\29.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\28.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\27.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\26.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\23.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\22.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\21.tmp
2008-08-13 16:51 . 2008-08-13 16:51 <DIR> d-------- C:\Programfiler\Belkin
2008-08-13 16:51 . 2004-04-30 15:12 40,960 --a------ C:\WINDOWS\system32\F5D9050.dll
2008-08-13 16:51 . 2005-06-15 04:35 36,864 --a------ C:\WINDOWS\system32\ss.dll
2008-08-13 16:51 . 2008-08-13 16:51 20,747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-08-13 16:51 . 2005-06-18 02:48 19,968 --a------ C:\WINDOWS\system32\drivers\ss.sys
2008-08-13 16:40 . 2005-11-09 00:26 49,152 --a------ C:\WINDOWS\system32\moveex.exe
2008-08-13 16:40 . 2008-08-13 16:40 0 --a------ C:\25.tmp
2008-08-13 16:40 . 2008-08-13 16:40 0 --a------ C:\24.tmp
2008-08-13 16:39 . 2008-08-13 16:39 <DIR> d-------- C:\Programfiler\Trend Micro
2008-08-13 16:14 . 2008-08-13 16:14 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-08-13 16:14 . 2008-08-13 16:14 <DIR> d-------- C:\Documents and Settings\Bjerkeli\Programdata\Malwarebytes
2008-08-13 16:14 . 2008-08-13 16:14 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-08-13 16:14 . 2008-07-30 20:14 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-13 16:14 . 2008-07-30 20:14 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 14:51 --------- d-----w C:\Programfiler\Fellesfiler\InstallShield
2008-08-10 15:16 3,727,360 --sha-r C:\WINDOWS\Mixa.exe
2008-08-10 14:16 3,727,360 --sha-r C:\WINDOWS\system32\systemio.exe
2008-08-10 14:16 3,727,360 --sha-r C:\Mixa_I.exe
.
------- Sigcheck -------
2004-08-03 23:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-03 23:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers\tcpip.sys
2004-08-04 01:03 1042944 dc39ebe26bbb98a3942e0700c3df117b C:\WINDOWS\explorer.exe
2004-08-04 01:03 1042944 ba74e435f1108333647c5726a2a54d6d C:\WINDOWS\system32\dllcache\explorer.exe
2004-08-04 01:03 58880 12cbed62f0c910e5cefd692bc68a6b24 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 01:03 26112 dc26c74402c401843c877bfc52f8c7b5 C:\WINDOWS\system32\dllcache\ctfmon.exe
2004-08-04 01:03 68608 ad3b8e7ac4d71caddd241cbbc4dcbb09 C:\WINDOWS\system32\spoolsv.exe
2004-08-04 01:03 68608 11663c540061a6b7ae565b0a419dd03b C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03 58880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Virus"="C:\WINDOWS\Mixa.exe" [2008-08-10 17:16 3727360]
"F5D9050"="C:\Programfiler\Belkin\F5D9050\Belkinwcui.exe" [2006-02-14 14:19 1544192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:03 58880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\systemio.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=WIKI.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pwc27.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys [2005-06-18 02:48]
S0 Pwc27;Pwc27;C:\WINDOWS\system32\Drivers\Pwc27.sys []
S3 BKNDIS5;BKNDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\F5D9050\BKNDIS5.SYS [2005-03-02 13:47]
.
.
------- Supplementary Scan -------
.
R0 -: HKLM-Main,Start Page = about:blank

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 17:04:10
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-13 17:04:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-13 15:04:49
ComboFix2.txt 2008-08-13 14:40:45

Pre-Run: 155,072,360,448 byte ledig
Post-Run: 155,014,787,072 byte ledig

125

HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:06:20, on 13.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixa.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programfiler\Belkin\F5D9050\Belkinwcui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\systemio.exe
O4 - HKLM\..\Run: [Virus] C:\WINDOWS\Mixa.exe
O4 - HKLM\..\Run: [F5D9050] C:\Programfiler\Belkin\F5D9050\Belkinwcui.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O20 - AppInit_DLLs: WIKI.DLL

--
End of file - 2129 bytes

The Antivirus XP virus has infected the machine again after yet another clean format!
norbat, 13 August 2008

