Mamma ned noe

**Coolyxxx** · #1 31st 2008 okt 03:00

Hei,
Vel, min mor lastet ned noe og brannmuren kom opp med noen melding. Noe det ble installert før hun fortalte meg. Så, skanner kjører nå, kan det ta litt tid fordi det er en treg datamaskin. Jeg vet ikke hva det heter skjønt, det er alle rare symboler og uleselig. Har du en HijackThis logg om minst én ting det tar ikke lang tid ...

Logfile of Trend Micro HijackThis v2.0.2
Scan lagret 8:53:31 PM, on 31/10/2008
Plattform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Kjører prosesser:
C: \ WINDOWS \ System32 \ smss.exe
C: \ WINDOWS \ system32 \ Winlogon.exe
C: \ WINDOWS \ system32 \ Services.exe
C: \ WINDOWS \ system32 \ Lsass.exe
C: \ WINDOWS \ system32 \ Ati2evxx.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Programfiler \ Avast4 \ aswUpdSv.exe
C: \ Programfiler \ Avast4 \ ashServ.exe
C: \ WINDOWS \ system32 \ Spoolsv.exe
C: \ Programfiler \ Fellesfiler \ EPSON \ EBAPI \ SAgent2.exe
C: \ WINDOWS \ system32 \ Ati2evxx.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ WINDOWS \ system32 \ Ctfmon.exe
C: \ WINDOWS \ Explorer.exe
C: \ WINDOWS \ system32 \ SearchIndexer.exe
C: \ Programfiler \ Java \ jre1.6.0_07 \ bin \ jusched.exe
C: \ Programfiler \ ATI Technologies \ ATI.ACE \ cli.exe
C: \ progra ~ 1 \ Avast4 \ ashDisp.exe
C: \ Programfiler \ ATI Technologies \ ATI.ACE \ cli.exe
C: \ Programfiler \ ATI Technologies \ ATI.ACE \ cli.exe
C: \ Programfiler \ Avast4 \ ashMaiSv.exe
C: \ Programfiler \ Avast4 \ ashWebSv.exe
C: \ Program Files \ DAP \ DAP.EXE
C: \ Programfiler \ SUPERAntiSpyware \ SUPERAntiSpyware.exe
C: \ Programfiler \ Malwarebytes' Anti-Malware \ mbam.exe
C: \ Programfiler \ Spybot - Search & Destroy \ SpybotSD.exe
C: \ Programfiler \ Mozilla Firefox \ firefox.exe
C: \ Programfiler \ Avast4 \ ashSimpl.exe
C: \ Documents and Settings \ Vip \ Skrivebord \ HiJackThis.exe
C: \ Programfiler \ Avast4 \ setup \ avast.setup

R0 - HKCU \ Software \ Microsoft \ Internet Explorer \ Main, Start Page = http://www.yahoo.com.hk/
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM \ Software \ Microsoft \ Internet Explorer \ Search, SearchAssistant =
R1 - HKCU \ Software \ Microsoft \ Internet Explorer \ Main, Window Tittel = Windows Internet Explorer levert av Administrator Kevin
R1 - HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Int ernet Settings, ProxyOverride = lokale
R3 - URLSearchHook: (no name) - (0A94B116-4504-4e26-AB05-E61E474AA38B) - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) - C: \ Programfiler \ Fellesfiler \ Adobe \ Acrobat \ ActiveX \ AcroIEHelper.dll
O2 - BHO: RealPlayer Download og Record Plugin for Internet Explorer - (3049C3E9-B461-4BC5-8870-4C09146192CA) - C: \ Programfiler \ Real \ RealPlayer \ rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S & D IE Protection - (53707962-6F74-2D53-2644-206D7942484F) - C: \ progra ~ 1 \ Spybot ~ 1 \ SDHelper.dll
O2 - BHO: SSVHelper Class - (761497BB-D6F0-462C-B6EB-D4DAF1D92D43) - C: \ Programfiler \ Java \ jre1.6.0_07 \ bin \ ssv.dll
O2 - BHO: (no name) - (7E853D72-626A-48EC-A868-BA8D5E23E045) - (no file)
O2 - BHO: Windows Live Sign-in Helper - (9030D464-4C02-4ABF-8ECC-5164760863C6) - C: \ Programfiler \ Fellesfiler \ Microsoft Shared \ Windows Live \ WindowsLiveLogin.dll
O4 - HKLM \ .. \ Run: [NeroFilterCheck] C: \ WINDOWS \ system32 \ NeroCheck.exe
O4 - HKLM \ .. \ Run: [SunJavaUpdateSched] "C: \ Programfiler \ Java \ jre1.6.0_07 \ bin \ jusched.exe"
O4 - HKLM \ .. \ Run: [ATICCC] "C: \ Programfiler \ ATI Technologies \ ATI.ACE \ cli.exe" runtime-Delay
O4 - HKLM \ .. \ Run: [avast!] C: \ progra ~ 1 \ Avast4 \ ashDisp.exe
O4 - HKLM \ .. \ RunOnce: [Malwarebytes' Anti-Malware] C: \ Programfiler \ Malwarebytes' Anti-Malware \ mbamgui.exe / install / lydløs
O4 - HKCU \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe
O4 - HKUS \ S-1-5-19 \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS \ S-1-5-20 \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS \ S-1-5-18 \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe (User 'SYSTEM')
O4 - HKUS \. DEFAULT \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe (User 'Default user')
O4 - Startup: æø ¶ ¯ ÉËÙÍÁ ¶ ¹. Lnk =?
O8 - Extra sammenheng menyelement: & Clean spor - C: \ Program Files \ DAP \ Privacy Package \ dapcleanerie.htm
O8 - Extra sammenheng menyelement: & Download med & DAP - C: \ Program Files \ DAP \ dapextie.htm
O8 - Extra sammenheng menyelement: Download & alle med DAP - C: \ Program Files \ DAP \ dapextie2.htm
O8 - Extra sammenheng menyelement: E & ksporter til Microsoft Excel - res: / / c: \ progra ~ 1 \ micros ~ 2 \ Office11 \ EXCEL.EXE/3000
O9 - Extra knappen: (no name) - (08B0E5C0-4FCB-11CF-AAA5-00401C608501) - C: \ Programfiler \ Java \ jre1.6.0_07 \ bin \ ssv.dll
O9 - Extra "Verktøy" MENUITEM: Sun Java Console - (08B0E5C0-4FCB-11CF-AAA5-00401C608501) - C: \ Programfiler \ Java \ jre1.6.0_07 \ bin \ ssv.dll
O9 - Extra knappen: Research - (92780B25-18CC-41C8-B9BE-3C9C571A8263) - C: \ progra ~ 1 \ micros ~ 2 \ Office11 \ REFIEBAR.DLL
O9 - Extra knappen: qq - (c95fe080-8f5d-11d2-a20b-00aa003c157b) - C: \ WINDOWS \ system32 \ shdocvw.dll
O9 - Extra "Verktøy" MENUITEM:? Qq - (c95fe080-8f5d-11d2-a20b-00aa003c157b) - C: \ WINDOWS \ system32 \ shdocvw.dll
O9 - Extra knappen: (no name) - (DFB852A3-47F8-48C4-a200-58CAB36FD2A2) - C: \ progra ~ 1 \ Spybot ~ 1 \ SDHelper.dll
O9 - Extra "Verktøy" MENUITEM: Spybot - Search & Destroy Configuration - (DFB852A3-47F8-48C4-a200-58CAB36FD2A2) - C: \ progra ~ 1 \ Spybot ~ 1 \ SDHelper.dll
O9 - Extra knappen: (no name) - (e2e2dd38-d088-4134-82b7-f2ba38496583) - C: \ WINDOWS \ Network Diagnostic \ xpnetdiag.exe
O9 - Extra "Verktøy" MENUITEM: @ xpsp3res.dll, -20001 - (e2e2dd38-d088-4134-82b7-f2ba38496583) - C: \ WINDOWS \ Network Diagnostic \ xpnetdiag.exe
O9 - Extra knappen: Messenger - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C: \ Programfiler \ Messenger \ msmsgs.exe
O9 - Extra "Verktøy" MENUITEM: Windows Messenger - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C: \ Programfiler \ Messenger \ msmsgs.exe
O16 - DPF: (17492023-C23A-453E-A040-C7C580BBF700) (Windows Genuine Advantage Validation Tool) -- http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: (4F1E5B1A-2A80-42CA-8532-2D05CB959537) -- http://by107fd.bay107.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: (5D6F45B3-9043-443D-A792-115447494D24) -- http://messenger.zone.msn.com/EN-AU/.../GAME_UNO1.cab
O16 - DPF: (6E32070A-766D-4EE6-879C-DC1FA91D2FC3) (MUWebControl klasse) -- http://update.microsoft.com/microsof...?1133040258574
O16 - DPF: (8E0D4DE5-3180-4024-a327-4DFAD1796A8D) -- http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: (C3F79A2B-B9B4-4A66-B012-3EE46475B072) -- http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: (D27CDB6E-AE6D-11CF-96B8-444553540000) (Shockwave Flash Object) -- http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify:! SASWinLogon - C: \ Programfiler \ SUPERAntiSpyware \ SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C: \ Programfiler \ Lavasoft \ Ad-Aware 2007 \ aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C: \ Programfiler \ Avast4 \ aswUpdSv.exe
O23 - Service: ATI Hurtigtast Poller - ATI Technologies Inc. - C: \ WINDOWS \ system32 \ Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C: \ WINDOWS \ system32 \ ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C: \ Programfiler \ Avast4 \ ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C: \ Programfiler \ Avast4 \ ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C: \ Programfiler \ Avast4 \ ashWebSv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C: \ Programfiler \ Fellesfiler \ EPSON \ EBAPI \ SAgent2.exe

