Gjest Slettet+41234586 Skrevet 13. august 2008 Del Skrevet 13. august 2008 Har fått en trojansk hest som popper opp "love calculator" nettsider annethvert minutt... Har gått gjennom alle punktene i post en, her er loggene: Combofix: Klikk for å se/fjerne innholdet nedenfor ComboFix 08-08-12.01 - Emily 2008-08-13 21:51:00.1 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.156 [GMT 2:00] Running from: C:\Program Files\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\__c002521A.dat C:\WINDOWS\system32\__c00FF459.dat C:\xcrashdump.dat . ((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 ))))))))))))))))))))))))))))))) . 2008-08-13 21:26 . 2008-08-13 21:26 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware 2008-08-13 21:26 . 2008-08-13 21:26 <DIR> d-------- C:\Documents and Settings\Emily\Programdata\SUPERAntiSpyware.com 2008-08-13 21:26 . 2008-08-13 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com 2008-08-13 21:25 . 2008-08-13 21:25 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard 2008-08-13 21:22 . 2008-08-13 21:22 <DIR> dr-h----- C:\Documents and Settings\Emily\Siste 2008-08-13 21:19 . 2008-08-13 21:19 <DIR> d-------- C:\Programfiler\CCleaner 2008-08-12 19:22 . 2008-08-12 21:32 <DIR> d--h----- C:\$AVG8.VAULT$ 2008-07-22 21:44 . 2008-07-22 21:44 <DIR> d-------- C:\Documents and Settings\Emily\Programdata\Sony 2008-07-22 21:44 . 2008-07-22 21:44 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Sony 2008-07-22 21:41 . 2008-07-22 21:41 <DIR> d-------- C:\Programfiler\Sony 2008-07-22 20:11 . 2008-07-22 21:13 <DIR> d-------- C:\Programfiler\Avanquest update 2008-07-22 20:11 . 2008-07-22 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\BVRP Software 2008-07-22 20:09 . 2008-07-22 21:41 <DIR> d-------- C:\Programfiler\Sony Ericsson 2008-07-22 20:09 . 2008-07-22 20:09 <DIR> d-------- C:\Documents and Settings\Emily\Programdata\InstallShield 2008-07-22 20:09 . 2008-07-22 20:09 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Sony Ericsson 2008-07-21 22:15 . 2008-07-27 22:36 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-13 19:46 --------- d-----w C:\Documents and Settings\Emily\Programdata\Skype 2008-08-12 06:34 --------- d-----w C:\Documents and Settings\Emily\Programdata\ZoomBrowser EX 2008-08-12 06:34 --------- d-----w C:\Documents and Settings\All Users\Programdata\ZoomBrowser 2008-07-22 18:11 --------- d--h--w C:\Programfiler\InstallShield Installation Information 2008-07-02 19:20 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys 2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys 2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys 2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys 2008-06-17 20:47 --------- d-----w C:\Programfiler\AVG 2008-06-17 20:47 --------- d-----w C:\Documents and Settings\All Users\Programdata\avg8 2008-06-14 18:00 272,256 ------w C:\WINDOWS\system32\drivers\bthport.sys 2008-06-13 15:51 --------- d-----w C:\Programfiler\Microsoft CAPICOM 2.1.0.2 2007-11-07 19:52 4,114,344 ----a-w C:\Programfiler\bitcomet_setup.exe 2006-04-09 23:12 11,817,800 ----a-w C:\Programfiler\GoogleEarth.exe 2006-03-14 18:12 359,112 ----a-w C:\Programfiler\LimeWireWin.exe 2006-03-14 17:37 3,453,539 ----a-w C:\Programfiler\DCPlusPlus-0.687.exe 2005-08-21 15:30 17,920 ----a-w C:\Documents and Settings\Emily\Programdata\GDIPFONTCACHEV1.DAT . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360] "MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 11:34 5724184] "Creative Detector"="C:\Programfiler\Creative\MediaSource\Detector\CTDetect.exe" [2004-10-05 10:52 98304] "Skype"="C:\Programfiler\Skype\Phone\Skype.exe" [2006-10-13 06:20 20058152] "updateMgr"="C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472] "Sony Ericsson PC Suite"="C:\Programfiler\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 17:20 356352] "SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2003-09-04 21:36 110592] "SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2003-09-04 21:34 618496] "LaunchAp"="C:\Program Files\Launch Manager\LaunchAp.exe" [2004-01-28 18:46 32768] "HotkeyApp"="C:\Program Files\Launch Manager\HotkeyApp.exe" [2004-01-28 11:15 40960] "CtrlVol"="C:\Program Files\Launch Manager\CtrlVol.exe" [2003-09-16 15:28 20480] "LMgrOSD"="C:\Program Files\Launch Manager\OSD.exe" [2003-06-25 11:53 204800] "Wbutton"="C:\Program Files\Launch Manager\Wbutton.exe" [2004-01-30 18:11 65536] "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-07-09 16:25 155648] "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-07-09 16:13 114688] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 04:48 36975] "QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2008-01-10 16:27 385024] "snpstd"="C:\WINDOWS\vsnpstd.exe" [2003-12-31 18:39 40960] "InCD"="C:\Programfiler\Ahead\InCD\InCD.exe" [2003-07-31 19:17 1208380] "NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 12:50 155648] "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-02 21:20 1232152] "AGRSMMSG"="AGRSMMSG.exe" [2003-06-26 20:53 88363 C:\WINDOWS\AGRSMMSG.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360] C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\ Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696] Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360] VPN Client.lnk - C:\WINDOWS\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2005-03-31 10:05:13 6144] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Programfiler\\Messenger\\msmsgs.exe"= "C:\\Programfiler\\FlashFXP\\flashfxp.exe"= "C:\\Programfiler\\SmartFTP Client 2.0\\SmartFTP.exe"= "C:\\StubInstaller.exe"= "C:\\Programfiler\\LimeWire\\LimeWire.exe"= "C:\\WINDOWS\\amcap.exe"= "C:\\Programfiler\\BitComet\\BitComet.exe"= "C:\\Programfiler\\VideoLAN\\VLC\\vlc.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Programfiler\\AVG\\AVG8\\avgupd.exe"= "C:\\Programfiler\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"= "C:\\Programfiler\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "23975:TCP"= 23975:TCP:BitComet 23975 TCP "23975:UDP"= 23975:UDP:BitComet 23975 UDP R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-02 21:20] R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 12:27] R1 Wbutton;Wbutton;C:\WINDOWS\system32\drivers\Wbutton.sys [2002-10-23 12:25] R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-02 21:20] S3 s217bus;Sony Ericsson Device 217 driver (WDM);C:\WINDOWS\system32\DRIVERS\s217bus.sys [2007-11-02 15:22] S3 s217mdfl;Sony Ericsson Device 217 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s217mdfl.sys [2007-11-02 15:22] S3 s217mdm;Sony Ericsson Device 217 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s217mdm.sys [2007-11-02 15:22] S3 s217mgmt;Sony Ericsson Device 217 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s217mgmt.sys [2007-11-02 15:22] S3 s217nd5;Sony Ericsson Device 217 USB Ethernet Emulation SEMC217 (NDIS);C:\WINDOWS\system32\DRIVERS\s217nd5.sys [2007-11-02 15:22] S3 s217obex;Sony Ericsson Device 217 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s217obex.sys [2007-11-02 15:22] S3 s217unic;Sony Ericsson Device 217 USB Ethernet Emulation SEMC217 (WDM);C:\WINDOWS\system32\DRIVERS\s217unic.sys [2007-11-02 15:22] . Contents of the 'Scheduled Tasks' folder 2008-08-11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Programfiler\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57] 2008-08-12 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Programfiler\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 13:24] . - - - - ORPHANS REMOVED - - - - HKLM-Run-BVRPLiveUpdate - C:\Programfiler\Avanquest update\Engine\Setup.exe Notify-__c002521A - C:\WINDOWS\system32\__c002521A.dat . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\Emily\Programdata\Mozilla\Firefox\Profiles\jebnep9r.default\ ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-13 21:57:29 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... C:\WINDOWS\TEMP\84edd3f1-9560-4f42-95c9-171db0b6578a.tmp C:\WINDOWS\TEMP\8a8e38cf-37a2-473a-8f94-2971730fc7a9.tmp scan completed successfully hidden files: 2 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\CTSVCCDA.EXE C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe C:\Programfiler\Ahead\InCD\incdsrv.exe C:\Programfiler\Canon\CAL\CALMAIN.exe C:\Programfiler\AVG\AVG8\avgrsx.exe C:\Programfiler\AVG\AVG8\avgtray.exe . ************************************************************************** . Completion time: 2008-08-13 22:07:31 - machine was rebooted ComboFix-quarantined-files.txt 2008-08-13 20:07:06 Pre-Run: 8,658,862,080 byte ledig Post-Run: 8,715,317,248 byte ledig 167 --- E O F --- 2008-07-22 19:26:25 Hijackthis Klikk for å se/fjerne innholdet nedenfor Logfile of Trend Micro HijackThis v2.0.2Scan saved at 22:15:08, on 13.08.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe C:\Programfiler\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\svchost.exe C:\Programfiler\Canon\CAL\CALMAIN.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINDOWS\AGRSMMSG.exe C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Launch Manager\LaunchAp.exe C:\Program Files\Launch Manager\HotkeyApp.exe C:\Program Files\Launch Manager\OSD.exe C:\Program Files\Launch Manager\Wbutton.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Programfiler\Java\jre1.5.0_03\bin\jusched.exe C:\WINDOWS\vsnpstd.exe C:\Programfiler\Ahead\InCD\InCD.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\WINDOWS\system32\ctfmon.exe C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe C:\Programfiler\Creative\MediaSource\Detector\CTDetect.exe C:\Programfiler\Skype\Phone\Skype.exe C:\Programfiler\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Programfiler\Internet Explorer\iexplore.exe C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WLLoginProxy.exe C:\Programfiler\Windows Live\Messenger\usnsvc.exe C:\Programfiler\BitComet\BitComet.exe C:\Programfiler\Trend Micro\test\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vg.no/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programfiler\BitComet\tools\BitCometBHO.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programfiler\AVG\AVG8\avgssie.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Programfiler\FlashFXP\IEFlash.dll O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSD.exe O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe" O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe O4 - HKLM\..\Run: [inCD] C:\Programfiler\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [Creative Detector] C:\Programfiler\Creative\MediaSource\Detector\CTDetect.exe /R O4 - HKCU\..\Run: [skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [updateMgr] "C:\Programfiler\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 O4 - HKCU\..\Run: [sony Ericsson PC Suite] "C:\Programfiler\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: VPN Client.lnk = ? O8 - Extra context menu item: Download all links using BitComet - res://C:\Programfiler\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: Download all videos using BitComet - res://C:\Programfiler\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: Download link using &BitComet - res://C:\Programfiler\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_09\bin\npjpi142_09.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_09\bin\npjpi142_09.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.ezproxy.auckland.ac...s/ebraryRdr.cab O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110835193014 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O16 - DPF: {D1EA8D3D-F511-4388-B754-4A0CC14A4778} (Aurigma Image Uploader 3.0 Control) - http://foto.vg.no/activex/ImageUploader3.cab O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programfiler\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programfiler\Canon\CAL\CALMAIN.