emva, posted 21 August 2008

Cannot install SP3 because services.exe is in use

Hi. SP3 will not install on an XP Home machine. The error message it gives is:

"The file C:\windows\system32\services.exe is open or in use by another application. Close all other applications and then click retry"

I have run SAS and SpyBot S&D several times (normal and safe mode). AVG will not go in either: it is there, but the service does not start.

ComboFix:

ComboFix 08-08-14.03 - navn 2008-08-21 12:44:36.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.250 [GMT 2:00]
Running from: C:\Documents and Settings\navn\Skrivebord\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.
2008-08-21 00:17 . 2008-08-21 00:17 d-------- C:\Documents and Settings\Administrator
2008-08-20 15:10 . 2008-08-21 00:34 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-19 00:42 . 2008-08-21 12:42 dr-h----- C:\Documents and Settings\navn\Siste
2008-08-19 00:32 . 2008-08-19 00:32 d-------- C:\Programfiler\CCleaner
2008-08-18 21:22 . 2008-08-18 21:22 d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-18 21:22 . 2008-08-18 21:22 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-18 21:22 . 2008-08-18 21:22 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-18 21:21 . 2008-08-18 21:21 d-------- C:\Programfiler\AVG
2008-08-18 21:21 . 2008-08-18 22:12 d-------- C:\Documents and Settings\All Users\Programdata\avg8
2008-08-18 18:22 . 2008-08-18 20:55 363 --a------ C:\WINDOWS\wininit.ini
2008-08-18 17:44 . 2008-08-18 18:29 d-------- C:\Programfiler\SUPERAntiSpyware
2008-08-18 17:44 . 2008-08-18 17:44 d-------- C:\Documents and Settings\navn\Programdata\SUPERAntiSpyware.com
2008-08-18 17:44 . 2008-08-18 17:44 d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com
2008-08-18 17:43 . 2008-08-18 17:43 d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-08-18 17:37 . 2008-08-18 17:37 d-------- C:\Programfiler\Spybot - Search & Destroy
2008-08-18 17:37 . 2008-08-19 16:44 d-------- C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 10:41 --------- d-----w C:\Documents and Settings\navn\Programdata\OpenOffice.org2
2008-06-14 18:00 272,256 ------w C:\WINDOWS\system32\dllcache\bthport.sys
.
------- Sigcheck -------
md5deep: C:\WINDOWS\system32\svchost.exe: error at offset 0: Permission denied
2004-08-04 14:00 502272 1640872f408745717b054512a7e44b87 C:\WINDOWS\system32\winlogon.exe
md5deep: C:\WINDOWS\explorer.exe: error at offset 0: Permission denied
md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied
md5deep: C:\WINDOWS\system32\lsass.exe: error at offset 0: Permission denied
2005-06-11 02:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
md5deep: C:\WINDOWS\system32\spoolsv.exe: error at offset 0: Permission denied
.
((((((((((((((((((((((((((((( snapshot@2008-08-19_15.27.26.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-19 00:59:10 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-08-20 22:39:50 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-08-19 00:59:10 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\index.dat
+ 2008-08-20 22:39:50 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Logg\History.IE5\index.dat
- 2008-08-19 00:59:10 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-20 22:39:50 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"MsnMsgr"="C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe" [2006-03-01 19:43 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"LogitechCommunicationsManager"="C:\Programfiler\Fellesfiler\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 16:02 563984]
"LogitechQuickCamRibbon"="C:\Programfiler\Logitech\QuickCam\Quickcam.exe" [2007-07-25 16:06 2027792]
"SoundMan"="SOUNDMAN.EXE" [2006-06-21 06:42 577536 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="C:\Programfiler\Fellesfiler\logishrd\WUApp32.exe" [2007-07-19 02:45 439568]

C:\Documents and Settings\navn\Start-meny\Programmer\Oppstart\
OpenOffice.org 2.1.lnk - C:\Programfiler\OpenOffice.org 2.1\program\quickstart.exe [2006-12-02 00:32:46 393216]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Hurtigstart for Adobe Reader.lnk - C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2000-03-05 16:57:42 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"NqNLSHNsWkfx"= {3CDB81B2-9671-2B18-635F-C8046803C3AB} - C:\WINDOWS\system32\fhfx.dll [2007-04-16 17:54 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\Messenger\\Msmsgs.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\Windows Live\\Messenger\\livecall.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-18 21:22]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-18 21:21]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-18 21:22]
R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2005-04-01 10:42]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys []
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys []
.
.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
O9 -: {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\navn\Start-meny\Programmer\IMVU\Run IMVU.lnk
O16 -: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://159.171.96.58/activex/AMC.cab
C:\WINDOWS\Downloaded Program Files\setup.inf

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 12:47:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-21 12:48:30
ComboFix-quarantined-files.txt 2008-08-21 10:48:27

Pre-Run: 13,679,603,712 byte ledig
Post-Run: 13,669,924,864 byte ledig

110 --- E O F --- 2008-08-18 15:26:57

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:28, on 21.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programfiler\fellesfiler\logishrd\lvmvfm\LVPrcSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
C:\Programfiler\Fellesfiler\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programfiler\Fellesfiler\LogiShrd\LComMgr\Communications_Helper.exe
C:\Programfiler\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe
C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\OpenOffice.org 2.1\program\soffice.exe
C:\Programfiler\OpenOffice.org 2.1\program\soffice.BIN
C:\Programfiler\Fellesfiler\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\navn\Skrivebord\HiJackThis.exe
C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programfiler\Fellesfiler\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programfiler\Fellesfiler\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programfiler\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programfiler\Fellesfiler\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Programfiler\Fellesfiler\logishrd\WUApp32.exe -v 0x046d -p 0x092e -f video -m logitech -d 11.1.0.2016 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Programfiler\Fellesfiler\logishrd\WUApp32.exe -v 0x046d -p 0x092e -f video -m logitech -d 11.1.0.2016 (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Programfiler\OpenOffice.org 2.1\program\quickstart.exe
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\navn\Start-meny\Programmer\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: @c:\Programfiler\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Programfiler\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://159.171.96.58/activex/AMC.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: NqNLSHNsWkfx - {3CDB81B2-9671-2B18-635F-C8046803C3AB} - C:\WINDOWS\system32\fhfx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod-tjeneste (iPod Service) - Unknown owner - C:\Programfiler\iPod\bin\iPodService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programfiler\Fellesfiler\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Programfiler\Fellesfiler\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programfiler\fellesfiler\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programfiler\Fellesfiler\LogiShrd\SrvLnch\SrvLnch.exe

--
End of file - 7256 bytes

And two SAS logs to show what was on the machine. The first:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/18/2008 at 07:40 PM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Complete Scan
Total Scan Time : 00:58:44

Memory items scanned : 171
Memory threats detected : 1
Registry items scanned : 4512
Registry threats detected : 13
File items scanned : 22253
File threats detected : 146

Trojan.Vundo-Variant/Small-GEN
C:\WINDOWS\SYSTEM32\MLJCSLIA.DLL
C:\WINDOWS\SYSTEM32\MLJCSLIA.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{455ECFBC-91CB-4689-A6AF-4C78031FAA72}
HKCR\CLSID\{455ECFBC-91CB-4689-A6AF-4C78031FAA72}
HKCR\CLSID\{455ECFBC-91CB-4689-A6AF-4C78031FAA72}\InprocServer32
HKCR\CLSID\{455ECFBC-91CB-4689-A6AF-4C78031FAA72}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{455ECFBC-91CB-4689-A6AF-4C78031FAA72}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\mlJCSlIA

Rootkit.SysRest-A
HKLM\System\ControlSet001\Services\sysrest.sys
C:\WINDOWS\SYSTEM32\SYSREST.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_sysrest.sys
HKLM\System\ControlSet003\Services\sysrest.sys
HKLM\System\ControlSet003\Enum\Root\LEGACY_sysrest.sys
HKLM\System\CurrentControlSet\Services\sysrest.sys
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_sysrest.sys

Adware.Tracking Cookie
(list of tracking-cookie files under C:\Documents and Settings\navn\Cookies\ omitted)

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\RemoveRP

Rogue.SpyShredder-Installer
C:\A

Trojan.Dropper/SVCHost-Fake
C:\WINDOWS\SVCHOST.EXE

Trojan.XpUpdate/Fake Alert
C:\WINDOWS\XPUPDATE.EXE

The latest:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/21/2008 at 11:03 AM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Quick Scan
Total Scan Time : 00:51:00

Memory items scanned : 404
Memory threats detected : 0
Registry items scanned : 348
Registry threats detected : 0
File items scanned : 48653
File threats detected : 0
k-orm, posted 21 August 2008

Start Windows in Safe Mode: press F8 after the BIOS screen.
emva (thread author), posted 21 August 2008 (edited)

OK, it's on its way... (log in as admin or as a user?)

Edited 21 August 2008 by emva
k-orm, posted 21 August 2008

If I'm not completely mistaken, you are always logged in as administrator in Safe Mode.
snippsat, posted 21 August 2008 (edited)

Start HijackThis, "Scan", find these lines, tick them, then click "Fix checked".

O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\navn\Start-meny\Programmer\IMVU\Run IMVU.lnk (file missing)
O21 - SSODL: NqNLSHNsWkfx - {3CDB81B2-9671-2B18-635F-C8046803C3AB} - C:\WINDOWS\system32\fhfx.dll

---

Start -> Run -> cmd
Type in the following (the service name contains a space, so it is quoted):

sc stop "iPod Service"
sc delete "iPod Service"

---

Run CCleaner like this. Download and run CCleaner. 'Options' -> 'Advanced'. Uncheck: "Only delete files in Windows Temp folders older than 48 hours". Run the Registry cleaner; answer yes to "repair", then yes to backup when asked. Run the registry cleaner a couple more times until all errors are gone.

---

md5deep: is this something you have installed and are running? http://md5deep.sourceforge.net/

From the log:

md5deep: C:\WINDOWS\system32\services.exe: error at offset 0: Permission denied

This could possibly cause some trouble that gives you this message:

"The file C:\windows\system32\services.exe is open or in use by another application."

Edited 21 August 2008 by SNIPPSAT
emva (thread author), posted 21 August 2008

I have removed the 3 with HijackThis. sc stop iPod Service refused to accept it, but the service is still in the Services list; I discovered that the file it pointed to did not exist. There is no trace of md5deep on the computer, as far as I can see.
k-ryeng, posted 21 August 2008

This thread was posted in the wrong forum and has been moved to the correct category.
norbat, posted 21 August 2008

Get DrWeb. Run drweb-cureit.exe (say yes to running an express scan). When that is finished, click Option -> Change settings. Under the Scan tab, uncheck Heuristic analysis. Under the Actions tab, every item under Malware should be set to Rename. Select the partition you want to scan and then click the green arrow to start the scan. Choose "Yes to all" when it finds something for the first time. When the scan is finished, choose File and click 'Save Report list'. Save it to the desktop. There will then be a file called "drweb.csv" on the desktop. Post that.
emva, posted 22 August 2008 (author, edited)
Yes, some important files were infected too...
explorer.exe;c:\windows;Trojan.Starter.384;Renset.;
psexesvc.exe;c:\windows;Program.PsExec.170;Urensbar.Slettet.;
fhfx.dll;c:\windows\system32;Trojan.Proxy.3350;Slettet.;
lsass.exe;c:\windows\system32;Trojan.Starter.384;Renset.;
services.exe;c:\windows\system32;Trojan.Starter.384;Renset.;
spoolsv.exe;c:\windows\system32;Trojan.Starter.384;Renset.;
svchost.exe;c:\windows\system32;Trojan.Starter.384;Renset.;
winlogon.exe;c:\windows\system32;Trojan.Starter.384;Renset.;
psexec.cfexe;C:\ComboFix;Program.PsExec.171;Renamed.;
vacation simple plane.mp3;C:\Documents and Settings\navn\Mine dokumenter;Trojan.Click.18899;Incurable.Moved.;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\navn\Skrivebord\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\navn\Skrivebord;Archive contains infected objects;Moved.;
BookMark Us.reg;C:\Documents and Settings\navn\Skrivebord\Musikk\Andreas musikk\MP3\My Music;Trojan.StartPage.1505;Deleted.;
data045\data006;C:\programmer\BearShareV6.exe\data045;Adware.Softomate;;
data045;C:\programmer\BearShareV6.exe;Archive contains infected objects;;
BearShareV6.exe;C:\programmer;Archive contains infected objects;Moved.;
data045\data006;C:\programmer\BearShareV6int.exe\data045;Adware.Softomate;;
data045;C:\programmer\BearShareV6int.exe;Archive contains infected objects;;
BearShareV6int.exe;C:\programmer;Archive contains infected objects;Moved.;
BSINSTALL.exe\data021;C:\programmer\BSINSTALL.exe;Adware.SearchAid.40;;
data027\clientax.dll;C:\programmer\BSINSTALL.exe\data027;Adware.Zango;;
data027;C:\programmer\BSINSTALL.exe;Archive contains infected objects;;
data030\data005;C:\programmer\BSINSTALL.exe\data030;Adware.Msearch;;
data030;C:\programmer\BSINSTALL.exe;Archive contains infected objects;;
BSINSTALL.exe;C:\programmer;Archive contains infected objects;Moved.;
cyfhqtml.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Starter.561;Deleted.;
lphc1s1j0endv.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Packed.566;Deleted.;
qavvgjsw.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Starter.561;Deleted.;
sysrest32.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Packed.557;Deleted.;
vaordunh.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Starter.561;Deleted.;
A0000005.exe;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP2;Trojan.Packed.557;Deleted.;
A0002044.exe;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP2;Trojan.Packed.566;Deleted.;
A0002049.exe;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP2;Trojan.Starter.561;Deleted.;
A0002071.exe;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP2;Trojan.Starter.561;Deleted.;
A0002074.exe;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP2;Trojan.Starter.561;Deleted.;
A0006205.exe;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP6;Trojan.Starter.384;Cured.;
A0006206.dll;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP6;Trojan.Proxy.3350;Deleted.;
A0006207.exe;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP6;Trojan.Starter.384;Cured.;
A0006208.exe;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP6;Trojan.Starter.384;Cured.;
A0006209.exe;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP6;Trojan.Starter.384;Cured.;
A0006210.exe;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP6;Trojan.Starter.384;Cured.;
A0006211.exe;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP6;Trojan.Starter.384;Cured.;
A0006212.EXE;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP6;Program.PsExec.170;Renamed.;
A0006213.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP7\A0006213.exe;Program.PsExec.171;;
A0006213.exe;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP7;Archive contains infected objects;Moved.;
A0006214.reg;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP7;Trojan.StartPage.1505;Deleted.;
data045\data006;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP7\A0006215.exe\data045;Adware.Softomate;;
data045;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP7\A0006215.exe;Archive contains infected objects;;
A0006215.exe;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP7;Archive contains infected objects;Moved.;
data045\data006;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP7\A0006216.exe\data045;Adware.Softomate;;
data045;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP7\A0006216.exe;Archive contains infected objects;;
A0006216.exe;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP7;Archive contains infected objects;Moved.;
A0006217.exe\data021;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP7\A0006217.exe;Adware.SearchAid.40;;
data027\clientax.dll;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP7\A0006217.exe\data027;Adware.Zango;;
data027;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP7\A0006217.exe;Archive contains infected objects;;
data030\data005;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP7\A0006217.exe\data030;Adware.Msearch;;
data030;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP7\A0006217.exe;Archive contains infected objects;;
A0006217.exe;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP7;Archive contains infected objects;Moved.;
psexec.#fexe;C:\ComboFix;Program.PsExec.171;;
A0006206.dll;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP6;Trojan.Proxy.3350;Slettet.;
A0006212.#XE;C:\System Volume Information\_restore{4F3B614A-E164-4A3C-9497-97A7602927CA}\RP6;Program.PsExec.170;;
Edited 22 August 2008 by emva
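A defender-side triage of the scan log format in the post above, added here as an example and not code from the thread or from any scanner vendor: it parses the semicolon-delimited records (name;path;threat;action;), maps the Norwegian action labels onto the English ones the same log also uses, and flags core Windows binaries reported infected in the live Windows directory, which is the finding that decides whether the OS itself can still be trusted. The sample records are constructed from the post, and the restore-point GUID is a placeholder.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# Core Windows XP binaries: an infection reported for one of these under C:\WINDOWS
# means the OS itself was compromised, even when the scanner reports it as cured.
CORE_SYSTEM_BINARIES = {"explorer.exe", "lsass.exe", "services.exe", "spoolsv.exe",
                        "svchost.exe", "winlogon.exe", "csrss.exe", "smss.exe"}
# Norwegian action labels used in the log, mapped to the English ones it also uses.
ACTION_MAP = {"renset": "Cured", "slettet": "Deleted", "urensbar": "Incurable"}
# Constructed sample in the post's format; the restore-point GUID is a placeholder.
SAMPLE_LOG = r"""
explorer.exe;c:\windows;Trojan.Starter.384;Renset.;
fhfx.dll;c:\windows\system32;Trojan.Proxy.3350;Slettet.;
lsass.exe;c:\windows\system32;Trojan.Starter.384;Renset.;
services.exe;c:\windows\system32;Trojan.Starter.384;Renset.;
psexesvc.exe;c:\windows;Program.PsExec.170;Urensbar.Slettet.;
data045;C:\programmer\BearShareV6.exe;Archive contains infected objects;;
A0006205.exe;C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP6;Trojan.Starter.384;Cured.;
"""

@dataclass(frozen=True)
class Finding:
    name: str
    path: str
    threat: str
    action: str  # normalised: "Cured", "Incurable.Deleted", ... or "" when none taken

def normalise_action(raw: str) -> str:
    # "Urensbar.Slettet." -> "Incurable.Deleted"; the empty action stays "".
    return ".".join(ACTION_MAP.get(p.lower(), p) for p in raw.split(".") if p)

def parse_log(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        parts = line.strip().split(";")
        if len(parts) < 4:
            continue  # blank line or not a finding record
        findings.append(Finding(parts[0], parts[1], parts[2], normalise_action(parts[3])))
    return findings

def core_binaries_hit(findings: list[Finding]) -> list[str]:
    # Only hits in the live Windows directory count, not quarantine or restore-point copies.
    return sorted({f.name.lower() for f in findings
                   if f.name.lower() in CORE_SYSTEM_BINARIES
                   and f.path.lower().startswith("c:\\windows")})

def action_summary(findings: list[Finding]) -> Counter:
    # What the scanner did per record; "NoAction" marks nested archive members it only listed.
    return Counter(f.action or "NoAction" for f in findings)
```

Run on the sample, core_binaries_hit() returns explorer.exe, lsass.exe and services.exe, the same files the SP3 installer could not replace.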
norbat, posted 22 August 2008
Step 1: Download Malwarebytes Anti-Malware to the desktop. Run and install the program. Choose Norwegian as the language. Let the program update itself, choose to run a 'quick system scan', and click Scan. A message box will tell you the scan is finished; click OK. Click the 'Show results' button. If malware was found, you will now see what was found. Then click the 'Remove selected' button to remove any malware that was found. A log will then open in Notepad. Copy it and post it later.
Step 2: Download ComboFix and put it on the desktop (download a new version to replace the one you already have). Run combofix.exe and follow the instructions. Do not click on the window while the program is running. Post the log file from ComboFix (c:\combofix.txt) plus the log from MBAM.