--
End of file - 7692 bytes
_______________________________________________
Hjelp er verdsatt.
BTW. Jeg finner ikke et ikon som ser ut som "avinstallere" til meg, så avinstallerer ikke vil være et alternativ ...

**Coolyxxx** · #2 31st 2008 okt 15:21

Vel. Jeg forlot skanner å kjøre over natten, men SuperAntiSpyware holdt på møter problemer og lukkes ... Jeg har MalwareBytes logg her:

Malwarebytes' Anti-Malware 1.30
Database versjon: 1343
Windows 5.1.2600 Service Pack 3

1/11/2008 9:19:03 AM
mbam-log-2008-11-01 (09-19-03). txt

Scan type: Full Scan (C: \ | D: \ | E: \ |)
Objekter skannet: 190626
Tid brukt: 3 time (r), 56 minutt (er), 28 sekund (er)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registernøkler Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(Ingen skadelige eks oppdaget)

Memory Modules Infected:
(Ingen skadelige eks oppdaget)

Registernøkler Infected:
(Ingen skadelige eks oppdaget)

Registry Values Infected:
(Ingen skadelige eks oppdaget)

Registry Data Items Infected:
(Ingen skadelige eks oppdaget)

Folders Infected:
(Ingen skadelige eks oppdaget)

Files Infected:
C: \ WINDOWS \ system32 \ _005069_.tmp.dll (Trojan.Agent) -> karantene og slettet.
C: \ WINDOWS \ system32 \ _005101_.tmp.dll (Trojan.Agent) -> karantene og slettet.

**Glaswegian** · #3 31st 2008 okt 15:24

Hei

Fortsett med skanner du kjører, og deretter følge disse instruksjonene.

Laste ned ComboFix fra ett av disse stedene:

Link 1
Link 2
Link 3

* VIKTIG! Lagre ComboFix.exe til skrivebordet ditt

Deaktivere antivirus-og antispionprogrammer, vanligvis via et høyreklikk på System-ikonet. De kan ellers forstyrrer våre verktøy
Dobbeltklikk på ComboFix.exe og følg instruksjonene.
Som en del av den prosessen, ComboFix vil kontrollere om Microsoft Windows-gjenopprettingskonsollen er installert. Med malware infeksjoner blir som de er i dag, er det sterkt anbefalt å ha denne pre-installert på maskinen din før du gjør noe malware fjerning. Det vil tillate deg å starte opp i en spesiell utvinning / reparasjon som vil hjelpe oss til å lettere hjelpe bør du maskinen din har et problem etter et forsøkt fjerning av malware.
Følg instruksjonene for å tillate ComboFix å laste ned og installere Microsoft Windows-gjenopprettingskonsollen, og når du blir spurt, samtykker i lisensavtalen for å installere Microsoft Windows Recovery Console.

** Vær oppmerksom på følgende: Hvis Microsoft Windows Recovery Console allerede er installert, ComboFix fortsetter det malware fjerning prosedyrer.

Når Microsoft Windows-gjenopprettingskonsollen er installert ved hjelp ComboFix, får du følgende melding:

Klikk på JaÅ fortsette scanning for malware.

Når du er ferdig, ComboFix skal produsere en logg for deg. Ta med C: \ ComboFix.txt i neste svaret, alog med andre logger.

**Coolyxxx** · #4 31st 2008 okt 15:52

For noen grunn ComboFix lukket SuperAntiSpyware mens det var skanning, så det er nytt nå. Og avast! starter ikke opp standard lenger ... Jeg åpner programmet, men det er fortsatt ikke i systemskuffen ting ... Og programmet som mamma nedlastede er satt til å kjøre ved oppstart ... Lag her allikevel:

ComboFix 08-10-30.13 - Vip 2008-11-01 9:36:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.732 [GMT 11:00]
Running from: C: \ Documents and Settings \ Vip \ Skrivebord \ ComboFix.exe
* Opprettet et nytt gjenopprettingspunkt
.

((((((((((((((((((((((((((((((((((((((( Other slettingene ))))))))) ))))))))))))))))))))))))))))))))))))))))
.