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programfiler\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Programfiler\Ahead\InCD\InCDsrv.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe -- End of file - 10136 bytes SuperAntiSpyware: Klikk for å se/fjerne innholdet nedenfor SUPERAntiSpyware Scan Loghttp://www.superantispyware.com Generated 08/13/2008 at 09:39 PM Application Version : 4.15.1000 Core Rules Database Version : 3535 Trace Rules Database Version: 1524 Scan type : Quick Scan Total Scan Time : 00:10:53 Memory items scanned : 450 Memory threats detected : 0 Registry items scanned : 398 Registry threats detected : 0 File items scanned : 5604 File threats detected : 0 Lenke til kommentar
r2d290 Skrevet 13. august 2008 Del Skrevet 13. august 2008 Combofix fjernet tre filer. Utenom det, ser jeg ikke noe galt med loggene. Merker du fortsatt dette problemet? Lenke til kommentar
marama Skrevet 14. august 2008 Del Skrevet 14. august 2008 samme trojaner som jeg plages med å få fjernet kanskje.. fikk den for 2-3 dager siden. popper opp love calculator +div andre sider på norsk... adressen er fra wixawin.no eller no sånt.. har prøvd mange forskjellige spyware programmer, men d funker ikke.. eneste som finner den er AVG. ligger i virus vault men får ikke fjernet den... pcn er merkbart tregere. men skjønner ikke helt dette hijack greiene.. men skal sette meg ned å prøve å lese noen tråder for å se om jeg blir noe klokere. Lenke til kommentar
r2d290 Skrevet 14. august 2008 Del Skrevet 14. august 2008 Og loggen du lager, poster du i en EGEN tråd, ved å trykke "nytt emne". Det er ikke så vanskelig. Bare gjør akkurat som jeg sier: Først Combofix: Last ned Combofix (av sUBs), og legg det på Skrivebordet. Kjør combofix.exe, og følg veiledningen. Du får et spørsmål om at "Roughly 1/100 machines failed to make it through the disinfection process!! Are you sure you want to do this??" - Svar Yes Du må ikke klikke på vinduet mens programmet kjører. Dette kan føre til at programmet fryser. Post loggfilen fra Combofix (c:\combofix.txt) Så HijackThis: Gjør følgende: Last ned 'HijackThis'. Lagre den i en permanent mappe, f.eks i C:\HJT\, dobbelklikk på HijackThis.exe, og trykk Do a system scan and save a logfile. Når Notisblokk-vinduet åpnes, trykker du Ctrl-A for å markere hele teksten, kopierer det Ctrl-C og limer det inn i din neste post på forumet Ctrl-V. Mesteparten av innholdet i lista er trygt. Ikke fiks noe enda. Du vil da få en logg tilsvarende den i spoiler nedenfor: Logfile of HijackThis v1.99.1 Scan saved at 17:06:11, on 08.09.2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Programfiler\Sygate\SPF\smc.exe C:\WINDOWS\system32\spoolsv.exe c:\programfiler\fellesfiler\logitech\lvmvfm\LVPrcSrv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\LVCOMSX.EXE C:\Programfiler\Logitech\Video\CameraAssistant.exe C:\WINDOWS\system32\ElkCtrl.exe C:\WINDOWS\SOUNDMAN.EXE C:\Programfiler\Java\jre1.5.0_07\bin\jusched.exe C:\Programfiler\Ahead\InCD\InCD.exe C:\Programfiler\MSN Messenger\MsnMsgr.Exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Kenneth\Skrivebord\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://stealthy.foolishgames.net/news.php R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_07\bin\ssv.dll O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Programfiler\Logitech\Video\CameraAssistant.exe O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Programfiler\Logitech\Video\InstallHelper.exe /inspect O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Programfiler\RivaTuner v2.0 RC 16\RivaTuner.exe" /S O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programfiler\fellesfiler\logitech\lvmvfm\LVPrcSrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programfiler\Sygate\SPF\smc.exe[/code] Når du har gjort dette, er det bare å vente på svar... Lenke til kommentar
