[Coolyxxx]

Hej,
Nå, min mor hentede noget og firewall kom med nogle indlæg. Eller anden måde det fik installeret, før hun har fortalt mig. Så scanninger der kører nu, kan det tage nogen tid, fordi det er en langsom computer. Jeg ved ikke, hvad det hedder Men det hele er mærkelige symboler, og ulæselige. Har du et HijackThis log selv, i det mindste én ting tager ikke lang tid ...

Logfile af Trend Micro HijackThis v2.0.2
Scan gemt på 8:53:31 PM, den 31/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Kørende processer:
C: \ WINDOWS \ System32 \ smss.exe
C: \ WINDOWS \ SYSTEM32 \ Winlogon.exe
C: \ WINDOWS \ system32 \ Services.exe
C: \ WINDOWS \ system32 \ Lsass.exe
C: \ WINDOWS \ system32 \ Ati2evxx.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ WINDOWS \ System32 \ Svchost.exe
C: \ Programmer \ Avast4 \ aswUpdSv.exe
C: \ Programmer \ Avast4 \ ashServ.exe
C: \ WINDOWS \ system32 \ Spoolsv.exe
C: \ Programmer \ Common Files \ Epson \ EBAPI \ SAgent2.exe
C: \ WINDOWS \ SYSTEM32 \ Ati2evxx.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ WINDOWS \ system32 \ Ctfmon.exe
C: \ WINDOWS \ Explorer.EXE
C: \ WINDOWS \ system32 \ SearchIndexer.exe
C: \ Programmer \ Java \ jre1.6.0_07 \ bin \ jusched.exe
C: \ Programmer \ ATI Technologies \ ATI.ACE \ cli.exe
C: \ PROGRA ~ 1 \ Avast4 \ ashDisp.exe
C: \ Programmer \ ATI Technologies \ ATI.ACE \ cli.exe
C: \ Programmer \ ATI Technologies \ ATI.ACE \ cli.exe
C: \ Programmer \ Avast4 \ ashMaiSv.exe
C: \ Programmer \ Avast4 \ ashWebSv.exe
C: \ Programmer \ DAP \ DAP.EXE
C: \ Programmer \ SUPERAntiSpyware \ SUPERAntiSpyware.exe
C: \ Programmer \ Malwarebytes' Anti-Malware \ mbam.exe
C: \ Programmer \ Spybot - Search & Destroy \ SpybotSD.exe
C: \ Programmer \ Mozilla Firefox \ firefox.exe
C: \ Programmer \ Avast4 \ ashSimpl.exe
C: \ Documents and Settings \ Vip \ Desktop \ HiJackThis.exe
C: \ Programmer \ Avast4 \ setup \ avast.setup

R0 - HKCU \ Software \ Microsoft \ Internet Explorer \ Main, Start Page = http://www.yahoo.com.hk/
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM \ Software \ Microsoft \ Internet Explorer \ Search, SearchAssistant =
R1 - HKCU \ Software \ Microsoft \ Internet Explorer \ Main, Window title = Windows Internet Explorer leveret af Administrator Kevin
R1 - HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Int ernet Settings, ProxyOverride = lokale
R3 - URLSearchHook: (no name) - (0A94B116-4504-4e26-AB05-E61E474AA38B) - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) - C: \ Programmer \ Common Files \ Adobe \ Acrobat \ ActiveX \ AcroIEHelper.dll
O2 - BHO: RealPlayer Download og Record Plugin for Internet Explorer - (3049C3E9-B461-4BC5-8870-4C09146192CA) - C: \ Programmer \ Real \ RealPlayer \ rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S & D IE Protection - (53707962-6F74-2D53-2644-206D7942484F) - C: \ PROGRA ~ 1 \ Spybot ~ 1 \ SDHelper.dll
O2 - BHO: SSVHelper Class - (761497BB-D6F0-462C-B6EB-D4DAF1D92D43) - C: \ Programmer \ Java \ jre1.6.0_07 \ bin \ ssv.dll
O2 - BHO: (no name) - (7E853D72-626A-48EC-A868-BA8D5E23E045) - (no file)
O2 - BHO: Windows Live Sign-in Helper - (9030D464-4C02-4ABF-8ECC-5164760863C6) - C: \ Programmer \ Common Files \ Microsoft Shared \ Windows Live \ WindowsLiveLogin.dll
O4 - HKLM \ .. \ Run: [NeroFilterCheck] C: \ WINDOWS \ system32 \ NeroCheck.exe
O4 - HKLM \ .. \ Run: [SunJavaUpdateSched] "C: \ Programmer \ Java \ jre1.6.0_07 \ bin \ jusched.exe"
O4 - HKLM \ .. \ Run: [ATICCC] "C: \ Programmer \ ATI Technologies \ ATI.ACE \ cli.exe" runtime-Delay
O4 - HKLM \ .. \ Run: [avast!] C: \ PROGRA ~ 1 \ Avast4 \ ashDisp.exe
O4 - HKLM \ .. \ RunOnce: [Malwarebytes' Anti-Malware] C: \ Programmer \ Malwarebytes' Anti-Malware \ mbamgui.exe / install / lydløs
O4 - HKCU \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe
O4 - HKUS \ S-1-5-19 \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS \ S-1-5-20 \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS \ S-1-5-18 \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe (User 'SYSTEM')
O4 - HKUS \. DEFAULT \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe (User 'Default user')
O4 - Startup: AAéò ¶ ¯ ÉËÙÍÁ ¶ ¹. Lnk =?
O8 - Extra sammenhæng menupunktet: & Clean Traces - C: \ Programmer \ DAP \ Privacy Package \ dapcleanerie.htm
O8 - Extra sammenhæng menupunktet: & Download med & DAP - C: \ Programmer \ DAP \ dapextie.htm
O8 - Extra sammenhæng menupunkt: Download & alle med DAP - C: \ Programmer \ DAP \ dapextie2.htm
O8 - Extra sammenhæng menupunktet: E & ksporter til Microsoft Excel - res: / / C: \ PROGRA ~ 1 \ mikroer ~ 2 \ Office11 \ EXCEL.EXE/3000
O9 - Extra knappen: (no name) - (08B0E5C0-4FCB-11CF-AAA5-00401C608501) - C: \ Programmer \ Java \ jre1.6.0_07 \ bin \ ssv.dll
O9 - Extra 'Tools' MENUITEM: Sun Java Console - (08B0E5C0-4FCB-11CF-AAA5-00401C608501) - C: \ Programmer \ Java \ jre1.6.0_07 \ bin \ ssv.dll
O9 - Ekstra knap: Research - (92780B25-18CC-41C8-B9BE-3C9C571A8263) - C: \ PROGRA ~ 1 \ mikroer ~ 2 \ Office11 \ REFIEBAR.DLL
O9 - Ekstra knap: QQ - (c95fe080-8f5d-11d2-a20b-00aa003c157b) - C: \ WINDOWS \ system32 \ shdocvw.dll
O9 - Extra 'Tools' MENUITEM:?? QQ - (c95fe080-8f5d-11d2-a20b-00aa003c157b) - C: \ WINDOWS \ system32 \ shdocvw.dll
O9 - Extra knappen: (no name) - (DFB852A3-47F8-48C4-A200-58CAB36FD2A2) - C: \ PROGRA ~ 1 \ Spybot ~ 1 \ SDHelper.dll
O9 - Extra 'Tools' MENUITEM: Spybot - Search & Destroy Configuration - (DFB852A3-47F8-48C4-A200-58CAB36FD2A2) - C: \ PROGRA ~ 1 \ Spybot ~ 1 \ SDHelper.dll
O9 - Extra knappen: (no name) - (e2e2dd38-d088-4134-82b7-f2ba38496583) - C: \ WINDOWS \ Network Diagnostic \ xpnetdiag.exe
O9 - Extra 'Tools' MENUITEM: @ xpsp3res.dll, -20001 - (e2e2dd38-d088-4134-82b7-f2ba38496583) - C: \ WINDOWS \ Network Diagnostic \ xpnetdiag.exe
O9 - Ekstra knap: Messenger - (FB5F1910-F110-11D2-BB9E-00C04F795683) - C: \ Programmer \ Messenger \ msmsgs.exe
O9 - Extra 'Tools' MENUITEM: Windows Messenger - (FB5F1910-F110-11D2-BB9E-00C04F795683) - C: \ Programmer \ Messenger \ msmsgs.exe
O16 - DPF: (17492023-C23A-453E-A040-C7C580BBF700) (Windows Genuine Advantage Validation Tool) -- http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: (4F1E5B1A-2A80-42CA-8532-2D05CB959537) -- http://by107fd.bay107.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: (5D6F45B3-9043-443D-A792-115447494D24) -- http://messenger.zone.msn.com/EN-AU/.../GAME_UNO1.cab
O16 - DPF: (6E32070A-766D-4EE6-879C-DC1FA91D2FC3) (MUWebControl Class) -- http://update.microsoft.com/microsof...?1133040258574
O16 - DPF: (8E0D4DE5-3180-4024-A327-4DFAD1796A8D) -- http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: (C3F79A2B-B9B4-4A66-B012-3EE46475B072) -- http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: (D27CDB6E-AE6D-11CF-96B8-444553540000) (Shockwave Flash Object) -- http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify:! SASWinLogon - C: \ Programmer \ SUPERAntiSpyware \ SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C: \ Programmer \ Lavasoft \ Ad-Aware 2007 \ aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C: \ Programmer \ Avast4 \ aswUpdSv.exe
O23 - Service: Ati Genvejstast Poller - ATI Technologies Inc. - C: \ WINDOWS \ system32 \ Ati2evxx.exe
O23 - Service: ATI Smart - Unknown ejer - C: \ WINDOWS \ system32 \ ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C: \ Programmer \ Avast4 \ ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C: \ Programmer \ Avast4 \ ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C: \ Programmer \ Avast4 \ ashWebSv.exe
O23 - Service: Epson Printer Status Agent2 (EPSONStatusAgent2) - Seiko Epson CORPORATION - C: \ Programmer \ Common Files \ Epson \ EBAPI \ SAgent2.exe