C: \ Program Files \ Warcraft III \ _desktop.ini
C: \ WINDOWS \ system32 \ _005058_.tmp.dll
C: \ WINDOWS \ system32 \ _005059_.tmp.dll
C: \ WINDOWS \ system32 \ _005060_.tmp.dll
C: \ WINDOWS \ system32 \ _005061_.tmp.dll
C: \ WINDOWS \ system32 \ _005068_.tmp.dll
C: \ WINDOWS \ system32 \ _005070_.tmp.dll
C: \ WINDOWS \ system32 \ _005071_.tmp.dll
C: \ WINDOWS \ system32 \ _005072_.tmp.dll
C: \ WINDOWS \ system32 \ _005073_.tmp.dll
C: \ WINDOWS \ system32 \ _005074_.tmp.dll
C: \ WINDOWS \ system32 \ _005075_.tmp.dll
C: \ WINDOWS \ system32 \ _005076_.tmp.dll
C: \ WINDOWS \ system32 \ _005077_.tmp.dll
C: \ WINDOWS \ system32 \ _005078_.tmp.dll
C: \ WINDOWS \ system32 \ _005079_.tmp.dll
C: \ WINDOWS \ system32 \ _005080_.tmp.dll
C: \ WINDOWS \ system32 \ _005081_.tmp.dll
C: \ WINDOWS \ system32 \ _005082_.tmp.dll
C: \ WINDOWS \ system32 \ _005084_.tmp.dll
C: \ WINDOWS \ system32 \ _005087_.tmp.dll
C: \ WINDOWS \ system32 \ _005088_.tmp.dll
C: \ WINDOWS \ system32 \ _005092_.tmp.dll
C: \ WINDOWS \ system32 \ _005093_.tmp.dll
C: \ WINDOWS \ system32 \ _005094_.tmp.dll
C: \ WINDOWS \ system32 \ _005095_.tmp.dll
C: \ WINDOWS \ system32 \ _005096_.tmp.dll
C: \ WINDOWS \ system32 \ _005097_.tmp.dll
C: \ WINDOWS \ system32 \ _005098_.tmp.dll
C: \ WINDOWS \ system32 \ _005099_.tmp.dll
C: \ WINDOWS \ system32 \ _005100_.tmp.dll
C: \ WINDOWS \ system32 \ _005102_.tmp.dll
C: \ WINDOWS \ system32 \ _005103_.tmp.dll
C: \ WINDOWS \ system32 \ _005104_.tmp.dll
C: \ WINDOWS \ system32 \ _005106_.tmp.dll
C: \ WINDOWS \ system32 \ _005107_.tmp.dll
C: \ WINDOWS \ system32 \ _005108_.tmp.dll
C: \ WINDOWS \ system32 \ _005109_.tmp.dll
C: \ WINDOWS \ system32 \ _005110_.tmp.dll
C: \ WINDOWS \ system32 \ _005111_.tmp.dll
C: \ WINDOWS \ system32 \ _005112_.tmp.dll
C: \ WINDOWS \ system32 \ _005115_.tmp.dll
C: \ WINDOWS \ system32 \ _005116_.tmp.dll
C: \ WINDOWS \ system32 \ _005117_.tmp.dll
C: \ WINDOWS \ system32 \ _005118_.tmp.dll
C: \ WINDOWS \ system32 \ _005119_.tmp.dll
C: \ WINDOWS \ system32 \ _005121_.tmp.dll
C: \ WINDOWS \ system32 \ _005122_.tmp.dll
C: \ WINDOWS \ system32 \ _005123_.tmp.dll
C: \ WINDOWS \ system32 \ _005125_.tmp.dll
C: \ WINDOWS \ system32 \ _005128_.tmp.dll
C: \ WINDOWS \ system32 \ _005129_.tmp.dll
C: \ WINDOWS \ system32 \ _005133_.tmp.dll
C: \ WINDOWS \ system32 \ _005134_.tmp.dll
C: \ WINDOWS \ system32 \ _005136_.tmp.dll
C: \ WINDOWS \ system32 \ _005137_.tmp.dll
C: \ WINDOWS \ system32 \ _005139_.tmp.dll
C: \ WINDOWS \ system32 \ _005141_.tmp.dll
C: \ WINDOWS \ system32 \ _005142_.tmp.dll
C: \ WINDOWS \ system32 \ _005143_.tmp.dll
C: \ WINDOWS \ system32 \ _005144_.tmp.dll
C: \ WINDOWS \ system32 \ _005147_.tmp.dll
C: \ WINDOWS \ system32 \ _005148_.tmp.dll
C: \ WINDOWS \ system32 \ _005149_.tmp.dll
C: \ WINDOWS \ system32 \ _005150_.tmp.dll
C: \ WINDOWS \ system32 \ _005151_.tmp.dll
C: \ WINDOWS \ system32 \ _005156_.tmp.dll
C: \ WINDOWS \ system32 \ _005158_.tmp.dll
C: \ WINDOWS \ system32 \ Cache
C: \ WINDOWS \ system32 \ Cfx32.lic
C: \ WINDOWS \ system32 \ cfx32.ocx

.
((((((((((((((((((((((((((((((((((((((( Drivers / Services )))))))) )))))))))))))))))))))))))))))))))))))))))
.

------- \ Legacy_NPF

((((((((((((((((((((((((( Files Created fra 2008-09-28 til 2008-10-31 ))))))))))) ))))))))))))))))))))
.

2008-10-31 20:45. 2008-10-31 20:45 <DIR> d -------- C: \ Documents and Settings \ Vip \ Application Data \ SUPERAntiSpyware.com
2008-10-31 20:45. 2008-10-31 20:45 <DIR> d -------- C: \ Documents and Settings \ Vip \ Application Data \ Malwarebytes
2008-10-31 20:33. 2008-10-31 20:33 <DIR> d -------- C: \ Programfiler \ Tudou
2008-10-24 12:04. 2008-10-16 03:34 337.408 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ Netapi32.dll
2008-10-15 20:43. 2008-09-15 23:12 1.846.400 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ Win32k.sys
2008-10-15 20:43. 2008-09-08 21:41 333.824 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ Srv.sys
2008-10-15 20:42. 2008-08-14 21:11 2.189.184 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ ntoskrnl.exe
2008-10-15 20:42. 2008-08-14 21:09 2.145.280 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ ntkrnlmp.exe
2008-10-15 20:42. 2008-08-14 20:33 2.066.048 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ ntkrnlpa.exe
2008-10-15 20:42. 2008-08-14 20:33 2.023.936 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ ntkrpamp.exe
2008-09-18 19:05. 2008-10-31 20:52 <DIR> d -------- C: \ Programfiler \ Avast4

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))) ))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-31 22:38 --------- d ----- w C: \ Program Files \ Warcraft III
2008-10-31 22:30 --------- d ----- w C: \ Documents and Settings \ All Users \ Application Data \ Spybot - Search & Destroy
2008-10-31 09:47 --------- d ----- w C: \ Programfiler \ Malwarebytes' Anti-Malware
2008-10-31 09:32 --------- d --- aw C: \ Documents and Settings \ All Users \ Application Data \ TEMP
2008-10-22 05:10 38.496 ---- aw C: \ WINDOWS \ system32 \ drivers \ mbamswissarmy.sys
2008-10-22 05:10 15.504 ---- aw C: \ WINDOWS \ system32 \ drivers \ mbam.sys
2008-10-09 06:46 --------- d ----- w C: \ Programfiler \ PPStream
2008-10-09 03:31 --------- d ----- w C: \ Programfiler \ SUPERAntiSpyware
2008-10-09 03:28 --------- d ----- w C: \ Programfiler \ Spybot - Search & Destroy
2008-09-18 08:42 --------- d ----- w C: \ Documents and Settings \ Vip \ Application Data \ Ahead
2008-09-08 10:41 333.824 ---- aw C: \ WINDOWS \ system32 \ drivers \ Srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))) ))))))))))))))))))))))))))))))))))))))))
.
.
* Note * empty entries & legit default entries ikke vises
REGEDIT4

[HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ Curre ntVersion \ Run]
"Ctfmon.exe" = "C: \ WINDOWS \ system32 \ Ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entVersion \ Run]
"NeroFilterCheck" = "C: \ WINDOWS \ system32 \ NeroCheck.e XE" [2001-07-09 155648]
"SunJavaUpdateSched" = "C: \ Programfiler \ Java \ jre1.6.0_07 \ bin \ jusched.exe" [2008-06-10 144784]
"ATICCC" = "C: \ Programfiler \ ATI Technologies \ ATI.ACE \ cli.exe" [2006-01-02 45056]

[HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ Cur rentVersion \ Run]
"Ctfmon.exe" = "C: \ WINDOWS \ system32 \ Ctfmon.exe" [2008-04-14 15360]

C: \ Documents and Settings \ Vip \ Start-meny \ Programmer \ Startup
' "Ôîú ÓëÖμôû.lnk - C: \ Programfiler \ Tudou \ ú ÓëTudou \ TudouVa.exe [2008-07-06 3248128]

[HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ curre ntversion \ policies \ system]
"DisableChangePassword" = 1 (0x1)

[HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ curre ntversion \ Policies \ Explorer]
"NoAutoUpdate" = 1 (0x1)
"MaxRecentDocs" = 1 (0x1)

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ curr entversion \ Explorer \ ShellExecuteHooks]
"(56F9679E-7826-4C84-81F3-532071A8BCC5)" = "C: \ Programfiler \ Windows Desktop Search \ MSNLNamespaceMgr.dll" [2006-04-24 282624]
"(5AE067D3-9AFB-48E0-853A-EBB7F4A000DA)" = "C: \ Programfiler \ SUPERAntiSpyware \ SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon]
"UIHost" = "C: \ \ WINDOWS \ \ system32 \ \ logonuiX.exe"

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ Notify \! SASWinLogon]
2008-10-09 14:31 352256 C: \ Programfiler \ SUPERAntiSpyware \ SASWINLO.DLL

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ drivers32]
"VIDC.I420" = i420vfw.dll
"aux" = ctwdm32.dll
"VIDC.HFYU" = huffyuv.dll
"VIDC.X264" = x264vfw.dll
"VIDC.3iv2" = 3ivxVfWCodec.dll
"VIDC.VP31" = vp31vfw.dll
"msacm.l3fhg" = mp3fhg.acm
"msacm.ac3filter" = ac3filter.acm

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ All Users ^ Start Menu ^ Programs ^ Startup ^ Adobe Reader Speed Launch.lnk]
backup = C: \ WINDOWS \ PSS \ Adobe Reader Speed Launch.lnkCommon Startup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ All Users ^ Start Menu ^ Programs ^ Startup ^ Adobe Reader Synchronizer.lnk]
backup = C: \ WINDOWS \ PSS \ Adobe Reader Synchronizer.lnkCommon Startup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ All Users ^ Start Menu ^ Programs ^ Startup ^ WinZip Quick Pick.lnk]
backup = C: \ WINDOWS \ PSS \ WinZip Quick Pick.lnkCommon Startup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ Azureus Turbo Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ Azureus Turbo Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ Azureus Ultra Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ Azureus Ultra Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ BitTorrent Turbo Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ BitTorrent Turbo Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ eMule Turbo Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ eMule Turbo Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ LimeWire På Startup.lnk]
backup = C: \ WINDOWS \ PSS \ LimeWire On Startup.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ LimeWire Turbo Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ LimeWire Turbo Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ PowerReg Scheduler V3.exe]
backup = C: \ WINDOWS \ PSS \ PowerReg Scheduler V3.exeStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ Registrering Tom Clancy's Rainbow Six]
backup = C: \ WINDOWS \ PSS \ Registration Tom Clancy's Rainbow SixStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ SpeedFan.lnk]
backup = C: \ WINDOWS \ PSS \ SpeedFan.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ Thoosje Sidebar.lnk]

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ WordWeb.lnk]
backup = C: \ WINDOWS \ PSS \ WordWeb.lnkStartup
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \! AVG Anti-Spyware
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ BitTorrent
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Boss Key
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ CmCardRun
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ CursorXP
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ EasyTuneVPro
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ iTunesHelper
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ LogonStudio
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ OrderReminder
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ RecordPadRun
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ SpeedOptimizer
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ swg
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Veoh

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Adobe Photo Downloader]
- en ------ 2005-09-09 01:18 57344 C: \ Programfiler \ Adobe \ Photoshop Elements 4.0 \ apdproxy.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ BgMonitor_ (79662E04-7C6C-4d9f-84C7-88D8A56B10AA)]
- en ------ 2006-04-21 18:03 94208 C: \ Programfiler \ Fellesfiler \ Ahead \ Lib \ NMBgMonitor.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ DAEMON Tools]
- en ------ 2005-12-11 01:57 133016 C: \ Programfiler \ DAEMON Tools \ daemon.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ LanguageShortcut]
- en ------ 2006-04-13 12:09 49152 C: \ Program Files \ Cyberlink \ PowerDVD \ Language \ Language.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ QuickTime Task]
- en ------ 2008-03-29 00:37 413696 C: \ Programfiler \ K-Lite Codec Pack \ QuickTime \ QTTask.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ RemoteControl]
- en ------ 2005-12-07 23:57 30208 C: \ Program Files \ Cyberlink \ PowerDVD \ PDVDServ.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ SpybotSD TeaTimer]
-rahs ---- 2008-09-16 12:16 1833296 C: \ Programfiler \ Spybot - Search & Destroy \ TeaTimer.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Steam]
- en ------ 2008-03-29 09:39 1271032 C: \ Ventilverksted \ Steam \ Steam.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Uniblue RegistryBooster 2]
- en ------ 2007-12-05 16:06 1885464 C: \ Programfiler \ Uniblue \ RegistryBooster 2 \ RegistryBooster.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Uniblue SpeedUpMyPC]
- en ------ 2008-01-29 09:46 9442584 C: \ Programfiler \ Uniblue \ SpeedUpMyPC 3 \ SpeedUpMyPC.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ WinampAgent]
- en ------ 2008-04-02 05:49 36352 C: \ Programfiler \ Winamp \ winampa.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ BluetoothAuthenticationA gent]
- en ------ 2008-04-14 06:42 110592 C: \ WINDOWS \ system32 \ bthprops.cpl

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ C-Media Mixer]
- en ------ 2003-03-20 17:21 1855488 C: \ WINDOWS \ mixer.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ tjenester]
"WMPNetworkSvc" = 3 (0x3)
"gusvc" = 3 (0x3)
"RichVideo" = 2 (0x2)
"BthServ" = 2 (0x2)
"iPod Service" = 3 (0x3)
"Apple Mobile Device" = 2 (0x2)
"LiveUpdate Notice Service" = 2 (0x2)
"VideoAcceleratorEngine" = 3 (0x3)
"MDM" = 2 (0x2)
"IDriverT" = 3 (0x3)
"aawservice" = 3 (0x3)
"PDEngine" = 3 (0x3)
"PDAgent" = 3 (0x3)
"Pml Driver HPZ12" = 3 (0x3)
"CPUCooLServer" = 2 (0x2)
"usnjsvc" = 3 (0x3)
"AdobeActiveFileMonitor4.0" = 2 (0x2)
"WLSetupSvc" = 3 (0x3)
"cmdAgent" = 2 (0x2)
"FLEXnet Licensing Service" = 3 (0x3)
"Bonjour Service" = 2 (0x2)
"ose" = 3 (0x3)