You are infected with a worm. The timestamps on the files tied to the infection are 10 Aug. Was that when you reinstalled? If so, did you run the installation from a backup, or did you use the original CD? Either way, have you run a scan with SuperAntispyware (SAS) or Malwarebytes Anti-Malware (MBAM)? If not, do that (check for updates first). Run another round of Combofix afterwards and post the log together with the log from SAS or MBAM.
LeLiLa (thread author), 13 August 2008

I formatted from the original CD, and have run Malwarebytes Anti-Malware (MBAM). But it comes back every time I reboot. I scan and find 3 viruses, reboot, and after that 5 more show up. What should I do? I have formatted the PC several times. Formatted it again this morning as well.
norbat, 13 August 2008

You don't need to format because of this, but let's run another scanner to see if it does the job better: Download SAS, install it, update it and run a quick scan. Let the program restart the PC if it asks to. Then run combofix again and post the log together with the log from SAS (preferences->statistics).
LeLiLa (thread author), 13 August 2008

Can I add you on MSN? The network on the PC suddenly stopped working..
norbat, 13 August 2008

Restart the PC and check whether you can get online. If you still can't get online, try the following:
Start SAS
Select the Preferences tab
Select the Repairs tab
Click Repair broken network connection
Click Perform repair...
LeLiLa (thread author), 13 August 2008

Can't download SAS, only have that MBAM thing at the moment. The network connects, but the gateway and so on doesn't come up, it goes unstable etc.
norbat, 13 August 2008

Ok, could you post the latest MBAM log (or run a quick scan and post the log that comes up)
LeLiLa (thread author), 13 August 2008

Hmm, it takes a little time, I have to scan, then transfer via USB, then upload (: the PC has no net, as I said
LeLiLa (thread author), 13 August 2008

This was before I ran the Malware thing and rebooted

Malwarebytes' Anti-Malware 1.24
Database versjon: 1048
Windows 5.1.2600 Service Pack 2

21:29:34 13.08.2008
mbam-log-8-13-2008 (21-29-34).txt

Skanntype: Rask Skann
Objekter skannet: 37913
Tid tilbakelagt: 3 minute(s), 7 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 3
Registerverdier infisert: 6
Registerfiler infisert: 2
Mapper infisert: 1
Filer infisert: 7

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{69df1141-0ca3-4d7a-b6bf-830d4361f3c8} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69df1141-0ca3-4d7a-b6bf-830d4361f3c8} (Trojan.Agent) -> Quarantined and deleted successfully.

Registerverdier infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registerfiler infisert:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\systemio.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Mapper infisert:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Delete on reboot.

Filer infisert:
C:\WINDOWS\system32\drivers\Jqv84.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\mrofinu1001186.exe (Trojan.Agent) -> Delete on reboot.
C:\31.tmp (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\blackbo.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.24
Database versjon: 1048
Windows 5.1.2600 Service Pack 2

22:18:07 13.08.2008
mbam-log-8-13-2008 (22-18-07).txt

Skanntype: Rask Skann
Objekter skannet: 37625
Tid tilbakelagt: 3 minute(s), 1 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 0

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
(Ingen mistenkelige filer funnet)

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
(Ingen mistenkelige filer funnet)

After the reboot, without having connected to the net.
norbat, 13 August 2008

Now run combofix again and post the log, and we'll take care of whatever is left based on what the log shows.
LeLiLa (thread author), 13 August 2008

ComboFix log!