--
End of file - 7692 bytes
_______________________________________________
Any help is appreciated.
BTW. Jeg kan ikke finde et ikon, der ligner 'afinstallere' til mig, så afinstallation vil ikke være en mulighed ...

[Coolyxxx]

Godt. Jeg forlod scanninger til at køre den ene dag, men SuperAntiSpyware holdes på problemer og lukket ... Jeg har MalwareBytes log her:

Malwarebytes' Anti-Malware 1.30
Database version: 1343
Windows 5.1.2600 Service Pack 3

1/11/2008 9:19:03 AM
mbam-log-2008-11-01 (09-19-03). txt

Scan type: Full Scan (C: \ | D: \ | E: \ |)
Objekter skannet: 190626
Tidsforbrug: 3 time (r), 56 minut (ter), 28 sekund (s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registreringsdatabasenøgler Inficerede: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(Nr. ondsindede elementer opdaget)

Memory Modules Infected:
(Nr. ondsindede elementer opdaget)

Registreringsdatabasenøgler Inficerede:
(Nr. ondsindede elementer opdaget)

Registry Values Infected:
(Nr. ondsindede elementer opdaget)

Registry Data Items Infected:
(Nr. ondsindede elementer opdaget)

Folders Infected:
(Nr. ondsindede elementer opdaget)

Files Infected:
C: \ WINDOWS \ system32 \ _005069_.tmp.dll (Trojan.Agent) -> karantæne og slettet.
C: \ WINDOWS \ system32 \ _005101_.tmp.dll (Trojan.Agent) -> karantæne og slettet.

[Glaswegian]

Hej

Fortsæt med scanner du kører, og følg derefter disse instruktioner.

Downloade ComboFix fra et af disse steder:

Link 1
Link 2
Link 3

* VIGTIGT! Gem ComboFix.exe til dit skrivebord

• Deaktiver dit antivirus-og antispyware-programmer, som regel via et højreklik på statusfeltets ikon. De kan ellers gribe ind i vores værktøjer
• Dobbeltklik på ComboFix.exe & følg instruktionerne.
• Som en del af den proces, ComboFix vil tjekke for at se om Microsoft Windows Genoprettelseskonsol er installeret. Med malware infektioner bliver som de er i dag, er det stærkt anbefales at få denne pre-installeret på din maskine før du gør noget malware fjernelse. Det vil gøre det muligt for dig at starte op i en særlig nyttiggørelse / reparation mode, der vil give os mulighed for at lettere hjælpe dig bør din computer har et problem efter et forsøg på fjernelse af malware.
• Følg anvisningerne for at tillade ComboFix at hente og installere Microsoft Windows Genoprettelseskonsol, og når du bliver bedt om, er enige om at det Slutbrugerlicensaftale for at installere Microsoft Windows Genoprettelseskonsol.

** Bemærk venligst: Hvis Microsoft Windows Genoprettelseskonsol allerede er installeret, ComboFix vil fortsætte det malware fjernelse procedurer.

Når Microsoft Windows Genoprettelseskonsol er installeret ved hjælp ComboFix, skal du se følgende besked:




Klik på Ja, Til at fortsætte scanning for malware.

Når du er færdig, ComboFix, skal fremlægge en log for dig. Angiv venligst også C: \ ComboFix.txt i dit næste svar, alog med de andre logfiler.

[Coolyxxx]

Af en eller anden grund, ComboFix lukkede SuperAntiSpyware mens det var scanning, så det er genstartes nu. Og avast! ikke starter om udeblivelsesdomme længere ... Jeg åbner programmet, men det er stadig ikke i systemet bakken ting ... Og programmet, at min mor hentede er indstillet til at køre ved start ... Log her alligevel:

ComboFix 08-10-30.13 - VIP 2008-11-01 9:36:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.732 [GMT 11:00]
Kører fra: C: \ Documents and Settings \ Vip \ Desktop \ ComboFix.exe
* Skabt et nyt gendannelsespunkt
.

((((((((((((((((((((((((((((((((((((((( Andre Bortfald ))))))))) ))))))))))))))))))))))))))))))))))))))))
.

C: \ Programmer \ Warcraft III \ _desktop.ini
C: \ WINDOWS \ system32 \ _005058_.tmp.dll
C: \ WINDOWS \ system32 \ _005059_.tmp.dll
C: \ WINDOWS \ system32 \ _005060_.tmp.dll
C: \ WINDOWS \ system32 \ _005061_.tmp.dll
C: \ WINDOWS \ system32 \ _005068_.tmp.dll
C: \ WINDOWS \ system32 \ _005070_.tmp.dll
C: \ WINDOWS \ system32 \ _005071_.tmp.dll
C: \ WINDOWS \ system32 \ _005072_.tmp.dll
C: \ WINDOWS \ system32 \ _005073_.tmp.dll
C: \ WINDOWS \ system32 \ _005074_.tmp.dll
C: \ WINDOWS \ system32 \ _005075_.tmp.dll
C: \ WINDOWS \ system32 \ _005076_.tmp.dll
C: \ WINDOWS \ system32 \ _005077_.tmp.dll
C: \ WINDOWS \ system32 \ _005078_.tmp.dll
C: \ WINDOWS \ system32 \ _005079_.tmp.dll
C: \ WINDOWS \ system32 \ _005080_.tmp.dll
C: \ WINDOWS \ system32 \ _005081_.tmp.dll
C: \ WINDOWS \ system32 \ _005082_.tmp.dll
C: \ WINDOWS \ system32 \ _005084_.tmp.dll
C: \ WINDOWS \ system32 \ _005087_.tmp.dll
C: \ WINDOWS \ system32 \ _005088_.tmp.dll
C: \ WINDOWS \ system32 \ _005092_.tmp.dll
C: \ WINDOWS \ system32 \ _005093_.tmp.dll
C: \ WINDOWS \ system32 \ _005094_.tmp.dll
C: \ WINDOWS \ system32 \ _005095_.tmp.dll
C: \ WINDOWS \ system32 \ _005096_.tmp.dll
C: \ WINDOWS \ system32 \ _005097_.tmp.dll
C: \ WINDOWS \ system32 \ _005098_.tmp.dll
C: \ WINDOWS \ system32 \ _005099_.tmp.dll
C: \ WINDOWS \ system32 \ _005100_.tmp.dll
C: \ WINDOWS \ system32 \ _005102_.tmp.dll
C: \ WINDOWS \ system32 \ _005103_.tmp.dll
C: \ WINDOWS \ system32 \ _005104_.tmp.dll
C: \ WINDOWS \ system32 \ _005106_.tmp.dll
C: \ WINDOWS \ system32 \ _005107_.tmp.dll
C: \ WINDOWS \ system32 \ _005108_.tmp.dll
C: \ WINDOWS \ system32 \ _005109_.tmp.dll
C: \ WINDOWS \ system32 \ _005110_.tmp.dll
C: \ WINDOWS \ system32 \ _005111_.tmp.dll
C: \ WINDOWS \ system32 \ _005112_.tmp.dll
C: \ WINDOWS \ system32 \ _005115_.tmp.dll
C: \ WINDOWS \ system32 \ _005116_.tmp.dll
C: \ WINDOWS \ system32 \ _005117_.tmp.dll
C: \ WINDOWS \ system32 \ _005118_.tmp.dll
C: \ WINDOWS \ system32 \ _005119_.tmp.dll
C: \ WINDOWS \ system32 \ _005121_.tmp.dll
C: \ WINDOWS \ system32 \ _005122_.tmp.dll
C: \ WINDOWS \ system32 \ _005123_.tmp.dll
C: \ WINDOWS \ system32 \ _005125_.tmp.dll
C: \ WINDOWS \ system32 \ _005128_.tmp.dll
C: \ WINDOWS \ system32 \ _005129_.tmp.dll
C: \ WINDOWS \ system32 \ _005133_.tmp.dll
C: \ WINDOWS \ system32 \ _005134_.tmp.dll
C: \ WINDOWS \ system32 \ _005136_.tmp.dll
C: \ WINDOWS \ system32 \ _005137_.tmp.dll
C: \ WINDOWS \ system32 \ _005139_.tmp.dll
C: \ WINDOWS \ system32 \ _005141_.tmp.dll
C: \ WINDOWS \ system32 \ _005142_.tmp.dll
C: \ WINDOWS \ system32 \ _005143_.tmp.dll
C: \ WINDOWS \ system32 \ _005144_.tmp.dll
C: \ WINDOWS \ system32 \ _005147_.tmp.dll
C: \ WINDOWS \ system32 \ _005148_.tmp.dll
C: \ WINDOWS \ system32 \ _005149_.tmp.dll
C: \ WINDOWS \ system32 \ _005150_.tmp.dll
C: \ WINDOWS \ system32 \ _005151_.tmp.dll
C: \ WINDOWS \ system32 \ _005156_.tmp.dll
C: \ WINDOWS \ system32 \ _005158_.tmp.dll
C: \ WINDOWS \ system32 \ Cache
C: \ WINDOWS \ system32 \ Cfx32.lic
C: \ WINDOWS \ system32 \ cfx32.ocx