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ security center \ Monitoring]
"DisableMonitoring" = dword: 00000001

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ security center \ Monitoring \ SymantecAntiVirus]
"DisableMonitoring" = dword: 00000001

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ security center \ Monitoring \ SymantecFirewall]
"DisableMonitoring" = dword: 00000001

[HKLM \ ~ \ Services \ sharedaccess \ Parameters \ firewallpo licy \ standardprofile \ AuthorizedApplications \ List]
"% windir% \ \ system32 \ \ sessmgr.exe" =
"C: \ \ Program Files \ DAP \ \ DAP.exe" =
"C: \ \ Program Files \ \ Messenger \ \ msmsgs.exe" =
"<NO Navn>" = "C: \ \ Program Files \ \ PPStream \ \ PPStream.exe" "C: \ \ Program Files \ \ PPStream \ \ PPStream.exe
"% windir% \ \ Network Diagnostic \ \ xpnetdiag.exe" =
"C: \ \ Program Files \ \ Windows Live \ \ Messenger \ \ msnmsgr.exe" =
"C: \ \ Program Files \ \ Windows Live \ \ Messenger \ \ livecall.exe" =
"C: \ \ Program Files \ \ UT2004 \ \ System \ \ UT2004.exe" =
"C: \ \ Program Files \ \ DeusEx \ \ System \ \ DeusEx.exe" =
"C: \ \ Program Files \ \ Tudou \ \ ÉËÙTudou \ \ TudouVa.exe" =

[HKLM \ ~ \ Services \ sharedaccess \ Parameters \ firewallpo licy \ standardprofile \ GloballyOpenPorts \ List]
"3389: TCP" = 3389: TCP: *: Disabled: @ xpsp2res.dll, -22,009
"15394: TCP" = 15394: TCP: *: Disabled: BitComet 15394 TCP
"15394: UDP" = 15394: UDP: *: Disabled: BitComet 15394 UDP
"6555: TCP" = 6555: TCP: *: Disabled: BitComet 6555 TCP
"6555: UDP" = 6555: UDP: *: Disabled: BitComet 6555 UDP

R1 aswSP; avast! Self Protection; C: \ WINDOWS \ system32 \ drivers \ aswSP.sys [2008-07-20 78416]
R1 atitray; atitray, C: \ Programfiler \ Ray Adams \ ATI Tray Tools \ atitray.sys [2007-05-22 18088]
R2 aswFsBlk; aswFsBlk; C: \ WINDOWS \ system32 \ drivers \ aswF sBlk.sys [2008-07-20 20560]
R2 ROCKEYNT; ROCKEYNT; C: \ WINDOWS \ system32 \ drivers \ Rock eynt.sys [2005-01-04 18223]
R2 SBKUPNT; SBKUPNT; C: \ WINDOWS \ system32 \ drivers \ SBKUPN T. SYS [2001-07-13 14976]
S3 motccgp; Motorola USB Composite Device Driver; C: \ WINDOWS \ system32 \ drivers \ motccgp.sys [2007-06-18 17920]
S3 motccgpfl; MotCcgpFlService; C: \ WINDOWS \ system32 \ DRI Vers \ motccgpfl.sys [2007-01-22 7680]
S3 MotDev; Motorola Inc. USB Device; C: \ WINDOWS \ system32 \ drivers \ motodrv.sys [2007-05-07 42112]
S3 RTLWUSB; NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver; C: \ WINDOWS \ system32 \ drivers \ wg111v2.sys [2006-03-16 167808]
S3 XDva042; XDva042; C: \ WINDOWS \ system32 \ XDva042.sys []
.
Innholdet i "Scheduled Tasks"-mappen

2008-10-01 C: \ WINDOWS \ Tasks \ AppleSoftwareUpdate.job
- C: \ Programfiler \ Apple Software Update \ SoftwareUpdate.exe [2007-08-29 14:57]

2008-10-27 C: \ WINDOWS \ Tasks \ Uniblue SpeedUpMyPC Nag.job
- C: \ Programfiler \ Uniblue \ SpeedUpMyPC \ SpeedUpMyPC.exe []

2007-05-14 C: \ WINDOWS \ Tasks \ Uniblue SpeedUpMyPC.job
- C: \ Programfiler \ Uniblue \ SpeedUpMyPC \ SpeedUpMyPC.exe []

2008-10-25 C: \ WINDOWS \ Tasks \ Uniblue SpyEraser Nag.job
- C: \ Programfiler \ Uniblue \ SpyEraser \ SpyEraser.exe []
.
- - - - Orphans fjernet - - - --

URLSearchHooks-(0A94B116-4504-4e26-AB05-E61E474AA38B) - (no file)
ShellIconOverlayIdentifiers-hex (2): 7b, 38,41,34,32,44,46,42,46,2 d, 37,38,36,38,2 d, 34,30,32,39,2 d, 39, 35,38, \ - (no file)
ShellExecuteHooks-(E0D8FD38-6F36-4C9F-AE43-EDFA2BB266BA) - (no file)
MSConfigStartUp-COMODO Firewall Pro - C: \ Programfiler \ COMODO \ Firewall \ cfp.exe
MSConfigStartUp-EzPrint - C: \ Program Files \ Lexmark 4300 Series \ ezprint.exe
MSConfigStartUp-FaxCenterServer - C: \ Programfiler \ Lexmark Faks Solutions \ fm3032.exe
MSConfigStartUp-TkBellExe - C: \ Programfiler \ Fellesfiler \ Real \ Update_OB \ realsched.exe
MSConfigStartUp-Uniblue SpyEraser - C: \ Programfiler \ Uniblue \ SpyEraser \ SpyEraser.exe

.
------- Tilleggsavtale Scan -------
.
FireFox -: Profile - C: \ Documents and Settings \ Vip \ Application Data \ Mozilla \ Firefox \ Profiles \ 19piaa5b.default \
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp: / / hk.yahoo.com /
.
.
------- File Associations -------
.
txtfile = C: \ WINDOWS \ Notepad.exe% 1
.

************************************************** ************************

CatchMe 0.3.1367 W2K/XP/Vista - rootkit / skjulemodus malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-01 09:42:02
Windows 5.1.2600 Service Pack 3 NTFS

skanning skjulte prosesser ...

scanning hidden autostart entries ...

skanning skjulte filer ...

skanning er fullført
skjulte filer: 0

************************************************** ************************
.
------------------------ Other Running Prosesser ----------------------- --
.
C: \ WINDOWS \ system32 \ ati2evxx.exe
C: \ Programfiler \ Avast4 \ aswUpdSv.exe
C: \ Programfiler \ Avast4 \ ashServ.exe
C: \ WINDOWS \ system32 \ ati2evxx.exe
C: \ Programfiler \ Fellesfiler \ EPSON \ EBAPI \ SAgent2.exe
C: \ WINDOWS \ system32 \ searchindexer.exe
C: \ Programfiler \ Avast4 \ ashMaiSv.exe
C: \ Programfiler \ Avast4 \ ashWebSv.exe
C: \ WINDOWS \ system32 \ imapi.exe
.
************************************************** ************************
.
Fullføringstidspunkt: 2008-11-01 9:47:03 - machine was omstartet
ComboFix-karantene-files.txt 2008-10-31 22:46:53

Pre-Run: 17476198400 bytes gratis
Post-Run: 17429176320 bytes gratis

WindowsXP-KB310994-SP2-Pro-bootdisk-ENU.exe
[boot loader]
timeout = 2
default = multi (0) disk (0) rdisk (0) partition (1) \ WINDOW S
[operating systems]
C: \ Cmdcons \ BOOTSECT.DAT = "Microsoft Windows Recovery Console" / cmdcons
multi (0) disk (0) rdisk (0) partition (1) \ WINDOWS = "Micro myk Windows XP Professional" / noexecute = OptIn / fastdetect

335 --- EOF --- 2008-10-24 09:01:23
__________________________________________________ _________________________________________________

EDIT: Jeg var klikke rundt og fant et ikon som så ut som avinstallere. Jeg klikket og det begynte å avinstallere (eller i det minste håper jeg det var) fordi det var i rare symboler.