ComboFix 08-08-12.01 - Bjerkeli 2008-08-13 22:47:55.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.798 [GMT 2:00]
Running from: C:\Documents and Settings\Bjerkeli\Lokale innstillinger\Programdata\Opera\Opera\profile\cache4\temporary_download\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
F:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.
2008-08-13 22:51 . 2008-08-13 22:51 0 --a------ C:\47.tmp
2008-08-13 22:51 . 2008-08-13 22:51 0 --a------ C:\46.tmp
2008-08-13 22:49 . 2008-08-13 22:49 0 --a------ C:\45.tmp
2008-08-13 22:49 . 2008-08-13 22:49 0 --a------ C:\44.tmp
2008-08-13 22:49 . 2008-08-13 22:49 0 --a------ C:\43.tmp
2008-08-13 22:49 . 2008-08-13 22:49 0 --a------ C:\42.tmp
2008-08-13 22:48 . 2008-08-13 22:48 0 --a------ C:\41.tmp
2008-08-13 22:48 . 2008-08-13 22:48 0 --a------ C:\40.tmp
2008-08-13 22:48 . 2008-08-13 22:48 0 --a------ C:\3F.tmp
2008-08-13 22:48 . 2008-08-13 22:48 0 --a------ C:\3E.tmp
2008-08-13 22:48 . 2008-08-13 22:48 0 --a------ C:\3D.tmp
2008-08-13 22:48 . 2008-08-13 22:48 0 --a------ C:\3C.tmp
2008-08-13 22:48 . 2008-08-13 22:48 0 --a------ C:\3B.tmp
2008-08-13 22:48 . 2008-08-13 22:48 0 --a------ C:\3A.tmp
2008-08-13 22:48 . 2008-08-13 22:48 0 --a------ C:\39.tmp
2008-08-13 22:47 . 2008-08-13 22:47 0 --a------ C:\38.tmp
2008-08-13 22:46 . 2008-08-13 22:46 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-08-13 22:46 . 2008-08-13 22:46 0 --a------ C:\37.tmp
2008-08-13 22:46 . 2008-08-13 22:46 0 --a------ C:\36.tmp
2008-08-13 22:46 . 2008-08-13 22:46 0 --a------ C:\35.tmp
2008-08-13 22:46 . 2008-08-13 22:46 0 --a------ C:\34.tmp
2008-08-13 22:46 . 2008-08-13 22:46 0 --a------ C:\33.tmp
2008-08-13 22:46 . 2008-08-13 22:46 0 --a------ C:\32.tmp
2008-08-13 22:46 . 2008-08-13 22:46 0 --a------ C:\31.tmp
2008-08-13 22:46 . 2008-08-13 22:46 0 --a------ C:\1F.tmp
2008-08-13 22:45 . 2008-08-13 22:45 0 --a------ C:\F.tmp
2008-08-13 22:45 . 2008-08-13 22:45 0 --a------ C:\E.tmp
2008-08-13 22:45 . 2008-08-13 22:45 0 --a------ C:\D.tmp
2008-08-13 22:43 . 2008-08-13 22:43 0 --a------ C:\1E.tmp
2008-08-13 22:43 . 2008-08-13 22:43 0 --a------ C:\1D.tmp
2008-08-13 22:42 . 2008-08-13 22:42 0 --a------ C:\1C.tmp
2008-08-13 22:42 . 2008-08-13 22:42 0 --a------ C:\1B.tmp
2008-08-13 22:42 . 2008-08-13 22:42 0 --a------ C:\18.tmp
2008-08-13 22:42 . 2008-08-13 22:42 0 --a------ C:\17.tmp
2008-08-13 22:42 . 2008-08-13 22:42 0 --a------ C:\16.tmp
2008-08-13 22:42 . 2008-08-13 22:42 0 --a------ C:\15.tmp
2008-08-13 22:42 . 2008-08-13 22:42 0 --a------ C:\14.tmp
2008-08-13 22:41 . 2008-08-13 22:41 0 --a------ C:\C.tmp
2008-08-13 22:41 . 2008-08-13 22:41 0 --a------ C:\13.tmp
2008-08-13 22:41 . 2008-08-13 22:41 0 --a------ C:\12.tmp
2008-08-13 22:41 . 2008-08-13 22:41 0 --a------ C:\11.tmp
2008-08-13 22:41 . 2008-08-13 22:41 0 --a------ C:\10.tmp
2008-08-13 19:57 . 2008-08-13 19:57 20,747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-08-13 19:56 . 2008-08-13 19:56 <DIR> d-------- C:\Programfiler\Belkin
2008-08-13 19:56 . 2004-04-30 15:12 40,960 --a------ C:\WINDOWS\system32\F5D9050.dll
2008-08-13 19:56 . 2005-06-15 04:35 36,864 --a------ C:\WINDOWS\system32\ss.dll
2008-08-13 19:56 . 2005-06-18 02:48 19,968 --a------ C:\WINDOWS\system32\drivers\ss.sys
2008-08-13 17:09 . 2008-08-13 17:09 48,128 --a------ C:\19.tmp
2008-08-13 17:09 . 2008-08-13 17:09 44,032 --a------ C:\30.tmp
2008-08-13 17:09 . 2008-08-13 17:09 7,168 --a------ C:\1A.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\B.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\A.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\9.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\8.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\7.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\6.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\5.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\4.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\3.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\2.tmp