.
((((((((((((((((((((((((((((((((((((((( Drivers / Services )))))))) )))))))))))))))))))))))))))))))))))))))))
.

------- \ Legacy_NPF


((((((((((((((((((((((((( Files Created fra 2008-09-28 til 2008-10-31 ))))))))))) ))))))))))))))))))))
.

2008-10-31 20:45. 2008-10-31 20:45 <DIR> d -------- C: \ Documents and Settings \ Vip \ Application Data \ SUPERAntiSpyware.com
2008-10-31 20:45. 2008-10-31 20:45 <DIR> d -------- C: \ Documents and Settings \ Vip \ Application Data \ Malwarebytes
2008-10-31 20:33. 2008-10-31 20:33 <DIR> d -------- C: \ Programmer \ Tudou
2008-10-24 12:04. 2008-10-16 03:34 337.408 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ Netapi32.dll
2008-10-15 20:43. 2008-09-15 23:12 1.846.400 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ Win32k.sys
2008-10-15 20:43. 2008-09-08 21:41 333.824 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ srv.sys
2008-10-15 20:42. 2008-08-14 21:11 2.189.184 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ ntoskrnl.exe
2008-10-15 20:42. 2008-08-14 21:09 2.145.280 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ Ntkrnlmp.exe
2008-10-15 20:42. 2008-08-14 20:33 2.066.048 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ ntkrnlpa.exe
2008-10-15 20:42. 2008-08-14 20:33 2.023.936 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ ntkrpamp.exe
2008-09-18 19:05. 2008-10-31 20:52 <DIR> d -------- C: \ Programmer \ Avast4

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))) ))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-31 22:38 --------- d ----- w C: \ Programmer \ Warcraft III
2008-10-31 22:30 --------- d ----- w C: \ Documents and Settings \ All Users \ Application Data \ Spybot - Search & Destroy
2008-10-31 09:47 --------- d ----- w C: \ Programmer \ Malwarebytes' Anti-Malware
2008-10-31 09:32 --------- d --- aw C: \ Documents and Settings \ All Users \ Application Data \ TEMP
2008-10-22 05:10 38.496 ---- aw C: \ Windows \ System32 \ Drivers \ mbamswissarmy.sys
2008-10-22 05:10 15.504 ---- aw C: \ Windows \ System32 \ Drivers \ mbam.sys
2008-10-09 06:46 --------- d ----- w C: \ Programmer \ PPStream
2008-10-09 03:31 --------- d ----- w C: \ Programmer \ SUPERAntiSpyware
2008-10-09 03:28 --------- d ----- w C: \ Programmer \ Spybot - Search & Destroy
2008-09-18 08:42 --------- d ----- w C: \ Documents and Settings \ Vip \ Application Data \ Ahead
2008-09-08 10:41 333.824 ---- aw C: \ Windows \ System32 \ Drivers \ srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))) ))))))))))))))))))))))))))))))))))))))))
.
.
* Note * empty entries & legit default entries er ikke vist
REGEDIT4

[HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ Curre ntVersion \ Run]
"Ctfmon.exe" = "C: \ WINDOWS \ system32 \ Ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entVersion \ Run]
"NeroFilterCheck" = "C: \ WINDOWS \ system32 \ NeroCheck.e XE" [2001-07-09 155648]
"SunJavaUpdateSched" = "C: \ Programmer \ Java \ jre1.6.0_07 \ bin \ jusched.exe" [2008-06-10 144784]
"ATICCC" = "C: \ Programmer \ ATI Technologies \ ATI.ACE \ cli.exe" [2006-01-02 45056]

[HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ Cur rentVersion \ Run]
"Ctfmon.exe" = "C: \ WINDOWS \ system32 \ Ctfmon.exe" [2008-04-14 15360]

C: \ Documents and Settings \ Vip \ Menuen Start \ Programmer \ Start \
' "Ôîú ÓëÖμôû.lnk - C: \ Programmer \ Tudou \ ú ÓëTudou \ TudouVa.exe [2008-07-06 3248128]

[HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ curre ntversion \ policies \ system]
"DisableChangePassword" = 1 (0x1)

[HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ curre ntversion \ policies \ Explorer]
"NoAutoUpdate" = 1 (0x1)
"MaxRecentDocs" = 1 (0x1)

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entversion \ Explorer \ ShellExecuteHooks]
"(56F9679E-7826-4C84-81F3-532071A8BCC5)" = "C: \ Programmer \ Windows Desktop Search \ MSNLNamespaceMgr.dll" [2006-04-24 282624]
"(5AE067D3-9AFB, 48E0-853A-EBB7F4A000DA)" = "C: \ Programmer \ SUPERAntiSpyware \ SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon]
"UIHost" = "C: \ \ WINDOWS \ \ system32 \ \ logonuiX.exe"

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ anmelde \! SASWinLogon]
2008-10-09 14:31 352256 C: \ Programmer \ SUPERAntiSpyware \ SASWINLO.DLL

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ drivers32]
"VIDC.I420" = i420vfw.dll
"aux" = ctwdm32.dll
"VIDC.HFYU" = huffyuv.dll
"VIDC.X264" = x264vfw.dll
"VIDC.3iv2" = 3ivxVfWCodec.dll
"VIDC.VP31" = vp31vfw.dll
"msacm.l3fhg" = mp3fhg.acm
"msacm.ac3filter" = ac3filter.acm

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ All Users ^ Start Menu ^ Programs ^ Startup ^ Adobe Reader Speed Launch.lnk]
backup = C: \ WINDOWS \ PSS \ Adobe Reader Speed Launch.lnkCommon Startup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ All Users ^ Start Menu ^ Programs ^ Startup ^ Adobe Reader Synchronizer.lnk]
backup = C: \ WINDOWS \ PSS \ Adobe Reader Synchronizer.lnkCommon Startup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ All Users ^ Menuen Start ^ Programmer ^ Start ^ WinZip Quick Pick.lnk]
backup = C: \ WINDOWS \ PSS \ WinZip Quick Pick.lnkCommon Startup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ Azureus Turbo Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ Azureus Turbo Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ Azureus Ultra Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ Azureus Ultra Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ BitTorrent Turbo Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ BitTorrent Turbo Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ eMule Turbo Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ eMule Turbo Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ LimeWire På Startup.lnk]
backup = C: \ WINDOWS \ PSS \ LimeWire On Startup.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ LimeWire Turbo Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ LimeWire Turbo Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ PowerReg Scheduler V3.exe]
backup = C: \ WINDOWS \ PSS \ PowerReg Scheduler V3.exeStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ Registrering Tom Clancy's Rainbow Six]
backup = C: \ WINDOWS \ PSS \ Registration Tom Clancy's Rainbow SixStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ SpeedFan.lnk]
backup = C: \ WINDOWS \ PSS \ SpeedFan.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ Thoosje Sidebar.lnk]