**Coolyxxx** · #5 31st 2008 okt 18:39

SuperAntiSpyware logg. Jeg måtte gjøre rask skanning, fordi det vil alltid komme opp med en feilmelding når jeg gjorde full scan.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/01/2008 at 11:45

Application Version: 4.21.1004

Core Rules Database Version: 3618
Trace Rules Database Version: 1603

Scan type: Quick Scan
Total Scan Time: 00:35:28

Minne eks skannet: 490
Minne trusler oppdages: 0
Registerelementene skannet: 436
Registerverdi trusler oppdages: 0
Fil eks skannet: 33788
Fil trusler oppdages: 2

Trojan.Vundo-Variant / F
C: \ WINDOWS \ system32 \ AZIPCONTMN.DLL
C: \ WINDOWS \ system32 \ SYSFOLDERAZIPCNT.DLL

**Glaswegian** · #6 1ste Nov 2008, 10:16

Hei igjen

Ikke klikk på noe eller kjøre flere skanninger med mindre jeg råder deg til det. Det bare gjør ting forvirrende for meg - jeg ser en oppføring i en logg, men det er borte fra den neste og så videre - takk.

Jeg mistenker at dette er problemet

C: \ Programfiler \ Tudou

hvis din mor er en fan av den kinesiske versjonen av YouTube.

Jeg ønsker å ta en titt på de to filer funnet av SAS.

Vennligst gå til: VirusTotal

I midten av siden finner du en "Browse"-Knappen.

Klikk på "Browse"-knappen og gå til denne filen i RED:

C: \ WINDOWS \ system32 \ AZIPCONTMN.DLL

Klikk "Åpen".
Klikk "Send fil"-Knappen nederst på VirusTotal siden.
Dette vil skanne filen. Vær tålmodig.
Når skannes, kopiere og lime inn resultatet i din neste svaret.

Gjenta det over for denne filen også.

C: \ WINDOWS \ system32 \ SYSFOLDERAZIPCNT.DLL

Combofix

Lukk alle åpne nettlesere.
Åpen notisblokk og kopiere / lime inn tekst i boksen nedenfor i den:

Code:

  Folder::
  C: \ Programfiler \ Tudou

Ser på bildet nedenfor som eksempel

Lagre dette som CFScript.txt, På samme sted som ComboFix.exe

Henvise til bildet over, flytter CFScript onto ComboFix.exe.

Når du er ferdig, vil den produsere en logg for deg "C: \ ComboFix.txt"

Ikke mouseclick combofix's vinduet mens det kjører. Dette kan føre til stall.

FORSIKTIG! Alle andre som tenker på å bruke over script gjør det på eget ansvar - du kan ende opp med å måtte re-installere Windows!

Vennligst post loggen C: \ ComboFix.txt Den VirusTotal resultater og en fersk HijackThis Logg for videre vurdering.

**Coolyxxx** · #7 1ste Nov 2008, 16:53

Det stemmer mamma ser noen kinesisk videoene ... Jeg kunne ikke finne filer når du surfer på VirusTotal. Jeg gikk på dem i explorer, og fant ikke begge. Har loggene:
ComboFix:

ComboFix 08-11-01.01 - Vip 2008-11-02 10:36:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.865 [GMT 11:00]
Running from: C: \ Documents and Settings \ Vip \ Skrivebord \ ComboFix.exe
Command brytere brukes:: C: \ Documents and Settings \ Vip \ Skrivebord \ CFScript.txt
* Opprettet et nytt gjenopprettingspunkt
.

((((((((((((((((((((((((((((((((((((((( Other slettingene ))))))))) ))))))))))))))))))))))))))))))))))))))))
.

C: \ Programfiler \ Tudou

.
((((((((((((((((((((((((( Files Created fra 2008-10-01 til 2008-11-01 ))))))))))) ))))))))))))))))))))
.

2008-11-01 09:55. 2008-11-01 09:55 <DIR> d -------- C: \ Documents and Settings \ Vip \ Application Data \ Uniblue
2008-10-31 20:45. 2008-10-31 20:45 <DIR> d -------- C: \ Documents and Settings \ Vip \ Application Data \ SUPERAntiSpyware.com
2008-10-31 20:45. 2008-10-31 20:45 <DIR> d -------- C: \ Documents and Settings \ Vip \ Application Data \ Malwarebytes
2008-10-24 12:04. 2008-10-16 03:34 337.408 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ Netapi32.dll
2008-10-15 20:43. 2008-09-15 23:12 1.846.400 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ Win32k.sys
2008-10-15 20:43. 2008-09-08 21:41 333.824 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ Srv.sys
2008-10-15 20:42. 2008-08-14 21:11 2.189.184 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ ntoskrnl.exe
2008-10-15 20:42. 2008-08-14 21:09 2.145.280 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ ntkrnlmp.exe
2008-10-15 20:42. 2008-08-14 20:33 2.066.048 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ ntkrnlpa.exe
2008-10-15 20:42. 2008-08-14 20:33 2.023.936 ----- c --- C: \ WINDOWS \ system32 \ dllcache \ ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))) ))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-31 22:38 --------- d ----- w C: \ Program Files \ Warcraft III
2008-10-31 22:30 --------- d ----- w C: \ Documents and Settings \ All Users \ Application Data \ Spybot - Search & Destroy
2008-10-31 09:52 --------- d ----- w C: \ Programfiler \ Avast4
2008-10-31 09:47 --------- d ----- w C: \ Programfiler \ Malwarebytes' Anti-Malware
2008-10-31 09:32 --------- d --- aw C: \ Documents and Settings \ All Users \ Application Data \ TEMP
2008-10-22 05:10 38.496 ---- aw C: \ WINDOWS \ system32 \ drivers \ mbamswissarmy.sys
2008-10-22 05:10 15.504 ---- aw C: \ WINDOWS \ system32 \ drivers \ mbam.sys
2008-10-09 06:46 --------- d ----- w C: \ Programfiler \ PPStream
2008-10-09 03:31 --------- d ----- w C: \ Programfiler \ SUPERAntiSpyware
2008-10-09 03:28 --------- d ----- w C: \ Programfiler \ Spybot - Search & Destroy
2008-09-18 08:42 --------- d ----- w C: \ Documents and Settings \ Vip \ Application Data \ Ahead
2008-09-15 12:12 1.846.400 ---- aw C: \ WINDOWS \ system32 \ Win32k.sys
2008-09-08 10:41 333.824 ---- aw C: \ WINDOWS \ system32 \ drivers \ Srv.sys
2008-08-28 07:46 74.752 ---- aw C: \ WINDOWS \ system32 \ msw3prt.dll
2008-08-28 07:46 104.960 ---- aw C: \ WINDOWS \ system32 \ win32spl.dll
2008-08-26 07:24 826.368 ---- aw C: \ WINDOWS \ system32 \ Wininet.dll
2008-08-14 10:11 2.189.184 ---- aw C: \ WINDOWS \ system32 \ ntoskrnl.exe
2008-08-14 09:33 2.066.048 ---- aw C: \ WINDOWS \ system32 \ ntkrnlpa.exe
2008-07-29 12:05 32.768 - SHA-w C: \ WINDOWS \ system32 \ config \ systemprofile \ Lokale innstillinger \ Logg \ History.IE5 \ MSHist012008072920080 730 \ index.dat
.