2008-08-13 17:02 . 2008-08-13 17:02 0 --a------ C:\2F.tmp
2008-08-13 17:02 . 2008-08-13 17:02 0 --a------ C:\2E.tmp
2008-08-13 17:02 . 2008-08-13 17:02 0 --a------ C:\2D.tmp
2008-08-13 17:02 . 2008-08-13 17:02 0 --a------ C:\2C.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\2B.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\2A.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\29.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\28.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\27.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\26.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\23.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\22.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\21.tmp
2008-08-13 17:00 . 2008-08-13 17:00 0 --a------ C:\20.tmp
2008-08-13 16:40 . 2005-11-09 00:26 49,152 --a------ C:\WINDOWS\system32\moveex.exe
2008-08-13 16:40 . 2008-08-13 16:40 0 --a------ C:\25.tmp
2008-08-13 16:40 . 2008-08-13 16:40 0 --a------ C:\24.tmp
2008-08-13 16:39 . 2008-08-13 16:39 <DIR> d-------- C:\Programfiler\Trend Micro
2008-08-13 16:14 . 2008-08-13 16:14 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-08-13 16:14 . 2008-08-13 16:14 <DIR> d-------- C:\Documents and Settings\Bjerkeli\Programdata\Malwarebytes
2008-08-13 16:14 . 2008-08-13 16:14 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-08-13 16:14 . 2008-07-30 20:14 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-13 16:14 . 2008-07-30 20:14 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 17:56 --------- d-----w C:\Programfiler\Fellesfiler\InstallShield
2008-08-10 15:16 3,727,360 --sha-r C:\WINDOWS\Mixa.exe
2008-08-10 14:16 3,727,360 --sha-r C:\WINDOWS\system32\systemio.exe
2008-08-10 14:16 3,727,360 --sha-r C:\Mixa_I.exe
.
------- Sigcheck -------
2004-08-03 23:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-03 23:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers\tcpip.sys
2004-08-04 01:03 1042944 dc39ebe26bbb98a3942e0700c3df117b C:\WINDOWS\explorer.exe
2004-08-04 01:03 1042944 ba74e435f1108333647c5726a2a54d6d C:\WINDOWS\system32\dllcache\explorer.exe
2004-08-04 01:03 58880 12cbed62f0c910e5cefd692bc68a6b24 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 01:03 26112 dc26c74402c401843c877bfc52f8c7b5 C:\WINDOWS\system32\dllcache\ctfmon.exe
2004-08-04 01:03 68608 ad3b8e7ac4d71caddd241cbbc4dcbb09 C:\WINDOWS\system32\spoolsv.exe
2004-08-04 01:03 68608 11663c540061a6b7ae565b0a419dd03b C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot_2008-08-13_22.46.13.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-20 18:02:28 177,664 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-20 18:02:28 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2000-08-31 06:00:00 41,472 ----a-w C:\WINDOWS\nircmd.exe
+ 2000-08-31 06:00:00 41,984 ----a-w C:\WINDOWS\nircmd.exe
- 2000-08-31 06:00:00 336,896 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 06:00:00 173,056 ----a-w C:\WINDOWS\swreg.exe
- 2008-08-13 20:45:35 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-13 20:51:16 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-13 20:45:35 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\index.dat
+ 2008-08-13 20:51:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\index.dat
- 2008-08-13 20:45:35 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-13 20:51:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03 58880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Virus"="C:\WINDOWS\Mixa.exe" [2008-08-10 17:16 3727360]
"F5D9050"="C:\Programfiler\Belkin\F5D9050\Belkinwcui.exe" [2006-02-14 14:19 1544192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:03 58880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\systemio.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=WIKI.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Jqv84.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pwc27.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\1A.tmp"=

