killwixawin4everrrr Posted 16 August 2008 (edited)
I (or rather my dad) have managed to get a wixawin infection on the PC... I've read the other posts here, but evidently I need to post the HijackThis log for someone with more of a clue than me.. and that's hopefully where someone in here comes into the picture(?) Should I rename HijackThis to something else, and if so, should I do it in the c:programfiler/trendmicro/hijackthis folder, or only rename the quick-launch icon on the desktop? Maybe a dumb question, but I tried renaming it in c:programfiler/.../hijackthis and got a message that some programs could be affected by it, so I dropped it.. Thanks for all the help I can get.. I'll send the log file once I've found out about the renaming etc...
Edited 17 August 2008 by killwixawin4everrrr
r2d290 Posted 16 August 2008
If any programs are affected, it's only the program itself. There are plenty of people who can help you, so just go ahead and post. Rename the original file; that should do it. But you should have a bit more than just HijackThis. Follow norbat's guide (sticky): https://www.diskusjon.no/index.php?showtopic=691246
killwixawin4everrrr (Author) Posted 16 August 2008
Hi r2d290, up this late helping people like me? Good that there are people like you.. OK.. I renamed it to test.exe.. didn't read the guide carefully enough.. it actually said pretty clearly what to do there. Anyway, the exe file is renamed. I'm now in the middle of a scan in SAS and expect to have a log ready shortly. Have a good night, wherever you are. PS: if you ever need help with any drawings, let me know.. I'll gladly help you. Peace
r2d290 Posted 17 August 2008
Quote: "Have a good night, wherever you are"
Well, I'm certainly not staying here helping you then. Time for bed. But if none of the others are up tonight, I'll help you tomorrow (or today) morning.
Quote: "PS: if you ever need help with any drawings, let me know.. I'll gladly help you. Peace"
Will remember you
killwixawin4everrrr (Author) Posted 17 August 2008
Hehe.. no, don't let my "puny" problems keep you awake.. by all means.. I appreciate all the help I've already had, and any future help.. I should manage to get through the laundry list of scans and the logs that follow, which I'll post here without further help, but I'll probably need a bit of help with what to do once the logs are posted. Whether it's you or one of the others in here who takes care of that part is up to Lady Luck. Take care, good night and don't let the bed bugs bite
killwixawin4everrrr (Author) Posted 17 August 2008
Voilà.. finally through the scanning, and here come the various logs:

SAS:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 08/17/2008 at 01:53 AM
Application Version : 4.15.1000
Core Rules Database Version : 3538
Trace Rules Database Version: 1527
Scan type : Quick Scan
Total Scan Time : 00:14:02
Memory items scanned : 638
Memory threats detected : 0
Registry items scanned : 471
Registry threats detected : 0
File items scanned : 8256
File threats detected : 1
Rogue.XP AntiVirus
C:\Programfiler\XP Antivirus

COMBOFIX:
ComboFix 08-08-15.04 - Eier 2008-08-17 2:21:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.714 [GMT 2:00]
Running from: C:\Documents and Settings\Eier\Skrivebord\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\__c00E920F.dat
C:\WINDOWS\system32\__c00FE100.dat
C:\WINDOWS\system32\~.exe
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-07-17 to 2008-08-17 )))))))))))))))))))))))))))))))
.
2008-08-17 01:38 . 2008-08-17 01:38 <DIR> dr-h----- C:\Documents and Settings\Eier\Siste
2008-08-17 01:26 . 2008-08-17 01:26 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware
2008-08-17 01:26 . 2008-08-17 01:26 <DIR> d-------- C:\Documents and Settings\Eier\Programdata\SUPERAntiSpyware.com
2008-08-17 01:26 . 2008-08-17 01:26 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-08-17 01:25 . 2008-08-17 01:25 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-08-17 01:24 . 2008-08-17 01:24 <DIR> d-------- C:\Programfiler\CCleaner
2008-08-16 23:51 . 2008-08-16 23:51 <DIR> d-------- C:\Programfiler\Trend Micro
2008-08-14 18:06 .
2008-05-01 16:34 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll 2008-08-10 23:10 . 2008-08-10 23:10 <DIR> d-------- C:\WINDOWS\Sun 2008-08-10 23:10 . 2008-08-10 23:10 <DIR> d-------- C:\Programfiler\Sun 2008-08-10 23:10 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-08-10 23:09 . 2008-08-10 23:10 <DIR> d-------- C:\Programfiler\Java 2008-08-10 23:08 . 2008-08-10 23:08 <DIR> d-------- C:\Programfiler\Fellesfiler\Java 2008-08-05 22:05 . 2008-08-05 22:05 <DIR> d-------- C:\Documents and Settings\Eier\Programdata\Creative 2008-08-05 20:17 . 2008-08-05 20:17 <DIR> d-------- C:\Programfiler\Combined Community Codec Pack . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-17 00:31 --------- d-----w C:\Documents and Settings\Eier\Programdata\skypePM 2008-08-17 00:31 --------- d-----w C:\Documents and Settings\Eier\Programdata\Skype 2008-07-13 10:04 --------- d-----w C:\Documents and Settings\All Users\Programdata\FLEXnet 2008-07-07 20:33 253,952 ----a-w C:\WINDOWS\system32\es.dll 2008-06-24 16:24 74,240 ----a-w C:\WINDOWS\system32\mscms.dll 2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2008-06-20 17:43 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll 2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys 2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys 2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys 2008-03-05 14:32 32 ----a-w C:\Documents and Settings\All Users\Programdata\ezsid.dat 2008-03-10 17:10 10,240 --sha-w C:\WINDOWS\rnapxs\rnapxs.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Programfiler\Messenger\msmsgs.exe" [2004-10-13 18:24 1694208] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:03 15360] "swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-15 16:11 68856] "Skype"="C:\Programfiler\Skype\Phone\Skype.exe" [2008-02-06 18:21 21898024] "SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 00:04 52736] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-10-16 14:05 114688] "KYE_Showicon"="C:\Programfiler\USB Storage RW\shwicon.exe" [2002-10-25 23:33 69632] "KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 06:02 61440] "StorageGuard"="C:\Programfiler\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 15:01 155648] "WCOLOREAL"="C:\Programfiler\Coloreal\coloreal.exe" [2002-11-27 01:14 131072] "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 05:42 212992] "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 13:22 7700480] "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112] "PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 23:57 81920] "HPHUPD08"="C:\Programfiler\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 18:35 49152] "HP Software Update"="C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152] "NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-22 13:22 86016] "Acrobat Assistant 8.0"="C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 00:24 620152] "Adobe_ID0EYTHM"="C:\PROGRA~1\FELLES~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 17:40 1884160] "F-Secure Manager"="C:\Programfiler\F-Secure Internet Security\Common\FSM32.EXE" [2005-10-26 03:51 122929] "F-Secure 
TNB"="C:\Programfiler\F-Secure Internet Security\TNB\TNBUtil.exe" [2005-07-18 16:51 700416] "F-Secure Startup Wizard"="C:\Programfiler\F-Secure Internet Security\FSGUI\FSSW.EXE" [2005-10-18 10:29 372736] "News Service"="C:\Programfiler\F-Secure Internet Security\FSGUI\ispnews.exe" [2005-05-31 14:45 356352] "SSBkgdUpdate"="C:\Programfiler\Fellesfiler\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 13:16 185896] "OpwareSE4"="C:\Programfiler\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 12:45 75304] "WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 08:35 20480] "ScanSoft OmniPage SE 4.0-reminder"="C:\Programfiler\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" [2006-09-26 15:38 1410600] "QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2008-06-07 15:36 413696] "iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048] "SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784] "nwiz"="nwiz.exe" [2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe] "CTHelper"="CTHELPER.EXE" [2003-01-09 08:39 28672 C:\WINDOWS\system32\cthelper.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "PlayCenter2"="C:\Programfiler\Creative\SBAudigy\PlayCenter2\MDEntry.EXE" [2001-07-21 01:00 131072] "SetDefaultMidi"="MIDIDEF.EXE" [2002-12-04 08:55 49152 C:\WINDOWS\mididef.exe] C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\ Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2008-03-03 23:42:58 295606] Adobe Acrobat Synchronizer.lnk - C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 01:01:50 734872] Adobe Reader Speed Launch.lnk - C:\Programfiler\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 02:48:20 40048] Adobe Reader Synchronizer.lnk - C:\Programfiler\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 01:01:50 734872] F-Secure 2006.lnk - 
C:\Programfiler\F-Secure Internet Security\backweb\4476822\Program\fspex.exe [2008-03-10 19:05:13 36903] hp center.lnk - C:\Programfiler\hp center\137903\Program\BackWeb-137903.exe [2003-01-29 01:36:32 16384] HP Digital Imaging Monitor.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624] HP Image Zone Hurtigstart.lnk - C:\Programfiler\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 01:49:24 73728] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.PIM1"= pclepim1.dll "msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm "vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Programfiler\\hp center\\137903\\Program\\BackWeb-137903.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Programfiler\\Fellesfiler\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"= "C:\\Programfiler\\F-Secure Internet Security\\backweb\\4476822\\Program\\fspex.exe"= "C:\\Programfiler\\Bonjour\\mDNSResponder.exe"= "C:\\Programfiler\\iTunes\\iTunes.exe"= "C:\\Programfiler\\Messenger\\msmsgs.exe"= "C:\\Programfiler\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server "3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server "50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server "50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys 
[2005-11-18 17:04] R2 BackWeb Plug-in - 4476822;F-Secure 2006;C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE [2008-03-10 19:05] R2 F-Secure Filter;F-Secure File System Filter;C:\Programfiler\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [2004-09-10 17:14] R2 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Programfiler\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys [2005-02-21 19:49] R2 F-Secure Recognizer;F-Secure File System Recognizer;C:\Programfiler\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [2004-06-01 11:03] . Contents of the 'Scheduled Tasks' folder 2008-08-13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Programfiler\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57] 2008-08-17 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Programfiler\Windows Defender\MpCmdRun.exe [2006-11-03 19:20] 2008-08-17 C:\WINDOWS\Tasks\Scheduled scanning task.job - C:\PROGRA~1\F-SECU~1\ANTI-V~1\fsav.exe [2005-06-15 21:56] . - - - - ORPHANS REMOVED - - - - HKLM-Run-Jet Detection - C:\Programfiler\Creative\SBAudigy\PROGRAM\ADGJDet.exe Notify-__c00E920F - C:\WINDOWS\system32\__c00E920F.dat . ------- Supplementary Scan ------- . FireFox -: Profile - C:\Documents and Settings\Eier\Programdata\Mozilla\Firefox\Profiles\c8zijfqr.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.startsiden.no/ ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-17 02:26:59 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\explorer.exe -> C:\HP\KBD\hkmodule.dll . 
------------------------ Other Running Processes ------------------------ . C:\Programfiler\Windows Defender\MsMpEng.exe C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Programfiler\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\CTSVCCDA.EXE C:\Programfiler\F-Secure Internet Security\Anti-Virus\fsgk32st.exe C:\Programfiler\F-Secure Internet Security\backweb\4476822\Program\fsbwsys.exe C:\Programfiler\F-Secure Internet Security\Anti-Virus\fsgk32.exe C:\Programfiler\F-Secure Internet Security\Anti-Virus\fssm32.exe C:\Programfiler\F-Secure Internet Security\Common\FSMA32.EXE C:\Programfiler\F-Secure Internet Security\Common\FSMB32.EXE C:\WINDOWS\system32\nvsvc32.exe C:\Programfiler\F-Secure Internet Security\Common\FCH32.EXE C:\WINDOWS\system32\MsPMSPSv.exe C:\Programfiler\F-Secure Internet Security\Common\FAMEH32.EXE C:\Programfiler\F-Secure Internet Security\Anti-Virus\fsqh.exe C:\Programfiler\F-Secure Internet Security\Anti-Virus\FSAV32.exe C:\Programfiler\F-Secure Internet Security\Anti-Virus\FSRW.exe C:\Programfiler\F-Secure Internet Security\FSPC\fspc.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe C:\Programfiler\F-Secure Internet Security\FSPC\fshttps\fshttps.exe C:\Programfiler\F-Secure Internet Security\FWES\program\fsdfwd.exe C:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe C:\PROGRA~1\F-SECU~1\ANTI-S~1\FSAW.exe C:\Programfiler\iPod\bin\iPodService.exe C:\Programfiler\F-Secure Internet Security\FSGUI\fsguidll.exe C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe C:\Programfiler\HP\Digital Imaging\bin\hpqimzone.exe C:\Programfiler\HP\Digital Imaging\bin\hpqste08.exe C:\WINDOWS\system32\HPZipm12.exe C:\Programfiler\HP\Digital Imaging\Product Assistant\bin\hprblog.exe C:\WINDOWS\system32\imapi.exe . ************************************************************************** . 
Completion time: 2008-08-17 2:35:55 - machine was rebooted ComboFix-quarantined-files.txt 2008-08-17 00:35:41 Pre-Run: 48,803,594,240 byte ledig Post-Run: 48,803,930,112 byte ledig 199 --- E O F --- 2008-08-15 08:01:45 HIJACKTHIS: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 02:51:32, on 17.08.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Programfiler\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE C:\Programfiler\Bonjour\mDNSResponder.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Programfiler\F-Secure Internet Security\Anti-Virus\fsgk32st.exe C:\Programfiler\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe C:\Programfiler\F-Secure Internet Security\Anti-Virus\FSGK32.EXE C:\Programfiler\F-Secure Internet Security\Anti-Virus\fssm32.exe C:\Programfiler\F-Secure Internet Security\Common\FSMA32.EXE C:\Programfiler\F-Secure Internet Security\Common\FSMB32.EXE C:\WINDOWS\System32\nvsvc32.exe C:\windows\system\hpsysdrv.exe C:\Programfiler\USB Storage RW\shwicon.exe C:\HP\KBD\KBD.EXE C:\Programfiler\F-Secure Internet Security\backweb\4476822\Program\fspex.exe C:\WINDOWS\system32\CTHELPER.EXE C:\Programfiler\F-Secure Internet Security\Common\FCH32.EXE C:\WINDOWS\System32\svchost.exe C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Programfiler\F-Secure Internet Security\Common\FAMEH32.EXE C:\Programfiler\F-Secure Internet Security\Anti-Virus\fsqh.exe C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe C:\Programfiler\F-Secure Internet Security\Anti-Virus\fsav32.exe 
C:\Programfiler\F-Secure Internet Security\Anti-Virus\fsrw.exe C:\Programfiler\F-Secure Internet Security\FSPC\fspc.exe C:\Programfiler\F-Secure Internet Security\Common\FSM32.EXE C:\Programfiler\F-Secure Internet Security\FSGUI\ispnews.exe C:\Programfiler\ScanSoft\OmniPageSE4.0\OpwareSE4.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe C:\Programfiler\iTunes\iTunesHelper.exe C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Programfiler\F-Secure Internet Security\FWES\Program\fsdfwd.exe C:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe C:\Programfiler\iPod\bin\iPodService.exe C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Programfiler\F-Secure Internet Security\FSGUI\fsguidll.exe C:\Programfiler\hp center\137903\Program\BackWeb-137903.exe C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe C:\Programfiler\HP\Digital Imaging\bin\hpqimzone.exe C:\Programfiler\HP\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\System32\HPZipm12.exe C:\Programfiler\HP\Digital Imaging\Product Assistant\bin\hprblog.exe C:\WINDOWS\explorer.exe C:\Programfiler\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\Programfiler\Trend Micro\HijackThis\test.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - 
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programfiler\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [KYE_Showicon] "C:\Programfiler\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW" O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [storageGuard] "C:\Programfiler\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [WCOLOREAL] C:\Programfiler\Coloreal\coloreal.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [HPHUPD08] C:\Programfiler\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe O4 - HKLM\..\Run: [HP 
Software Update] C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\FELLES~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programfiler\F-Secure Internet Security\Common\FSM32.EXE" /splash O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programfiler\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Programfiler\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot O4 - HKLM\..\Run: [News Service] "C:\Programfiler\F-Secure Internet Security\FSGUI\ispnews.exe" O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Programfiler\Fellesfiler\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [OpwareSE4] "C:\Programfiler\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe O4 - HKLM\..\Run: [scanSoft OmniPage SE 4.0-reminder] "C:\Programfiler\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Programdata\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini" O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] 
C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE') O4 - HKUS\S-1-5-18\..\RunOnce: [setDefaultMidi] MIDIDEF.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\RunOnce: [setDefaultMidi] MIDIDEF.EXE (User 'Default user') O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programfiler\Adobe\Reader 8.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programfiler\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe O4 - Global Startup: F-Secure 2006.lnk = C:\Programfiler\F-Secure Internet Security\backweb\4476822\Program\fspex.exe O4 - Global Startup: hp center.lnk = C:\Programfiler\hp center\137903\Program\BackWeb-137903.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Hurtigstart.lnk = C:\Programfiler\HP\Digital Imaging\bin\hpqthb08.exe O8 - Extra context menu item: &Blokker dette popup-vinduet - C:\Programfiler\F-Secure Internet Security\Anti-Spyware\blockpopups.htm O8 - Extra context menu item: Append to existing PDF - res://C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programfiler\Adobe\Acrobat 
8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programfiler\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programfiler\F-Secure Internet Security\FSPC\fspcmsie.dll O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programfiler\F-Secure Internet Security\FSPC\fspcmsie.dll O9 - Extra 'Tools' menuitem: Webfilter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Programfiler\F-Secure Internet Security\FSPC\fspcmsie.dll O9 - Extra button: IE-skjold - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programfiler\F-Secure Internet Security\Anti-Spyware\ieshield.dll O9 - Extra 'Tools' menuitem: IE-skjold... 
- {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Programfiler\F-Secure Internet Security\Anti-Spyware\ieshield.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204566974156 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1204570245921 O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://vpn.formue.no/ts/msrdp.cab O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jd...ows-i586-jc.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FELLES~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Programfiler\Fellesfiler\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe O23 - Service: Apple Mobile Device - Apple, Inc. 
- C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Programfiler\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Programfiler\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programfiler\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Programfiler\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programfiler\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
--
End of file - 15030 bytes

Hope I managed this business of hiding the logs... and hope the computer isn't ready for the scrap heap just yet... Thanks a lot
r2d290 Posted 17 August 2008 (edited)
Well, I'll be... Just as I was about to leave. Oh well, I'll have a look at it then.
edit: SAS removed "XP antivirus", and ComboFix removed a couple of files. Beyond that, the logs look nice and clean. Tell us a bit about how the machine is running now.
Edited 17 August 2008 by r2d290
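The verdict above ("SAS removed the rogue, ComboFix removed a couple of files, the rest looks clean") comes from reading the autostart entries one by one. The script below is an added example of that first triage pass, written for this thread; it is not code from the thread, from HijackThis or from ComboFix. It parses the HijackThis O2/O4/O20/O23 lines and applies a few offline checks that an analyst would apply before looking anything up: machine-generated-looking file names (the `__c…` pattern and the bare `~.exe` that ComboFix deleted), Winlogon Notify packages that are not DLLs, autostarts pointing at `.dat` files, and the rogue folder name SAS reported. The sample log is constructed: most lines are copied from the logs posted here, the `__c00E920F` Notify line is rebuilt from the ComboFix "ORPHANS REMOVED" entry, and the `XP Antivirus` Run line with `placeholder.exe` is a made-up stand-in for the rogue's own entry, which SAS had already removed. The heuristics are mine, not HijackThis's own rules.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Constructed sample in HijackThis log format. Most lines are copied from the logs posted in
# this thread. Two are not: the "__c00E920F" Winlogon Notify line is rebuilt from the ComboFix
# "ORPHANS REMOVED" entry (ComboFix had already deleted it before HijackThis ran), and the
# "XP Antivirus" Run entry is a placeholder standing in for the rogue that SAS removed.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Programfiler\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Run: [XP Antivirus] C:\Programfiler\XP Antivirus\placeholder.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &Blokker dette popup-vinduet - C:\Programfiler\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O20 - Winlogon Notify: __c00E920F - C:\WINDOWS\system32\__c00E920F.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programfiler\Bonjour\mDNSResponder.exe
"""

# Folder name of the rogue SAS flagged in this thread; extend with your own list.
ROGUE_FOLDER_NAMES = ("xp antivirus",)
LINE = re.compile(r"^(?P<kind>O\d+) - (?P<body>.*)$")
# Only sections that load code at logon/boot are parsed; other kinds are skipped.
PATTERNS = {
    "O2": re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<cmd>.*)$"),
    "O4": re.compile(r"^(?:.*?\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\]|Global Startup: (?P<lnk>.*?) =) (?P<cmd>.*)$"),
    "O20": re.compile(r"^Winlogon Notify: (?P<name>.*?) - (?P<cmd>.*)$"),
    "O23": re.compile(r"^Service: (?P<name>.*?) - .*? - (?P<cmd>.*)$"),
}
# Names that look machine-generated: "__c" plus hex digits (as in the ComboFix log above),
# or no letters/digits at all (like the deleted "~.exe").
SUSPICIOUS_STEM = re.compile(r"^(?:__c[0-9a-f]{6,}|[^a-z0-9]+)$", re.IGNORECASE)
FIRST_BINARY = re.compile(r"^(.*?\.(?:exe|dll|cpl|sys|com|scr|acm|dat))(?=[\s,]|$)", re.IGNORECASE)

@dataclass
class Entry:
    kind: str            # HijackThis section, e.g. "O4" or "O20"
    name: str
    command: str
    path: Optional[str]  # file the entry loads; None when HijackThis could not resolve it

def executable_of(cmd: str) -> Optional[str]:
    """Pull the executable or DLL out of a Run-style command line."""
    cmd = cmd.strip()
    if cmd in ("", "?"):
        return None
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else None
    host = re.match(r"^rundll32(?:\.exe)?\s+(.*)$", cmd, re.IGNORECASE)
    if host:  # rundll32 is only the host; the DLL it loads is what matters
        return executable_of(host.group(1).split(",", 1)[0])
    m = FIRST_BINARY.match(cmd)
    return m.group(1) if m else cmd.split()[0]

def parse(log_text: str) -> List[Entry]:
    entries = []
    for raw in log_text.splitlines():
        head = LINE.match(raw.strip())
        if not head or head.group("kind") not in PATTERNS:
            continue
        m = PATTERNS[head.group("kind")].match(head.group("body"))
        if not m:
            continue
        gd = m.groupdict()
        name = gd.get("name") or gd.get("lnk") or ""
        entries.append(Entry(head.group("kind"), name, gd["cmd"], executable_of(gd["cmd"])))
    return entries

def triage_entry(e: Entry) -> List[str]:
    """Cheap offline checks an analyst applies before looking anything up."""
    if e.path is None:
        return ["target could not be resolved; check the shortcut or command by hand"]
    p = PureWindowsPath(e.path)
    ext = p.suffix.lower()
    reasons = []
    if SUSPICIOUS_STEM.match(p.stem):
        reasons.append(f"machine-generated-looking file name '{p.name}'")
    if e.kind == "O20" and ext != ".dll":
        reasons.append(f"Winlogon Notify package is not a DLL ({ext or 'no extension'})")
    if ext == ".dat":
        reasons.append("autostart points at a .dat file, which should hold data, not code")
    if any(r in e.path.lower() for r in ROGUE_FOLDER_NAMES):
        reasons.append("path contains a known rogue product folder name")
    return reasons

def triage(log_text: str) -> List[Tuple[Entry, List[str]]]:
    """Only the entries that tripped at least one check, paired with the reasons."""
    return [(e, r) for e in parse(log_text) if (r := triage_entry(e))]

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"{entry.kind} [{entry.name}] {entry.path}")
        for r in reasons:
            print("    -", r)
```

Run against the sample, three entries are flagged: the placeholder under the rogue folder, the unresolved `.lnk` target (HijackThis prints `= ?` when it cannot follow a shortcut, which only means "check by hand"), and the `__c00E920F.dat` Notify package, which trips three checks at once. Everything else in the sample, including the SUPERAntiSpyware Notify DLL and the rundll32-hosted NVIDIA entry, passes, which matches the "nice and clean" reading above. These checks only find the obvious; the usual next step for anything unfamiliar is to look up the file name and vendor.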
killwixawin4everrrr (Author) Posted 17 August 2008
Hi and good morning. Thanks to the knight of the night for the assistance and guidance. It actually works fine now... haven't seen a single pop-up since yesterday.. now my dad is happy, so we'll see how long it takes him to pick up a whole bunch of viruses again :) Thanks, and have a nice Sunday. Peace
r2d290 Posted 17 August 2008
We're not _quite_ done yet. A couple of programs need to be uninstalled.

ComboFix must be uninstalled. Go to Start > Run. Type the following in the box: combofix /u
PS: note the space between the X and /u. Press Enter.
This command will:
- Remove the following: ComboFix and its associated files and folders. VundoFix backups, if they exist. The folder C:\Deckard, if it exists. The folder C:\OtMoveIt, if it exists.
- Reset the clock settings.
- Hide file extensions if necessary.
- Hide System/Hidden files and folders if necessary.
- Reset system restore points.

You can uninstall HijackThis: start HijackThis, choose None of the above, just start the program. Then click Config>>Misc Tools>>Uninstall HijackThis & exit>>Ja/Yes. The program is now uninstalled.

SAS I recommend you keep, but if you want to get rid of it, do so from Add/Remove Programs.

Make sure to keep F-Secure updated. -Surf safely-
Bruker-158599 Posted 17 August 2008
(quoting r2d290's post above in full)
Actually it would have been smart to keep HJT.
r2d290 Posted 17 August 2008
That's why I say "can", and not "must" (as I say about ComboFix)... But HijackThis is so small that it's no hassle to download a fresh copy when you need it, and then you also know you're getting the latest version. In any case, HijackThis is of no use to you without help from someone who knows how to analyse it. But decide for yourself...
Edvinsen85 Posted 17 August 2008
Many thanks for all the help I could get out of what's written here! Lovely to be rid of those ugly pop-ups.
r2d290 Posted 17 August 2008
Edvinsen85: This thread was meant for killwixawin4ever... and what we've asked him to do, we worked out from the logs they posted. That doesn't mean you have the same problem, and even if you're rid of the pop-ups, there may be leftovers. If you've run ComboFix and HijackThis, those logs need to be analysed. You should therefore create a new thread and post your logs there, so we can see there are no leftovers.