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ WordWeb.lnk]
backup = C: \ WINDOWS \ PSS \ WordWeb.lnkStartup
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \! AVG anti-spyware
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ BitTorrent
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Boss Key
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ CmCardRun
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ CursorXP
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ EasyTuneVPro
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ iTunesHelper
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ LogonStudio
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ OrderReminder
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ RecordPadRun
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ SpeedOptimizer
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ SWG
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Veoh

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Adobe Photo Downloader]
- a ------ 2005-09-09 01:18 57344 C: \ Programmer \ Adobe \ Photoshop Elements 4.0 \ apdproxy.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ BgMonitor_ (79662E04-7C6C-4d9f-84C7-88D8A56B10AA)]
- a ------ 2006-04-21 18:03 94208 C: \ Programmer \ Common Files \ Ahead \ Lib \ NMBgMonitor.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Daemon Tools]
- a ------ 2005-12-11 01:57 133016 C: \ Programmer \ Daemon Tools \ daemon.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ LanguageShortcut]
- a ------ 2006-04-13 12:09 49152 C: \ Programmer \ Cyberlink \ PowerDVD \ Language \ Language.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ QuickTime Task]
- a ------ 2008-03-29 00:37 413696 C: \ Programmer \ K-Lite Codec Pack \ QuickTime \ QTTask.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ RemoteControl]
- a ------ 2005-12-07 23:57 30208 C: \ Programmer \ Cyberlink \ PowerDVD \ PDVDServ.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ SpybotSD TeaTimer]
-rahs ---- 2008-09-16 12:16 1833296 C: \ Programmer \ Spybot - Search & Destroy \ TeaTimer.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Steam]
- a ------ 2008-03-29 09:39 1271032 C: \ Valve \ Steam \ Steam.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Uniblue RegistryBooster 2]
- a ------ 2007-12-05 16:06 1885464 C: \ Programmer \ Uniblue \ RegistryBooster 2 \ RegistryBooster.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Uniblue SpeedUpMyPC]
- a ------ 2008-01-29 09:46 9442584 C: \ Programmer \ Uniblue \ SpeedUpMyPC 3 \ SpeedUpMyPC.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ WinampAgent]
- a ------ 2008-04-02 05:49 36352 C: \ Programmer \ Winamp \ winampa.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ BluetoothAuthenticationA Gent]
- a ------ 2008-04-14 06:42 110592 C: \ WINDOWS \ system32 \ bthprops.cpl

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ C-Media Mixer]
- a ------ 2003-03-20 17:21 1855488 C: \ WINDOWS \ mixer.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ tjenester]
"WMPNetworkSvc" = 3 (0x3)
"gusvc" = 3 (0x3)
"RichVideo" = 2 (0x2)
"BthServ" = 2 (0x2)
"iPod Service" = 3 (0x3)
"Apple Mobile Device" = 2 (0x2)
"LiveUpdate Notice Service" = 2 (0x2)
"VideoAcceleratorEngine" = 3 (0x3)
"MDM" = 2 (0x2)
"IDriverT" = 3 (0x3)
"aawservice" = 3 (0x3)
"PDEngine" = 3 (0x3)
"PDAgent" = 3 (0x3)
"Pml Driver HPZ12" = 3 (0x3)
"CPUCooLServer" = 2 (0x2)
"usnjsvc" = 3 (0x3)
"AdobeActiveFileMonitor4.0" = 2 (0x2)
"WLSetupSvc" = 3 (0x3)
"cmdAgent" = 2 (0x2)
"FLEXnet Licensing Service" = 3 (0x3)
"Bonjour Service" = 2 (0x2)
"OSE" = 3 (0x3)

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Security Center \ Monitoring]
"DisableMonitoring" = dword: 00000001

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Security Center \ Monitoring \ SymantecAntiVirus]
"DisableMonitoring" = dword: 00000001

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Security Center \ Monitoring \ SymantecFirewall]
"DisableMonitoring" = dword: 00000001

[HKLM \ ~ \ Services \ sharedaccess \ Parameters \ firewallpo licy \ standardprofile \ AuthorizedApplications \ List]
"% windir% \ \ system32 \ \ sessmgr.exe" =
"C: \ \ Programmer \ \ DAP \ \ DAP.exe" =
"C: \ \ Programmer \ \ Messenger \ \ msmsgs.exe" =
"<NO Navn" = "C: \ \ Programmer \ \ PPStream \ \ PPStream.exe" "C: \ \ Programmer \ \ PPStream \ \ PPStream.exe
"% windir% \ \ Network Diagnostic \ \ xpnetdiag.exe" =
"C: \ \ Programmer \ \ Windows Live \ \ Messenger \ \ msnmsgr.exe" =
"C: \ \ Programmer \ \ Windows Live \ \ Messenger \ \ livecall.exe" =
"C: \ \ Programmer \ \ UT2004 \ \ System \ \ UT2004.exe" =
"C: \ \ Programmer \ \ DeusEx \ \ System \ \ DeusEx.exe" =
"C: \ \ Programmer \ \ Tudou \ \ ÉËÙTudou \ \ TudouVa.exe" =

[HKLM \ ~ \ Services \ sharedaccess \ Parameters \ firewallpo licy \ standardprofile \ GloballyOpenPorts \ List]
"3389: TCP" = 3389: TCP: *: Disabled: @ Xpsp2res.dll, -22009
"15394: TCP" = 15394: TCP: *: Disabled: BitComet 15394 TCP
"15394: UDP" = 15394: UDP: *: Disabled: BitComet 15394 UDP
"6555: TCP" = 6555: TCP: *: Disabled: BitComet 6555 TCP
"6555: UDP" = 6555: UDP: *: Disabled: BitComet 6555 UDP

R1 aswSP; avast! Self Protection; C: \ Windows \ System32 \ Drivers \ aswSP.sys [2008-07-20 78416]
R1 atitray; atitray; C: \ Programmer \ Ray Adams \ ATI Tray Tools \ atitray.sys [2007-05-22 18088]
R2 aswFsBlk; aswFsBlk; C: \ Windows \ System32 \ Drivers \ aswF sBlk.sys [2008-07-20 20560]
R2 ROCKEYNT; ROCKEYNT; C: \ Windows \ System32 \ Drivers \ Rock eynt.sys [2005-01-04 18223]
R2 SBKUPNT; SBKUPNT; C: \ Windows \ System32 \ Drivers \ SBKUPN T. SYS [2001-07-13 14976]
S3 motccgp; Motorola USB Composite Device Driver; C: \ Windows \ System32 \ Drivers \ motccgp.sys [2007-06-18 17920]
S3 motccgpfl; MotCcgpFlService; C: \ WINDOWS \ system32 \ DRI VERS \ motccgpfl.sys [2007-01-22 7680]
S3 MotDev; Motorola Inc. USB Device; C: \ Windows \ System32 \ Drivers \ motodrv.sys [2007-05-07 42112]
S3 RTLWUSB; NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver; C: \ Windows \ System32 \ Drivers \ wg111v2.sys [2006-03-16 167808]
S3 XDva042; XDva042; C: \ WINDOWS \ system32 \ XDva042.sys []
.
Indhold af "Planlagte opgaver" mappe

2008-10-01 C: \ WINDOWS \ Tasks \ AppleSoftwareUpdate.job
- C: \ Programmer \ Apple Software Update \ SoftwareUpdate.exe [2007-08-29 14:57]

2008-10-27 C: \ WINDOWS \ Tasks \ Uniblue SpeedUpMyPC Nag.job
- C: \ Programmer \ Uniblue \ SpeedUpMyPC \ SpeedUpMyPC.exe []

2007-05-14 C: \ WINDOWS \ Tasks \ Uniblue SpeedUpMyPC.job
- C: \ Programmer \ Uniblue \ SpeedUpMyPC \ SpeedUpMyPC.exe []

2008-10-25 C: \ WINDOWS \ Tasks \ Uniblue SpyEraser Nag.job
- C: \ Programmer \ Uniblue \ SpyEraser \ SpyEraser.exe []
.
- - - - Forældreløse FJERNES - - - --