R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys [2005-06-18 02:48]
S0 Jqv84;Jqv84;C:\WINDOWS\system32\Drivers\Jqv84.sys []
S0 Pwc27;Pwc27;C:\WINDOWS\system32\Drivers\Pwc27.sys []
.
.
------- Supplementary Scan -------
.
R0 -: HKLM-Main,Start Page = about:blank

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 22:51:33
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\47.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-13 22:52:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-13 20:52:12
ComboFix2.txt 2008-08-13 20:46:39
ComboFix3.txt 2008-08-13 15:04:58
ComboFix4.txt 2008-08-13 14:40:45

Pre-Run: 155,317,166,080 byte ledig
Post-Run: 155,289,423,872 byte ledig

188
norbat, 13 August 2008

Open Notepad and copy in what is in bold below, then save the file on the desktop as CFScript.txt. Then drag the file onto the Combofix icon. Combofix will start again.

File::
C:\WINDOWS\Mixa.exe
C:\WINDOWS\system32\systemio.exe
C:\Mixa_I.exe
C:\47.tmp

Driver::
Jqv84
Pwc27

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Virus"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Jqv84.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Pwc27.sys]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\1A.tmp"=-

Post the log. Check whether you have got your network connection back.
LeLiLa Skrevet 13. august 2008 Forfatter Del Skrevet 13. august 2008 Takk så meget for hjelpen, nettverket er tilbake ! Men er det noen måte å beskytte mot viruset på? Skal installere Avira nå, andre ting som kan hjelpe? Her kommer loggen: ComboFix 08-08-12.01 - Bjerkeli 2008-08-13 23:17:38.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1044.18.796 [GMT 2:00] Running from: C:\Documents and Settings\Bjerkeli\Lokale innstillinger\Programdata\Opera\Opera\profile\cache4\temporary_download\ComboFix.exe Command switches used :: F:\logg\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: C:\47.tmp C:\Mixa_I.exe C:\WINDOWS\Mixa.exe C:\WINDOWS\system32\systemio.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\47.tmp C:\autorun.inf C:\Mixa_I.exe C:\WINDOWS\Mixa.exe C:\WINDOWS\system32\systemio.exe F:\Autorun.inf . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_JQV84 -------\Legacy_PWC27 -------\Service_Jqv84 -------\Service_Pwc27 ((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 ))))))))))))))))))))))))))))))) . 2008-08-13 23:20 . 2008-08-13 23:20 0 --a------ C:\6E.tmp 2008-08-13 22:52 . 2008-08-13 22:52 0 --a------ C:\50.tmp 2008-08-13 22:52 . 2008-08-13 22:52 0 --a------ C:\4F.tmp 2008-08-13 22:52 . 2008-08-13 22:52 0 --a------ C:\4E.tmp 2008-08-13 22:52 . 2008-08-13 22:52 0 --a------ C:\4D.tmp 2008-08-13 22:51 . 2008-08-13 22:51 0 --a------ C:\4C.tmp 2008-08-13 22:51 . 2008-08-13 22:51 0 --a------ C:\4B.tmp 2008-08-13 22:51 . 2008-08-13 22:51 0 --a------ C:\4A.tmp 2008-08-13 22:51 . 2008-08-13 22:51 0 --a------ C:\49.tmp 2008-08-13 22:51 . 2008-08-13 22:51 0 --a------ C:\48.tmp 2008-08-13 22:51 . 2008-08-13 22:51 0 --a------ C:\46.tmp 2008-08-13 22:49 . 2008-08-13 22:49 0 --a------ C:\45.tmp 2008-08-13 22:49 . 
2008-08-13 22:49 0 --a------ C:\44.tmp
2008-08-13 22:49 . 2008-08-13 22:49 0 --a------ C:\43.tmp
2008-08-13 22:49 . 2008-08-13 22:49 0 --a------ C:\42.tmp
2008-08-13 22:48 . 2008-08-13 22:48 0 --a------ C:\41.tmp
2008-08-13 22:48 . 2008-08-13 22:48 0 --a------ C:\40.tmp
2008-08-13 22:48 . 2008-08-13 22:48 0 --a------ C:\3F.tmp
2008-08-13 22:48 . 2008-08-13 22:48 0 --a------ C:\3E.tmp
2008-08-13 22:48 . 2008-08-13 22:48 0 --a------ C:\3D.tmp
2008-08-13 22:48 . 2008-08-13 22:48 0 --a------ C:\3C.tmp
2008-08-13 22:48 . 2008-08-13 22:48 0 --a------ C:\3B.tmp
2008-08-13 22:48 . 2008-08-13 22:48 0 --a------ C:\3A.tmp
2008-08-13 22:48 . 2008-08-13 22:48 0 --a------ C:\39.tmp
2008-08-13 22:47 . 2008-08-13 22:47 0 --a------ C:\38.tmp
2008-08-13 22:46 . 2008-08-13 22:46 0 --a------ C:\37.tmp
2008-08-13 22:46 . 2008-08-13 22:46 0 --a------ C:\36.tmp
2008-08-13 22:46 . 2008-08-13 22:46 0 --a------ C:\35.tmp
2008-08-13 22:46 . 2008-08-13 22:46 0 --a------ C:\34.tmp
2008-08-13 22:46 . 2008-08-13 22:46 0 --a------ C:\33.tmp
2008-08-13 22:46 . 2008-08-13 22:46 0 --a------ C:\32.tmp
2008-08-13 22:46 . 2008-08-13 22:46 0 --a------ C:\31.tmp
2008-08-13 22:46 . 2008-08-13 22:46 0 --a------ C:\1F.tmp
2008-08-13 22:45 . 2008-08-13 22:45 0 --a------ C:\F.tmp
2008-08-13 22:45 . 2008-08-13 22:45 0 --a------ C:\E.tmp
2008-08-13 22:45 . 2008-08-13 22:45 0 --a------ C:\D.tmp
2008-08-13 22:43 . 2008-08-13 22:43 0 --a------ C:\1E.tmp
2008-08-13 22:43 . 2008-08-13 22:43 0 --a------ C:\1D.tmp
2008-08-13 22:42 . 2008-08-13 22:42 0 --a------ C:\1C.tmp
2008-08-13 22:42 . 2008-08-13 22:42 0 --a------ C:\1B.tmp
2008-08-13 22:42 . 2008-08-13 22:42 0 --a------ C:\18.tmp
2008-08-13 22:42 . 2008-08-13 22:42 0 --a------ C:\17.tmp
2008-08-13 22:42 . 2008-08-13 22:42 0 --a------ C:\16.tmp
2008-08-13 22:42 . 2008-08-13 22:42 0 --a------ C:\15.tmp
2008-08-13 22:42 . 2008-08-13 22:42 0 --a------ C:\14.tmp
2008-08-13 22:41 . 2008-08-13 22:41 0 --a------ C:\C.tmp
2008-08-13 22:41 . 2008-08-13 22:41 0 --a------ C:\13.tmp
2008-08-13 22:41 . 2008-08-13 22:41 0 --a------ C:\12.tmp
2008-08-13 22:41 . 2008-08-13 22:41 0 --a------ C:\11.tmp