marama Skrevet 14. august 2008 Del Skrevet 14. august 2008 oioi, jeg skal prøve så gått jeg kan.. takker Lenke til kommentar
marama Skrevet 14. august 2008 Del Skrevet 14. august 2008 ComboFix 08-08-13.05 - Stig Øyvind 2008-08-14 20:11:39.2 - NTFSx86 Running from: C:\Documents and Settings\Stig Øyvind\Skrivebord\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ---- Previous Run ------- . C:\Documents and Settings\Stig Øyvind\Cookies.\stig øyvind@adserver[1].txt C:\Documents and Settings\Stig Øyvind\Cookies.\stig øyvind@adtrgt[2].txt C:\Documents and Settings\Stig Øyvind\Cookies.\stig øyvind@cubics[2].txt C:\Documents and Settings\Stig Øyvind\Cookies.\stig øyvind@ebay[2].txt C:\Documents and Settings\Stig Øyvind\Cookies.\stig ø[email protected][1].txt C:\Documents and Settings\Stig Øyvind\Cookies.\stig øyvind@tradedoubler[1].txt C:\WINDOWS\system32\__c00105A4.dat C:\WINDOWS\system32\__c00AA777.dat C:\WINDOWS\system32\~.exe . ((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 ))))))))))))))))))))))))))))))) . 2008-08-14 20:11 . 2008-08-14 20:11 <DIR> d-------- C:\327882R2FWJFW 2008-08-14 19:55 . 2008-08-14 19:55 <DIR> d-------- C:\WINDOWS\system32\xircom 2008-08-14 19:55 . 2008-08-14 19:55 <DIR> d-------- C:\Programfiler\microsoft frontpage 2008-08-14 19:19 . 2008-08-14 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com 2008-08-14 19:18 . 2008-08-14 20:05 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware 2008-08-14 19:18 . 2008-08-14 20:05 <DIR> d-------- C:\Documents and Settings\Stig Øyvind\Programdata\SUPERAntiSpyware.com 2008-08-14 19:16 . 2008-08-14 19:16 6,467,096 --a------ C:\Programfiler\SUPERAntiSpyware.exe 2008-08-14 19:01 . 2008-08-14 20:06 <DIR> d-a------ C:\Documents and Settings\All Users\Programdata\TEMP 2008-08-14 19:00 . 2008-08-14 19:00 13,559,336 --a------ C:\Programfiler\sdsetup.exe 2008-08-14 13:51 . 2008-08-14 19:19 <DIR> dr-h----- C:\Documents and Settings\Stig Øyvind\Siste 2008-08-14 13:51 . 2008-08-14 19:19 <DIR> dr-h----- C:\Documents and Settings\Stig Øyvind\Siste 2008-08-14 02:06 . 2008-08-14 02:07 1,374 --a------ C:\WINDOWS\imsins.BAK 2008-08-14 01:02 . 2008-08-14 01:02 <DIR> d-------- C:\Programfiler\CCleaner 2008-08-14 01:00 . 2008-08-14 01:00 2,922,072 --a------ C:\Programfiler\ccsetup210.exe 2008-08-13 21:46 . 2008-05-01 16:34 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll 2008-08-12 01:36 . 2008-08-14 19:16 <DIR> d--h----- C:\$AVG8.VAULT$ 2008-08-12 01:19 . 2008-08-14 09:33 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg 2008-08-12 01:19 . 2008-08-12 01:19 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys 2008-08-12 01:19 . 2008-08-12 01:19 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll 2008-08-12 01:18 . 2008-08-12 01:18 <DIR> d-------- C:\Programfiler\AVG 2008-08-12 01:18 . 2008-08-12 10:55 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\avg8 2008-08-12 01:07 . 2008-08-12 01:09 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft 2008-08-12 01:00 . 2008-08-12 01:05 19,153,264 --a------ C:\Programfiler\aaw2008.exe 2008-08-12 00:58 . 2008-08-12 01:12 48,367,896 --a------ C:\Programfiler\avg_free_stf_en_8_138a1332.exe 2008-08-11 14:13 . 2008-08-11 14:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-08-11 14:13 . 2008-08-11 14:13 1,409 --a------ C:\WINDOWS\QTFont.for 2008-08-06 21:52 . 2008-08-13 12:42 244 --ah----- C:\sqmnoopt19.sqm 2008-08-06 21:52 . 2008-08-13 12:42 232 --ah----- C:\sqmdata19.sqm 2008-08-05 17:58 . 2008-08-13 12:41 244 --ah----- C:\sqmnoopt18.sqm 2008-08-05 17:58 . 2008-08-13 12:41 232 --ah----- C:\sqmdata18.sqm 2008-08-05 11:09 . 2008-08-13 11:50 244 --ah----- C:\sqmnoopt17.sqm 2008-08-05 11:09 . 