URLSearchHooks-(0A94B116-4504-4e26-AB05-E61E474AA38B) - (no file)
ShellIconOverlayIdentifiers-hex (2): 7b, 38,41,34,32,44,46,42,46,2 d, 37,38,36,38,2 d, 34,30,32,39,2 d, 39, 35,38, \ - (no file)
ShellExecuteHooks-(E0D8FD38-6F36-4C9F-AE43-EDFA2BB266BA) - (no file)
MSConfigStartUp-Comodo Firewall Pro - C: \ Programmer \ Comodo \ Firewall \ cfp.exe
MSConfigStartUp-EzPrint - C: \ Programmer \ Lexmark 4300 Series \ ezprint.exe
MSConfigStartUp-FaxCenterServer - C: \ Programmer \ Lexmark Fax Solutions \ fm3032.exe
MSConfigStartUp-TkBellExe - C: \ Programmer \ Common Files \ Real \ Update_OB \ realsched.exe
MSConfigStartUp-Uniblue SpyEraser - C: \ Programmer \ Uniblue \ SpyEraser \ SpyEraser.exe


.
------- Supplerende Scan -------
.
FireFox -: Profile - C: \ Documents and Settings \ Vip \ Application Data \ Mozilla \ Firefox \ Profiles \ 19piaa5b.default \
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp: / / hk.yahoo.com /
.
.
------- File Associations -------
.
txtfile = C: \ WINDOWS \ Notepad.exe% 1
.

************************************************** ************************

catchme 0.3.1367 W2K/XP/Vista - rootkit / stealth malware detector ved Gmer, http://www.gmer.net
Rootkit scan 2008-11-01 09:42:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning skjulte processer ...

scanning skjulte autostart entries ...

scanning skjulte filer ...

scanning afsluttet med succes
skjulte filer: 0

************************************************** ************************
.
------------------------ Other Running Processes ----------------------- --
.
C: \ WINDOWS \ system32 \ ati2evxx.exe
C: \ Programmer \ Avast4 \ aswUpdSv.exe
C: \ Programmer \ Avast4 \ ashServ.exe
C: \ WINDOWS \ system32 \ ati2evxx.exe
C: \ Programmer \ Common Files \ Epson \ EBAPI \ SAgent2.exe
C: \ WINDOWS \ system32 \ searchindexer.exe
C: \ Programmer \ Avast4 \ ashMaiSv.exe
C: \ Programmer \ Avast4 \ ashWebSv.exe
C: \ WINDOWS \ system32 \ imapi.exe
.
************************************************** ************************
.
Afslutning tid: 2008-11-01 9:47:03 - maskinen blev genstartet
ComboFix-karantæne-files.txt 2008-10-31 22:46:53

Pre-Run: 17476198400 bytes fri
Post-Run: 17429176320 bytes fri

WindowsXP-KB310994-SP2-Pro-bootdisk-DAN.exe
[boot loader]
timeout = 2
default = multi (0) disk (0) rdisk (0) partition (1) \ WINDOW S
[operating systems]
C: \ Cmdcons \ BOOTSECT.DAT = "Microsoft Windows Genoprettelseskonsol" / cmdcons
multi (0) disk (0) rdisk (0) partition (1) \ WINDOWS = "Micro soft Windows XP Professional" / noexecute = OptIn / fastdetect

335 --- EOF --- 2008-10-24 09:01:23
__________________________________________________ _________________________________________________

EDIT: Jeg var klikke rundt og jeg fandt et ikon, der lignede afinstallere. Jeg klikkede og det begyndte afinstallation (eller i det mindste håber jeg, det var), fordi det var i weird symboler.

[Coolyxxx]

SuperAntiSpyware log. Jeg var nødt til at gøre hurtig scanning, fordi det altid vil komme med en fejl, når jeg har fuld scanning.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/01/2008 at 11:45

Application Version: 4.21.1004

Core Rules Database Version: 3618
Trace Rules Database Version: 1603

Scan type: Quick Scan
Total Scan Time: 00:35:28

Memory poster scannet: 490
Memory trusler opdaget: 0
Topdomæneadministratoren poster scannet: 436
Topdomæneadministratoren trusler opdaget: 0
File poster skannet: 33788
File trusler opdaget: 2

Trojan.Vundo-Variant / F
C: \ WINDOWS \ SYSTEM32 \ AZIPCONTMN.DLL
C: \ WINDOWS \ SYSTEM32 \ SYSFOLDERAZIPCNT.DLL

[Glaswegian]

Hej igen

Undlad venligst at klikke på noget eller køre flere scanninger, medmindre jeg råde dig til det. Den virker bare gør tingene forvirrende for mig - jeg kan se en optagelse i en log, men det er gået fra den næste og så videre - tak.

Jeg formoder, det er det problem

C: \ Programmer \ Tudou

medmindre din mor er en fan af den kinesiske udgave af YouTube.

Jeg vil gerne have et kig på de to filer fundet af SAS.


Gå til: VirusTotal

• I midten af siden finder du et "Browse"-Knappen.
  
  
  
  Klik på knappen "Gennemse" og browse til denne fil i RED:
  
  C: \ WINDOWS \ SYSTEM32 \ AZIPCONTMN.DLL

• Klik på "Åben".
• Klik derefter på "Send File"-Knappen i bunden af VirusTotal side.
• Dette vil scanne filen. Vær tålmodig.
• Når scannet, kopiere og indsætte resultatet i dit næste svar.

Gentag ovenstående for denne fil som godt.

C: \ WINDOWS \ SYSTEM32 \ SYSFOLDERAZIPCNT.DLL




Combofix

• Luk alle åbne browsere.
• Åben notepad og kopiere / indsætte teksten i boksen nedenfor til det:

Code:

  Folder::
  C: \ Programmer \ Tudou 

Når man ser på billedet nedenfor som et eksempel



Gem som CFScript.txtI den samme placering som ComboFix.exe




Med henvisning til billedet ovenfor, skal du trække CFScript på ComboFix.exe.

Når du er færdig, vil den udarbejde en log for dig på "C: \ ComboFix.txt"

Må ikke mouseclick combofix vindue mens det kører. Dette kan få det til at stå.

FORSIGTIG! Alle andre tænker på ved hjælp af ovenstående script gør det på egen risiko - du kan ende op med at re-installere Windows!


Please post loggen C: \ ComboFix.txt Den VirusTotal resultater og en frisk HijackThis Log for en yderligere gennemgang.

[Coolyxxx]

Yea min mor ure nogle kinesisk videoer ... Jeg kunne ikke finde de filer, når du browser i VirusTotal. Jeg selv gik til dem i Explorer, og kunne ikke finde dem begge. Got Kævlerne:
ComboFix:

ComboFix 08-11-01.01 - VIP 2008-11-02 10:36:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.865 [GMT 11:00]
Kører fra: C: \ Documents and Settings \ Vip \ Desktop \ ComboFix.exe
Command switches anvendes:: C: \ Documents and Settings \ Vip \ Desktop \ CFScript.txt
* Skabt et nyt gendannelsespunkt
.

((((((((((((((((((((((((((((((((((((((( Andre Bortfald ))))))))) ))))))))))))))))))))))))))))))))))))))))
.

C: \ Programmer \ Tudou

.
((((((((((((((((((((((((( Files Created fra 2008-10-01 til 2008-11-01 ))))))))))) ))))))))))))))))))))
.