2008-08-13 22:41 . 2008-08-13 22:41 0 --a------ C:\10.tmp
2008-08-13 19:57 . 2008-08-13 19:57 20,747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-08-13 19:56 . 2008-08-13 19:56 <DIR> d-------- C:\Programfiler\Belkin
2008-08-13 19:56 . 2004-04-30 15:12 40,960 --a------ C:\WINDOWS\system32\F5D9050.dll
2008-08-13 19:56 . 2005-06-15 04:35 36,864 --a------ C:\WINDOWS\system32\ss.dll
2008-08-13 19:56 . 2005-06-18 02:48 19,968 --a------ C:\WINDOWS\system32\drivers\ss.sys
2008-08-13 17:09 . 2008-08-13 17:09 48,128 --a------ C:\19.tmp
2008-08-13 17:09 . 2008-08-13 17:09 44,032 --a------ C:\30.tmp
2008-08-13 17:09 . 2008-08-13 17:09 7,168 --a------ C:\1A.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\B.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\A.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\9.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\8.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\7.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\6.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\5.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\4.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\3.tmp
2008-08-13 17:04 . 2008-08-13 17:04 0 --a------ C:\2.tmp
2008-08-13 17:02 . 2008-08-13 17:02 0 --a------ C:\2F.tmp
2008-08-13 17:02 . 2008-08-13 17:02 0 --a------ C:\2E.tmp
2008-08-13 17:02 . 2008-08-13 17:02 0 --a------ C:\2D.tmp
2008-08-13 17:02 . 2008-08-13 17:02 0 --a------ C:\2C.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\2B.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\2A.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\29.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\28.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\27.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\26.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\23.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\22.tmp
2008-08-13 17:01 . 2008-08-13 17:01 0 --a------ C:\21.tmp
2008-08-13 17:00 . 2008-08-13 17:00 0 --a------ C:\20.tmp
2008-08-13 16:40 . 2005-11-09 00:26 49,152 --a------ C:\WINDOWS\system32\moveex.exe
2008-08-13 16:40 . 2008-08-13 16:40 0 --a------ C:\25.tmp
2008-08-13 16:40 . 2008-08-13 16:40 0 --a------ C:\24.tmp
2008-08-13 16:39 . 2008-08-13 16:39 <DIR> d-------- C:\Programfiler\Trend Micro
2008-08-13 16:14 . 2008-08-13 16:14 <DIR> d-------- C:\Programfiler\Malwarebytes' Anti-Malware
2008-08-13 16:14 . 2008-08-13 16:14 <DIR> d-------- C:\Documents and Settings\Bjerkeli\Programdata\Malwarebytes
2008-08-13 16:14 . 2008-08-13 16:14 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Malwarebytes
2008-08-13 16:14 . 2008-07-30 20:14 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-13 16:14 . 2008-07-30 20:14 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 17:56 --------- d-----w C:\Programfiler\Fellesfiler\InstallShield
.
------- Sigcheck -------
2004-08-03 23:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\dllcache\tcpip.sys
2004-08-03 23:14 359040 1745b00fc1141404b28f4b94f69a8871 C:\WINDOWS\system32\drivers\tcpip.sys
2004-08-04 01:03 1042944 dc39ebe26bbb98a3942e0700c3df117b C:\WINDOWS\explorer.exe
2004-08-04 01:03 1042944 ba74e435f1108333647c5726a2a54d6d C:\WINDOWS\system32\dllcache\explorer.exe
2004-08-04 01:03 58880 12cbed62f0c910e5cefd692bc68a6b24 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 01:03 26112 dc26c74402c401843c877bfc52f8c7b5 C:\WINDOWS\system32\dllcache\ctfmon.exe
2004-08-04 01:03 68608 ad3b8e7ac4d71caddd241cbbc4dcbb09 C:\WINDOWS\system32\spoolsv.exe
2004-08-04 01:03 68608 11663c540061a6b7ae565b0a419dd03b C:\WINDOWS\system32\dllcache\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot_2008-08-13_22.46.13.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 06:00:00 336,896 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 06:00:00 205,824 ----a-w C:\WINDOWS\swreg.exe
- 2004-08-03 23:03:28 55,296 ----a-w C:\WINDOWS\system32\alg.exe
+ 2004-08-03 23:03:28 88,064 ----a-w C:\WINDOWS\system32\alg.exe
- 2008-08-13 20:45:35 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-13 21:20:29 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-13 20:45:35 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\index.dat
+ 2008-08-13 21:20:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\index.dat
- 2008-08-13 20:45:35 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-13 21:20:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03 58880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F5D9050"="C:\Programfiler\Belkin\F5D9050\Belkinwcui.exe" [2006-02-14 14:19 1544192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:03 58880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=WIKI.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys [2005-06-18 02:48]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 23:20:42
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\6E.tmp 0 bytes
scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-13 23:21:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-13 21:21:21
ComboFix2.txt 2008-08-13 20:52:20
ComboFix3.txt 2008-08-13 20:46:39
ComboFix4.txt 2008-08-13 15:04:58
ComboFix5.txt 2008-08-13 21:17:18