2008-08-13 11:50 232 --ah----- C:\sqmdata17.sqm 2008-08-01 23:44 . 2008-08-13 11:44 244 --ah----- C:\sqmnoopt16.sqm 2008-08-01 23:44 . 2008-08-13 11:44 232 --ah----- C:\sqmdata16.sqm 2008-07-30 21:42 . 2008-08-13 02:08 244 --ah----- C:\sqmnoopt15.sqm 2008-07-30 21:42 . 2008-08-13 02:08 232 --ah----- C:\sqmdata15.sqm 2008-07-28 15:38 . 2008-08-13 01:27 244 --ah----- C:\sqmnoopt14.sqm 2008-07-28 15:38 . 2008-08-13 01:27 232 --ah----- C:\sqmdata14.sqm 2008-07-22 16:05 . 2008-08-13 00:29 244 --ah----- C:\sqmnoopt13.sqm 2008-07-22 16:05 . 2008-08-13 00:29 232 --ah----- C:\sqmdata13.sqm 2008-07-21 18:48 . 2008-08-12 14:02 244 --ah----- C:\sqmnoopt12.sqm 2008-07-21 18:48 . 2008-08-12 14:02 232 --ah----- C:\sqmdata12.sqm 2008-07-20 23:39 . 2008-08-12 10:15 244 --ah----- C:\sqmnoopt11.sqm 2008-07-20 23:39 . 2008-08-12 10:15 232 --ah----- C:\sqmdata11.sqm 2008-07-20 23:33 . 2008-08-12 00:26 244 --ah----- C:\sqmnoopt10.sqm 2008-07-20 23:33 . 2008-08-12 00:26 232 --ah----- C:\sqmdata10.sqm 2008-07-18 23:55 . 2008-08-11 14:21 244 --ah----- C:\sqmnoopt09.sqm 2008-07-18 23:55 . 2008-08-11 14:21 232 --ah----- C:\sqmdata09.sqm 2008-07-18 21:39 . 2008-08-11 12:56 244 --ah----- C:\sqmnoopt08.sqm 2008-07-18 21:39 . 2008-08-11 12:56 232 --ah----- C:\sqmdata08.sqm . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-14 18:05 --------- d-----w C:\Programfiler\Fellesfiler\Wise Installation Wizard 2008-07-07 20:23 253,952 ----a-w C:\WINDOWS\system32\es.dll 2008-06-24 16:31 74,240 ----a-w C:\WINDOWS\system32\mscms.dll 2008-06-23 16:16 666,624 ----a-w C:\WINDOWS\system32\wininet.dll 2008-06-20 17:37 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll 2008-06-20 10:44 360,960 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys 2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys 2008-06-20 09:32 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys 2008-06-14 18:00 272,256 ------w C:\WINDOWS\system32\drivers\bthport.sys 2008-04-12 21:02 1,495,112 ----a-w C:\Programfiler\install_flash_player.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:03 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2006-08-11 18:56 794714] "SMSERIAL"="C:\WINDOWS\sm56hlpr.exe" [1963-01-01 00:00 565248] "QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-10-24 17:43 286720] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496] "Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792] "HP Software Update"="C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49 49152] "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-12 01:18 1232152] "VTTimer"="VTTimer.exe" [2006-08-03 14:53 53248 C:\WINDOWS\system32\VTTimer.exe] C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\ HP Digital Imaging Monitor.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048] HP Image Zone Hurtigstart.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=avgrsstx.dll [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "AdVantage"="C:\Programfiler\AdVantage\AdVantage.exe" "DAEMON Tools"="C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033 "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "S3Trayp"=S3trayp.exe "HDAudDeck"=C:\Programfiler\VIA\VIAudioi\HDADeck\HDeck.exe 1 "Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" "NeroFilterCheck"=C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_02\bin\jusched.exe" "GrooveMonitor"="C:\Programfiler\Microsoft Office\Office12\GrooveMonitor.exe" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"= "C:\\Programfiler\\MSN Messenger\\livecall.exe"= "C:\\Programfiler\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "C:\\Programfiler\\Microsoft Office\\Office12\\GROOVE.EXE"= "C:\\Programfiler\\Microsoft Office\\Office12\\ONENOTE.EXE"= "C:\\Programfiler\\AVG\\AVG8\\avgupd.exe"= R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-12 01:19] R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-12 