((((((((((((((((((((((((((((( Snapshot @ 2008-11-01_ 9.46.14.14 ))))))))))) ))))))))))))))))))))))))))))))
.
- 2008-10-31 22:41:26 16.384 ---- atw C: \ WINDOWS \ Temp \ Perflib_Perfdata_570.dat
+ 2008-11-01 23:26:02 16.384 ---- atw C: \ WINDOWS \ Temp \ Perflib_Perfdata_570.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))) ))))))))))))))))))))))))))))))))))))))))
.
.
* Note * empty entries & legit default entries ikke vises
REGEDIT4

[HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ Curre ntVersion \ Run]
"Ctfmon.exe" = "C: \ WINDOWS \ system32 \ Ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ Curr entVersion \ Run]
"NeroFilterCheck" = "C: \ WINDOWS \ system32 \ NeroCheck.e XE" [2001-07-09 155648]
"SunJavaUpdateSched" = "C: \ Programfiler \ Java \ jre1.6.0_07 \ bin \ jusched.exe" [2008-06-10 144784]
"ATICCC" = "C: \ Programfiler \ ATI Technologies \ ATI.ACE \ cli.exe" [2006-01-02 45056]
"avast" = "C: \ Programfiler \ Avast4 \ ashDisp.exe" [2008-07-20 78008]

[HKEY_USERS \. DEFAULT \ Software \ Microsoft \ Windows \ Cur rentVersion \ Run]
"Ctfmon.exe" = "C: \ WINDOWS \ system32 \ Ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ curre ntversion \ policies \ system]
"DisableChangePassword" = 1 (0x1)

[HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ curre ntversion \ Policies \ Explorer]
"NoAutoUpdate" = 1 (0x1)
"MaxRecentDocs" = 1 (0x1)

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ curr entversion \ Explorer \ ShellExecuteHooks]
"(56F9679E-7826-4C84-81F3-532071A8BCC5)" = "C: \ Programfiler \ Windows Desktop Search \ MSNLNamespaceMgr.dll" [2006-04-24 282624]
"(5AE067D3-9AFB-48E0-853A-EBB7F4A000DA)" = "C: \ Programfiler \ SUPERAntiSpyware \ SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon]
"UIHost" = "C: \ \ WINDOWS \ \ system32 \ \ logonuiX.exe"

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ Notify \! SASWinLogon]
2008-10-09 14:31 352256 C: \ Programfiler \ SUPERAntiSpyware \ SASWINLO.DLL

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ drivers32]
"VIDC.I420" = i420vfw.dll
"aux" = ctwdm32.dll
"VIDC.HFYU" = huffyuv.dll
"VIDC.X264" = x264vfw.dll
"VIDC.3iv2" = 3ivxVfWCodec.dll
"VIDC.VP31" = vp31vfw.dll
"msacm.l3fhg" = mp3fhg.acm
"msacm.ac3filter" = ac3filter.acm

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ All Users ^ Start Menu ^ Programs ^ Startup ^ Adobe Reader Speed Launch.lnk]
backup = C: \ WINDOWS \ PSS \ Adobe Reader Speed Launch.lnkCommon Startup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ All Users ^ Start Menu ^ Programs ^ Startup ^ Adobe Reader Synchronizer.lnk]
backup = C: \ WINDOWS \ PSS \ Adobe Reader Synchronizer.lnkCommon Startup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ All Users ^ Start Menu ^ Programs ^ Startup ^ WinZip Quick Pick.lnk]
backup = C: \ WINDOWS \ PSS \ WinZip Quick Pick.lnkCommon Startup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ Azureus Turbo Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ Azureus Turbo Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ Azureus Ultra Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ Azureus Ultra Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ BitTorrent Turbo Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ BitTorrent Turbo Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ eMule Turbo Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ eMule Turbo Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ LimeWire På Startup.lnk]
backup = C: \ WINDOWS \ PSS \ LimeWire On Startup.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ LimeWire Turbo Accelerator.lnk]
backup = C: \ WINDOWS \ PSS \ LimeWire Turbo Accelerator.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ PowerReg Scheduler V3.exe]
backup = C: \ WINDOWS \ PSS \ PowerReg Scheduler V3.exeStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ Registrering Tom Clancy's Rainbow Six]
backup = C: \ WINDOWS \ PSS \ Registration Tom Clancy's Rainbow SixStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ SpeedFan.lnk]
backup = C: \ WINDOWS \ PSS \ SpeedFan.lnkStartup

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ Thoosje Sidebar.lnk]

[HKLM \ ~ \ startupfolder \ C: ^ Documents and Settings ^ Kevin ^ Start Menu ^ Programs ^ Startup ^ WordWeb.lnk]
backup = C: \ WINDOWS \ PSS \ WordWeb.lnkStartup
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \! AVG Anti-Spyware
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ BitTorrent
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Boss Key
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ CmCardRun
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ CursorXP
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ EasyTuneVPro
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ iTunesHelper
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ LogonStudio
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ OrderReminder
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ RecordPadRun
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ SpeedOptimizer
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ swg
HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Veoh

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Adobe Photo Downloader]
- en ------ 2005-09-09 01:18 57344 C: \ Programfiler \ Adobe \ Photoshop Elements 4.0 \ apdproxy.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ BgMonitor_ (79662E04-7C6C-4d9f-84C7-88D8A56B10AA)]
- en ------ 2006-04-21 18:03 94208 C: \ Programfiler \ Fellesfiler \ Ahead \ Lib \ NMBgMonitor.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ DAEMON Tools]
- en ------ 2005-12-11 01:57 133016 C: \ Programfiler \ DAEMON Tools \ daemon.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ LanguageShortcut]
- en ------ 2006-04-13 12:09 49152 C: \ Program Files \ Cyberlink \ PowerDVD \ Language \ Language.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ QuickTime Task]
- en ------ 2008-03-29 00:37 413696 C: \ Programfiler \ K-Lite Codec Pack \ QuickTime \ QTTask.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ RemoteControl]
- en ------ 2005-12-07 23:57 30208 C: \ Program Files \ Cyberlink \ PowerDVD \ PDVDServ.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ SpybotSD TeaTimer]
-rahs ---- 2008-09-16 12:16 1833296 C: \ Programfiler \ Spybot - Search & Destroy \ TeaTimer.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Steam]
- en ------ 2008-03-29 09:39 1271032 C: \ Ventilverksted \ Steam \ Steam.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Uniblue RegistryBooster 2]
- en ------ 2007-12-05 16:06 1885464 C: \ Programfiler \ Uniblue \ RegistryBooster 2 \ RegistryBooster.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ Uniblue SpeedUpMyPC]
- en ------ 2008-01-29 09:46 9442584 C: \ Programfiler \ Uniblue \ SpeedUpMyPC 3 \ SpeedUpMyPC.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ WinampAgent]
- en ------ 2008-04-02 05:49 36352 C: \ Programfiler \ Winamp \ winampa.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ BluetoothAuthenticationA gent]
- en ------ 2008-04-14 06:42 110592 C: \ WINDOWS \ system32 \ bthprops.cpl