Pre-Run: 155,275,694,080 byte ledig
Post-Run: 155,236,507,648 byte ledig

195
LeLiLa (author), posted 13 August 2008: Omg, this comes up every time I try to install Avira on this PC. What is going on? What should I do?
norbat, posted 13 August 2008:
Step 1: Go to the site http://virusscan.jotti.org/ and upload the following file for checking: C:\WINDOWS\system32\moveex.exe
Use Explorer to delete the files of this type: C:\6E.tmp C:\50.tmp .......
Step 2: Download CCleaner. Start the program. Go to 'Options'->'Advanced'. Untick the box in front of: "only delete temporary files......." Click 'Cleaner' and then 'Run CCleaner'. Also run a few rounds of 'Registry' until it finds no more errors.
Step 3: Download SAS, install it, update it and run a full (Complete) scan.
Step 4: Download Avira and put the installation file on the desktop. Run the file from there.
Report back on whether SAS found anything other than cookies and how the Avira installation goes.
LeLiLa (author), posted 13 August 2008: This error comes up with SAS, and so the same error comes up with the Avira install.
norbat, posted 14 August 2008: Check whether Windows needs updates (Windows Update). If there is still a problem, try reinstalling Windows Installer.
LeLiLa (author), posted 14 August 2008: I have a pirated copy of Windows, can I still run updates? 0o