01:18] R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 01:03] R3 S3GIGP;S3GIGP;C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2006-09-12 10:43] R3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\sis163u.sys [2006-07-03 17:11] S3 cxbu0wdm;CardMan 3x21;C:\WINDOWS\system32\DRIVERS\cxbu0wdm.sys [2008-01-15 12:39] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs UxTuneUp . Contents of the 'Scheduled Tasks' folder 2008-07-04 C:\WINDOWS\Tasks\1-Click Maintenance.job - C:\Programfiler\TuneUp Utilities 2007\SystemOptimizer.exe [2007-08-02 19:35] 2008-08-09 C:\WINDOWS\Tasks\WebReg psc 1600 series.job - C:\Programfiler\HP\Digital Imaging\bin\hpqwrg.exe [2004-11-04 20:12] . - - - - ORPHANS REMOVED - - - - Notify-__c00105A4 - C:\WINDOWS\system32\__c00105A4.dat Notify-WgaLogon - (no file) . ------- Supplementary Scan ------- . R0 -: HKCU-Main,Start Page = hxxp://www.startsiden.no/ O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-14 20:14:11 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll . Completion time: 2008-08-14 20:15:54 ComboFix-quarantined-files.txt 2008-08-14 18:15:42 Pre-Run: 29,764,689,920 byte ledig Post-Run: 29,758,713,856 byte ledig 170 --- E O F --- 2008-08-14 00:07:28 Lenke til kommentar
marama Skrevet 14. august 2008 Del Skrevet 14. august 2008 (endret) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 20:31:24, on 14.08.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\VTTimer.exe C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\WINDOWS\system32\ctfmon.exe C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe C:\WINDOWS\system32\wuauclt.exe C:\Programfiler\HP\Digital Imaging\bin\hpqgalry.exe C:\Programfiler\Java\jre1.6.0_03\bin\jucheck.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Programfiler\AVG\AVG8\avgrsx.exe C:\Programfiler\AVG\AVG8\avgrsx.exe C:\Programfiler\AVG\AVG8\avgrsx.exe C:\Programfiler\Internet Explorer\IEXPLORE.EXE C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O2 - BHO: Koblingshjelpeprogram for Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programfiler\AVG\AVG8\avgssie.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [sMSERIAL] C:\WINDOWS\sm56hlpr.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [HP Software Update] "C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOKAL TJENESTE') O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOKAL TJENESTE') O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETTVERKSTJENESTE') O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user') O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Hurtigstart.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqthb08.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing) O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programfiler\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: NMIndexingService - Nero AG - C:\Programfiler\Fellesfiler\Ahead\Lib\NMIndexingService.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe -- End of file - 5849 bytes Ble dette riktig? Endret 14. august 2008 av marama Lenke til kommentar
r2d290 Skrevet 14. august 2008 Del Skrevet 14. august 2008 (endret) Hva i setningen "Og loggen du lager, poster du i en EGEN tråd, ved å trykke "nytt emne"." var det du ikke forstod? Er litt viktig å holde oss til ett problem per tråd, hvis ikke blir det fort rot Se om du får kjørt HijackThis også, og post loggen til HijackThis OG Combofix i en EGEN tråd, så skal vi se på det edit: se der ja, der kom HijackThis-loggen også hvis du nå får kopiert disse loggene over i en egen tråd, så fortsetter vi der Endret 14. august 2008 av r2d290 Lenke til kommentar
Anbefalte innlegg
Opprett en konto eller logg inn for å kommentere
Du må være et medlem for å kunne skrive en kommentar
Opprett konto
Det er enkelt å melde seg inn for å starte en ny konto!
Start en kontoLogg inn
Har du allerede en konto? Logg inn her.
Logg inn nå