2008-11-01 09:55. 2008-11-01 09:55 <DIR> d -------- C: \ Documents and Settings \ Vip \ Application Data \ Uniblue
2008-10-31 20:45. 2008-10-31 20:45 <DIR> d -------- C: \ Documents and Settings \ Vip \ Application Data \ SUPERAntiSpyware.com
2008-10-31 20:45. 2008-10-31 20:45 <DIR> d -------- C: \ Documents and Settings \ Vip \ Application Data \ Malwarebytes
2008-10-24 12:04. 2008-10-16 03:34 337.408 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ Netapi32.dll
2008-10-15 20:43. 2008-09-15 23:12 1.846.400 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ Win32k.sys
2008-10-15 20:43. 2008-09-08 21:41 333.824 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ srv.sys
2008-10-15 20:42. 2008-08-14 21:11 2.189.184 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ ntoskrnl.exe
2008-10-15 20:42. 2008-08-14 21:09 2.145.280 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ Ntkrnlmp.exe
2008-10-15 20:42. 2008-08-14 20:33 2.066.048 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ ntkrnlpa.exe
2008-10-15 20:42. 2008-08-14 20:33 2.023.936 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))) ))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-31 22:38 --------- d ----- w C: \ Programmer \ Warcraft III
2008-10-31 22:30 --------- d ----- w C: \ Documents and Settings \ All Users \ Application Data \ Spybot - Search & Destroy
2008-10-31 09:52 --------- d ----- w C: \ Programmer \ Avast4
2008-10-31 09:47 --------- d ----- w C: \ Programmer \ Malwarebytes' Anti-Malware
2008-10-31 09:32 --------- d --- aw C: \ Documents and Settings \ All Users \ Application Data \ TEMP
2008-10-22 05:10 38.496 ---- aw C: \ Windows \ System32 \ Drivers \ mbamswissarmy.sys
2008-10-22 05:10 15.504 ---- aw C: \ Windows \ System32 \ Drivers \ mbam.sys
2008-10-09 06:46 --------- d ----- w C: \ Programmer \ PPStream
2008-10-09 03:31 --------- d ----- w C: \ Programmer \ SUPERAntiSpyware
2008-10-09 03:28 --------- d ----- w C: \ Programmer \ Spybot - Search & Destroy
2008-09-18 08:42 --------- d ----- w C: \ Documents and Settings \ Vip \ Application Data \ Ahead
2008-09-15 12:12 1.846.400 ---- aw C: \ WINDOWS \ system32 \ Win32k.sys
2008-09-08 10:41 333.824 ---- aw C: \ Windows \ System32 \ Drivers \ srv.sys
2008-08-28 07:46 74.752 ---- aw C: \ WINDOWS \ system32 \ msw3prt.dll
2008-08-28 07:46 104.960 ---- aw C: \ WINDOWS \ system32 \ win32spl.dll
2008-08-26 07:24 826.368 ---- aw C: \ WINDOWS \ system32 \ Wininet.dll
2008-08-14 10:11 2.189.184 ---- aw C: \ Windows \ system32 \ ntoskrnl.exe
2008-08-14 09:33 2.066.048 ---- aw C: \ WINDOWS \ system32 \ ntkrnlpa.exe
2008-07-29 12:05 32.768 - sha-w C: \ WINDOWS \ system32 \ config \ systemprofile \ Local Settings \ History \ History.IE5 \ MSHist012008072920080 730 \ index.dat
.

((((((((((((((((((((((((((((( Snapshot @ 2008-11-01_ 9.46.14.14 ))))))))))) ))))))))))))))))))))))))))))))
.
- 2008-10-31 22:41:26 16.384 ---- atw C: \ Windows \ Temp \ Perflib_Perfdata_570.dat
+ 2008-11-01 23:26:02 16.384 ---- atw C: \ Windows \ Temp \ Perflib_Perfdata_570.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))) ))))))))))))))))))))))))))))))))))))))))
.
.
* Note * empty entries & legit default entries er ikke vist
REGEDIT4

[HKEY_CURRENT_USER \ SOFTWARE \ Microsoft \ Windows \ Curre ntVersion \ Run]
"Ctfmon.exe" = "C: \ WINDOWS \ system32 \ Ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entVersion \ Run]
"NeroFilterCheck" = "C: \ WINDOWS \ system32 \ NeroCheck.e XE" [2001-07-09 155648]
"SunJavaUpdateSched" = "C: \ Programmer \ Java \ jre1.6.0_07 \ bin \ jusched.exe" [2008-06-10 144784]
"ATICCC" = "C: \ Programmer \ ATI Technologies \ ATI.ACE \ cli.exe" [2006-01-02 45056]
"avast" = "C: \ Programmer \ Avast4 \ ashDisp.exe" [2008-07-20 78008]

[HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ Cur rentVersion \ Run]
"Ctfmon.exe" = "C: \ WINDOWS \ system32 \ Ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ curre ntversion \ policies \ system]
"DisableChangePassword" = 1 (0x1)

[HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ curre ntversion \ policies \ Explorer]
"NoAutoUpdate" = 1 (0x1)
"MaxRecentDocs" = 1 (0x1)

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entversion \ Explorer \ ShellExecuteHooks]
"(56F9679E-7826-4C84-81F3-532071A8BCC5)" = "C: \ Programmer \ Windows Desktop Search \ MSNLNamespaceMgr.dll" [2006-04-24 282624]
"(5AE067D3-9AFB, 48E0-853A-EBB7F4A000DA)" = "C: \ Programmer \ SUPERAntiSpyware \ SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon]
"UIHost" = "C: \ \ WINDOWS \ \ system32 \ \ logonuiX.exe"

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ anmelde \! SASWinLogon]
2008-10-09 14:31 352256 C: \ Programmer \ SUPERAntiSpyware \ SASWINLO.DLL

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ drivers32]
"VIDC.I420" = i420vfw.dll
"aux" = ctwdm32.dll
"VIDC.HFYU" = huffyuv.dll
"VIDC.X264" = x264vfw.dll
"VIDC.3iv2" = 3ivxVfWCodec.dll
"VIDC.VP31" = vp31vfw.dll
"msacm.l3fhg" = mp3fhg.acm
"msacm.ac3filter" = ac3filter.acm

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ All Users ^ Start Menu ^ Programs ^ Startup ^ Adobe Reader Speed Launch.lnk]
backup = C: \ WINDOWS \ PSS \ Adobe Reader Speed Launch.lnkCommon Startup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ All Users ^ Start Menu ^ Programs ^ Startup ^ Adobe Reader Synchronizer.lnk]
backup = C: \ WINDOWS \ PSS \ Adobe Reader Synchronizer.lnkCommon Startup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ All Users ^ Menuen Start ^ Programmer ^ Start ^ WinZip Quick Pick.lnk]
backup = C: \ WINDOWS \ PSS \ WinZip Quick Pick.lnkCommon Startup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ Azureus Turbo Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ Azureus Turbo Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ Azureus Ultra Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ Azureus Ultra Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ BitTorrent Turbo Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ BitTorrent Turbo Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ eMule Turbo Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ eMule Turbo Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ LimeWire På Startup.lnk]
backup = C: \ WINDOWS \ PSS \ LimeWire On Startup.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ LimeWire Turbo Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ LimeWire Turbo Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ PowerReg Scheduler V3.exe]
backup = C: \ WINDOWS \ PSS \ PowerReg Scheduler V3.exeStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ Registrering Tom Clancy's Rainbow Six]
backup = C: \ WINDOWS \ PSS \ Registration Tom Clancy's Rainbow SixStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ SpeedFan.lnk]
backup = C: \ WINDOWS \ PSS \ SpeedFan.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ Thoosje Sidebar.lnk]

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ WordWeb.lnk]
backup = C: \ WINDOWS \ PSS \ WordWeb.lnkStartup
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \! AVG anti-spyware
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ BitTorrent
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Boss Key
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ CmCardRun
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ CursorXP
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ EasyTuneVPro
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ iTunesHelper
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ LogonStudio
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ OrderReminder
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ RecordPadRun
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ SpeedOptimizer
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ SWG
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Veoh

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Adobe Photo Downloader]
- a ------ 2005-09-09 01:18 57344 C: \ Programmer \ Adobe \ Photoshop Elements 4.0 \ apdproxy.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ BgMonitor_ (79662E04-7C6C-4d9f-84C7-88D8A56B10AA)]
- a ------ 2006-04-21 18:03 94208 C: \ Programmer \ Common Files \ Ahead \ Lib \ NMBgMonitor.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Daemon Tools]
- a ------ 2005-12-11 01:57 133016 C: \ Programmer \ Daemon Tools \ daemon.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ LanguageShortcut]
- a ------ 2006-04-13 12:09 49152 C: \ Programmer \ Cyberlink \ PowerDVD \ Language \ Language.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ QuickTime Task]
- a ------ 2008-03-29 00:37 413696 C: \ Programmer \ K-Lite Codec Pack \ QuickTime \ QTTask.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ RemoteControl]
- a ------ 2005-12-07 23:57 30208 C: \ Programmer \ Cyberlink \ PowerDVD \ PDVDServ.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ SpybotSD TeaTimer]
-rahs ---- 2008-09-16 12:16 1833296 C: \ Programmer \ Spybot - Search & Destroy \ TeaTimer.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Steam]
- a ------ 2008-03-29 09:39 1271032 C: \ Valve \ Steam \ Steam.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Uniblue RegistryBooster 2]
- a ------ 2007-12-05 16:06 1885464 C: \ Programmer \ Uniblue \ RegistryBooster 2 \ RegistryBooster.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Uniblue SpeedUpMyPC]
- a ------ 2008-01-29 09:46 9442584 C: \ Programmer \ Uniblue \ SpeedUpMyPC 3 \ SpeedUpMyPC.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ WinampAgent]
- a ------ 2008-04-02 05:49 36352 C: \ Programmer \ Winamp \ winampa.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ BluetoothAuthenticationA Gent]
- a ------ 2008-04-14 06:42 110592 C: \ WINDOWS \ system32 \ bthprops.cpl

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ C-Media Mixer]
- a ------ 2003-03-20 17:21 1855488 C: \ WINDOWS \ mixer.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ tjenester]
"WMPNetworkSvc" = 3 (0x3)
"gusvc" = 3 (0x3)
"RichVideo" = 2 (0x2)
"BthServ" = 2 (0x2)
"iPod Service" = 3 (0x3)
"Apple Mobile Device" = 2 (0x2)
"LiveUpdate Notice Service" = 2 (0x2)
"VideoAcceleratorEngine" = 3 (0x3)
"MDM" = 2 (0x2)
"IDriverT" = 3 (0x3)
"aawservice" = 3 (0x3)
"PDEngine" = 3 (0x3)
"PDAgent" = 3 (0x3)
"Pml Driver HPZ12" = 3 (0x3)
"CPUCooLServer" = 2 (0x2)
"usnjsvc" = 3 (0x3)
"AdobeActiveFileMonitor4.0" = 2 (0x2)
"WLSetupSvc" = 3 (0x3)
"cmdAgent" = 2 (0x2)
"FLEXnet Licensing Service" = 3 (0x3)
"Bonjour Service" = 2 (0x2)
"OSE" = 3 (0x3)

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Security Center \ Monitoring]
"DisableMonitoring" = dword: 00000001

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Security Center \ Monitoring \ SymantecAntiVirus]
"DisableMonitoring" = dword: 00000001

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Security Center \ Monitoring \ SymantecFirewall]
"DisableMonitoring" = dword: 00000001

[HKLM \ ~ \ Services \ sharedaccess \ Parameters \ firewallpo licy \ standardprofile \ AuthorizedApplications \ List]
"% windir% \ \ system32 \ \ sessmgr.exe" =
"C: \ \ Programmer \ \ DAP \ \ DAP.exe" =
"C: \ \ Programmer \ \ Messenger \ \ msmsgs.exe" =
"<NO Navn" = "C: \ \ Programmer \ \ PPStream \ \ PPStream.exe" "C: \ \ Programmer \ \ PPStream \ \ PPStream.exe
"% windir% \ \ Network Diagnostic \ \ xpnetdiag.exe" =
"C: \ \ Programmer \ \ Windows Live \ \ Messenger \ \ msnmsgr.exe" =
"C: \ \ Programmer \ \ Windows Live \ \ Messenger \ \ livecall.exe" =
"C: \ \ Programmer \ \ UT2004 \ \ System \ \ UT2004.exe" =
"C: \ \ Programmer \ \ DeusEx \ \ System \ \ DeusEx.exe" =

[HKLM \ ~ \ Services \ sharedaccess \ Parameters \ firewallpo licy \ standardprofile \ GloballyOpenPorts \ List]
"3389: TCP" = 3389: TCP: *: Disabled: @ Xpsp2res.dll, -22009
"15394: TCP" = 15394: TCP: *: Disabled: BitComet 15394 TCP
"15394: UDP" = 15394: UDP: *: Disabled: BitComet 15394 UDP
"6555: TCP" = 6555: TCP: *: Disabled: BitComet 6555 TCP
"6555: UDP" = 6555: UDP: *: Disabled: BitComet 6555 UDP

R1 aswSP; avast! Self Protection; C: \ Windows \ System32 \ Drivers \ aswSP.sys [2008-07-20 78416]
R1 atitray; atitray; C: \ Programmer \ Ray Adams \ ATI Tray Tools \ atitray.sys [2007-05-22 18088]
R2 aswFsBlk; aswFsBlk; C: \ Windows \ System32 \ Drivers \ aswF sBlk.sys [2008-07-20 20560]
R2 ROCKEYNT; ROCKEYNT; C: \ Windows \ System32 \ Drivers \ Rock eynt.sys [2005-01-04 18223]
R2 SBKUPNT; SBKUPNT; C: \ Windows \ System32 \ Drivers \ SBKUPN T. SYS [2001-07-13 14976]
S3 motccgp; Motorola USB Composite Device Driver; C: \ Windows \ System32 \ Drivers \ motccgp.sys [2007-06-18 17920]
S3 motccgpfl; MotCcgpFlService; C: \ WINDOWS \ system32 \ DRI VERS \ motccgpfl.sys [2007-01-22 7680]
S3 MotDev; Motorola Inc. USB Device; C: \ Windows \ System32 \ Drivers \ motodrv.sys [2007-05-07 42112]
S3 RTLWUSB; NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver; C: \ Windows \ System32 \ Drivers \ wg111v2.sys [2006-03-16 167808]
S3 XDva042; XDva042; C: \ WINDOWS \ system32 \ XDva042.sys []
.
Indhold af "Planlagte opgaver" mappe

2008-10-01 C: \ WINDOWS \ Tasks \ AppleSoftwareUpdate.job
- C: \ Programmer \ Apple Software Update \ SoftwareUpdate.exe [2007-08-29 14:57]

2008-10-27 C: \ WINDOWS \ Tasks \ Uniblue SpeedUpMyPC Nag.job
- C: \ Programmer \ Uniblue \ SpeedUpMyPC \ SpeedUpMyPC.exe []

2007-05-14 C: \ WINDOWS \ Tasks \ Uniblue SpeedUpMyPC.job
- C: \ Programmer \ Uniblue \ SpeedUpMyPC \ SpeedUpMyPC.exe []

2008-10-25 C: \ WINDOWS \ Tasks \ Uniblue SpyEraser Nag.job
- C: \ Programmer \ Uniblue \ SpyEraser \ SpyEraser.exe []
.

************************************************** ************************

catchme 0.3.1367 W2K/XP/Vista - rootkit / stealth malware detector ved Gmer, http://www.gmer.net
Rootkit scan 2008-11-02 10:39:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning skjulte processer ...

scanning skjulte autostart entries ...

scanning skjulte filer ...

scanning afsluttet med succes
skjulte filer: 0

************************************************** ************************
.
Afslutning tid: 2008-11-02 10:41:44
ComboFix-karantæne-files.txt 2008-11-01 23:41:32
ComboFix2.txt 2008-10-31 22:47:05

Pre-Run: 17222828032 bytes fri
Post-Run: 17200967680 bytes fri

233 --- EOF --- 2008-10-24 09:01:23
__________________________________________________ _________________________

HijackThis:

Logfile af Trend Micro HijackThis v2.0.2
Scan gemt kl 10:50:19 den 2/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Kørende processer:
C: \ WINDOWS \ System32 \ smss.exe
C: \ WINDOWS \ system32 \ Winlogon.exe
C: \ WINDOWS \ system32 \ Services.exe
C: \ WINDOWS \ system32 \ Lsass.exe
C: \ WINDOWS \ system32 \ Ati2evxx.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ WINDOWS \ System32 \ Svchost.exe
C: \ Programmer \ Avast4 \ aswUpdSv.exe
C: \ Programmer \ Avast4 \ ashServ.exe
C: \ WINDOWS \ system32 \ Spoolsv.exe
C: \ Programmer \ Common Files \ Epson \ EBAPI \ SAgent2.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ WINDOWS \ system32 \ SearchIndexer.exe
C: \ Programmer \ Avast4 \ ashMaiSv.exe
C: \ Programmer \ Avast4 \ ashWebSv.exe
C: \ WINDOWS \ system32 \ Ati2evxx.exe
C: \ WINDOWS \ system32 \ Ctfmon.exe
C: \ Programmer \ Java \ jre1.6.0_07 \ bin \ jusched.exe
C: \ Programmer \ ATI Technologies \ ATI.ACE \ cli.exe
C: \ Programmer \ Avast4 \ ashDisp.exe
C: \ Programmer \ ATI Technologies \ ATI.ACE \ cli.exe
C: \ Programmer \ ATI Technologies \ ATI.ACE \ cli.exe
C: \ WINDOWS \ explorer.exe
C: \ Programmer \ Spybot - Search & Destroy \ TeaTimer.exe
C: \ Documents and Settings \ Vip \ Desktop \ HiJackThis.exe

R0 - HKCU \ Software \ Microsoft \ Internet Explorer \ Main, Start Page = http://www.yahoo.com.hk/
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Int ernet Settings, ProxyOverride = lokale
O2 - BHO: Adobe PDF Reader Link Helper - (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) - C: \ Programmer \ Common Files \ Adobe \ Acrobat \ ActiveX \ AcroIEHelper.dll
O2 - BHO: RealPlayer Download og Record Plugin for Internet Explorer - (3049C3E9-B461-4BC5-8870-4C09146192CA) - C: \ Programmer \ Real \ RealPlayer \ rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S & D IE Protection - (53707962-6F74-2D53-2644-206D7942484F) - C: \ PROGRA ~ 1 \ Spybot ~ 1 \ SDHelper.dll
O2 - BHO: SSVHelper Class - (761497BB-D6F0-462C-B6EB-D4DAF1D92D43) - C: \ Programmer \ Java \ jre1.6.0_07 \ bin \ ssv.dll
O2 - BHO: (no name) - (7E853D72-626A-48EC-A868-BA8D5E23E045) - (no file)
O2 - BHO: Windows Live Sign-in Helper - (9030D464-4C02-4ABF-8ECC-5164760863C6) - C: \ Programmer \ Common Files \ Microsoft Shared \ Windows Live \ WindowsLiveLogin.dll
O4 - HKLM \ .. \ Run: [NeroFilterCheck] C: \ WINDOWS \ system32 \ NeroCheck.exe
O4 - HKLM \ .. \ Run: [SunJavaUpdateSched] "C: \ Programmer \ Java \ jre1.6.0_07 \ bin \ jusched.exe"
O4 - HKLM \ .. \ Run: [ATICCC] "C: \ Programmer \ ATI Technologies \ ATI.ACE \ cli.exe" runtime-Delay
O4 - HKLM \ .. \ Run: [avast] C: \ Programmer \ Avast4 \ ashDisp.exe
O4 - HKCU \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe
O4 - HKUS \ S-1-5-19 \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS \ S-1-5-20 \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS \ S-1-5-18 \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe (User 'SYSTEM')
O4 - HKUS \. DEFAULT \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe (User 'Default user')
O8 - Extra sammenhæng menupunktet: & Clean Traces - C: \ Programmer \ DAP \ Privacy Package \ dapcleanerie.htm
O8 - Extra sammenhæng menupunktet: & Download med & DAP - C: \ Programmer \ DAP \ dapextie.htm
O8 - Extra sammenhæng menupunkt: Download & alle med DAP - C: \ Programmer \ DAP \ dapextie2.htm
O8 - Extra sammenhæng menupunktet: E & ksporter til Microsoft Excel - res: / / C: \ PROGRA ~ 1 \ mikroer ~ 2 \ Office11 \ EXCEL.EXE/3000
O9 - Extra knappen: (no name) - (08B0E5C0-4FCB-11CF-AAA5-00401C608501) - C: \ Programmer \ Java \ jre1.6.0_07 \ bin \ ssv.dll
O9 - Extra 'Tools' MENUITEM: Sun Java Console - (08B0E5C0-4FCB-11CF-AAA5-00401C608501) - C: \ Programmer \ Java \ jre1.6.0_07 \ bin \ ssv.dll
O9 - Ekstra knap: Research - (92780B25-18CC-41C8-B9BE-3C9C571A8263) - C: \ PROGRA ~ 1 \ mikroer ~ 2 \ Office11 \ REFIEBAR.DLL
O9 - Ekstra knap: QQ - (c95fe080-8f5d-11d2-a20b-00aa003c157b) - C: \ WINDOWS \ system32 \ shdocvw.dll
O9 - Extra 'Tools' MENUITEM:?? QQ - (c95fe080-8f5d-11d2-a20b-00aa003c157b) - C: \ WINDOWS \ system32 \ shdocvw.dll
O9 - Extra knappen: (no name) - (DFB852A3-47F8-48C4-A200-58CAB36FD2A2) - C: \ PROGRA ~ 1 \ Spybot ~ 1 \ SDHelper.dll
O9 - Extra 'Tools' MENUITEM: Spybot - Search & Destroy Configuration - (DFB852A3-47F8-48C4-A200-58CAB36FD2A2) - C: \ PROGRA ~ 1 \ Spybot ~ 1 \ SDHelper.dll
O9 - Ekstra knap: Messenger - (FB5F1910-F110-11D2-BB9E-00C04F795683) - C: \ Programmer \ Messenger \ msmsgs.exe
O9 - Extra 'Tools' MENUITEM: Windows Messenger - (FB5F1910-F110-11D2-BB9E-00C04F795683) - C: \ Programmer \ Messenger \ msmsgs.exe
O16 - DPF: (17492023-C23A-453E-A040-C7C580BBF700) (Windows Genuine Advantage Validation Tool) -- http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: (4F1E5B1A-2A80-42CA-8532-2D05CB959537) -- http://by107fd.bay107.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: (5D6F45B3-9043-443D-A792-115447494D24) -- http://messenger.zone.msn.com/EN-AU/.../GAME_UNO1.cab
O16 - DPF: (6E32070A-766D-4EE6-879C-DC1FA91D2FC3) (MUWebControl Class) -- http://update.microsoft.com/microsof...?1133040258574
O16 - DPF: (8E0D4DE5-3180-4024-A327-4DFAD1796A8D) -- http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: (C3F79A2B-B9B4-4A66-B012-3EE46475B072) -- http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: (D27CDB6E-AE6D-11CF-96B8-444553540000) (Shockwave Flash Object) -- http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify:! SASWinLogon - C: \ Programmer \ SUPERAntiSpyware \ SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C: \ Programmer \ Lavasoft \ Ad-Aware 2007 \ aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C: \ Programmer \ Avast4 \ aswUpdSv.exe
O23 - Service: Ati Genvejstast Poller - ATI Technologies Inc. - C: \ WINDOWS \ system32 \ Ati2evxx.exe
O23 - Service: ATI Smart - Unknown ejer - C: \ WINDOWS \ system32 \ ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C: \ Programmer \ Avast4 \ ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C: \ Programmer \ Avast4 \ ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C: \ Programmer \ Avast4 \ ashWebSv.exe
O23 - Service: Epson Printer Status Agent2 (EPSONStatusAgent2) - Seiko Epson CORPORATION - C: \ Programmer \ Common Files \ Epson \ EBAPI \ SAgent2.exe

--
End of file - 6734 bytes

[Glaswegian]

Hej

Disse to filer blev ikke fundet ved combofix, så jeg ville jo egentlig ikke forvente, at de er der.

Hvordan er det system, der kører nu?

Lad os køre en online scanning.

Foretage en online-scanning med Panda ActiveScan

• Klik på Scan din pc Nu
• En "pop up"-vindue vises, eller et nyt faneblad åbnes.
• Klik på Registrer
• Vælg den mulighed, du kan lide de fleste, men vi anbefaler Free Registration.
• Klik på Registrer
• Indtast din e-mail-adresse, og oprette en adgangskode.
• Vælg "Jeg ønsker ikke at modtage nogen form for information". (Medmindre du ønsker at modtage sådanne oplysninger)
• Klik på Sende
• Bekræft registreringen, og fortsætte ved at indtaste dit brugernavn og din adgangskode, og klik derefter på Indtast
• Vælg Fuld Scan, og klik derefter på Scan Nu
• Vent til de komponenter, der skal lastes og installeret. Undlad at lukke dette vindue, eller gå til en anden side, mens det er hentet. Du kan fortsætte med at bruge internettet ved at åbne et andet vindue i din browser.
• Hvis den konstaterer enhver malware kan desinficere den desinficeres knappen bliver aktiveret. Klik på Desinficere
• Du bedes se bort fra tilbud om at købe programmet. Klik på Eksport til
  
• Eksporter logge og gemme den på dit skrivebord.
• Vær så venlig vedhæfte indholdet af denne log til dit svar sammen med en ny HijackThis log.

* Sluk for realtid scanner af eventuelle eksisterende antivirus-program, mens de udfører online scanning.

[Coolyxxx]

Citat:

Oprindeligt Indsendt af Glaswegian

• Vær så venlig vedhæfte indholdet af denne log til dit svar sammen med en ny HijackThis log.

Jamen, du sagde vedhæfte, i rødt, så jeg tænkte jeg vil vedhæfte. Ikke sikker på, hvad forskellen er mellem tilknytning og kopiere / indsætte, undtagen for en længere post ... Den Panda Active Scan fundet nogle ting, men jeg kunne kun desinficere en, ormen en, fordi den for de andre, det sagde jeg er nødt til at købe det.

[Glaswegian]

Hej igen

Undskyldninger for ikke at komme tilbage til dig før - det virkelige liv er temmelig travlt i øjeblikket.

Hvordan er det system, der kører nu?


Det eneste punkt på dagsordenen er PowerRegScheduler - kan du fjerne den, hvis du ønsker det.