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ startupreg \ C-Media Mixer]
- en ------ 2003-03-20 17:21 1855488 C: \ WINDOWS \ mixer.exe

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Shared Tools \ msconfig \ tjenester]
"WMPNetworkSvc" = 3 (0x3)
"gusvc" = 3 (0x3)
"RichVideo" = 2 (0x2)
"BthServ" = 2 (0x2)
"iPod Service" = 3 (0x3)
"Apple Mobile Device" = 2 (0x2)
"LiveUpdate Notice Service" = 2 (0x2)
"VideoAcceleratorEngine" = 3 (0x3)
"MDM" = 2 (0x2)
"IDriverT" = 3 (0x3)
"aawservice" = 3 (0x3)
"PDEngine" = 3 (0x3)
"PDAgent" = 3 (0x3)
"Pml Driver HPZ12" = 3 (0x3)
"CPUCooLServer" = 2 (0x2)
"usnjsvc" = 3 (0x3)
"AdobeActiveFileMonitor4.0" = 2 (0x2)
"WLSetupSvc" = 3 (0x3)
"cmdAgent" = 2 (0x2)
"FLEXnet Licensing Service" = 3 (0x3)
"Bonjour Service" = 2 (0x2)
"ose" = 3 (0x3)

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ security center \ Monitoring]
"DisableMonitoring" = dword: 00000001

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ security center \ Monitoring \ SymantecAntiVirus]
"DisableMonitoring" = dword: 00000001

[HKEY_LOCAL_MACHINE \ Software \ Microsoft \ security center \ Monitoring \ SymantecFirewall]
"DisableMonitoring" = dword: 00000001

[HKLM \ ~ \ Services \ sharedaccess \ Parameters \ firewallpo licy \ standardprofile \ AuthorizedApplications \ List]
"% windir% \ \ system32 \ \ sessmgr.exe" =
"C: \ \ Program Files \ DAP \ \ DAP.exe" =
"C: \ \ Program Files \ \ Messenger \ \ msmsgs.exe" =
"<NO Navn>" = "C: \ \ Program Files \ \ PPStream \ \ PPStream.exe" "C: \ \ Program Files \ \ PPStream \ \ PPStream.exe
"% windir% \ \ Network Diagnostic \ \ xpnetdiag.exe" =
"C: \ \ Program Files \ \ Windows Live \ \ Messenger \ \ msnmsgr.exe" =
"C: \ \ Program Files \ \ Windows Live \ \ Messenger \ \ livecall.exe" =
"C: \ \ Program Files \ \ UT2004 \ \ System \ \ UT2004.exe" =
"C: \ \ Program Files \ \ DeusEx \ \ System \ \ DeusEx.exe" =

[HKLM \ ~ \ Services \ sharedaccess \ Parameters \ firewallpo licy \ standardprofile \ GloballyOpenPorts \ List]
"3389: TCP" = 3389: TCP: *: Disabled: @ xpsp2res.dll, -22,009
"15394: TCP" = 15394: TCP: *: Disabled: BitComet 15394 TCP
"15394: UDP" = 15394: UDP: *: Disabled: BitComet 15394 UDP
"6555: TCP" = 6555: TCP: *: Disabled: BitComet 6555 TCP
"6555: UDP" = 6555: UDP: *: Disabled: BitComet 6555 UDP

R1 aswSP; avast! Self Protection; C: \ WINDOWS \ system32 \ drivers \ aswSP.sys [2008-07-20 78416]
R1 atitray; atitray, C: \ Programfiler \ Ray Adams \ ATI Tray Tools \ atitray.sys [2007-05-22 18088]
R2 aswFsBlk; aswFsBlk; C: \ WINDOWS \ system32 \ drivers \ aswF sBlk.sys [2008-07-20 20560]
R2 ROCKEYNT; ROCKEYNT; C: \ WINDOWS \ system32 \ drivers \ Rock eynt.sys [2005-01-04 18223]
R2 SBKUPNT; SBKUPNT; C: \ WINDOWS \ system32 \ drivers \ SBKUPN T. SYS [2001-07-13 14976]
S3 motccgp; Motorola USB Composite Device Driver; C: \ WINDOWS \ system32 \ drivers \ motccgp.sys [2007-06-18 17920]
S3 motccgpfl; MotCcgpFlService; C: \ WINDOWS \ system32 \ DRI Vers \ motccgpfl.sys [2007-01-22 7680]
S3 MotDev; Motorola Inc. USB Device; C: \ WINDOWS \ system32 \ drivers \ motodrv.sys [2007-05-07 42112]
S3 RTLWUSB; NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver; C: \ WINDOWS \ system32 \ drivers \ wg111v2.sys [2006-03-16 167808]
S3 XDva042; XDva042; C: \ WINDOWS \ system32 \ XDva042.sys []
.
Innholdet i "Scheduled Tasks"-mappen

2008-10-01 C: \ WINDOWS \ Tasks \ AppleSoftwareUpdate.job
- C: \ Programfiler \ Apple Software Update \ SoftwareUpdate.exe [2007-08-29 14:57]

2008-10-27 C: \ WINDOWS \ Tasks \ Uniblue SpeedUpMyPC Nag.job
- C: \ Programfiler \ Uniblue \ SpeedUpMyPC \ SpeedUpMyPC.exe []

2007-05-14 C: \ WINDOWS \ Tasks \ Uniblue SpeedUpMyPC.job
- C: \ Programfiler \ Uniblue \ SpeedUpMyPC \ SpeedUpMyPC.exe []

2008-10-25 C: \ WINDOWS \ Tasks \ Uniblue SpyEraser Nag.job
- C: \ Programfiler \ Uniblue \ SpyEraser \ SpyEraser.exe []
.

************************************************** ************************

CatchMe 0.3.1367 W2K/XP/Vista - rootkit / skjulemodus malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-02 10:39:31
Windows 5.1.2600 Service Pack 3 NTFS

skanning skjulte prosesser ...

scanning hidden autostart entries ...

skanning skjulte filer ...

skanning er fullført
skjulte filer: 0

************************************************** ************************
.
Fullføringstidspunkt: 2008-11-02 10:41:44
ComboFix-karantene-files.txt 2008-11-01 23:41:32
ComboFix2.txt 2008-10-31 22:47:05

Pre-Run: 17222828032 bytes gratis
Post-Run: 17200967680 bytes gratis

233 --- EOF --- 2008-10-24 09:01:23
__________________________________________________ _________________________

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan lagret 10:50:19, på 2/11/2008
Plattform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Kjører prosesser:
C: \ WINDOWS \ System32 \ smss.exe
C: \ WINDOWS \ system32 \ Winlogon.exe
C: \ WINDOWS \ system32 \ Services.exe
C: \ WINDOWS \ system32 \ Lsass.exe
C: \ WINDOWS \ system32 \ Ati2evxx.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ Programfiler \ Avast4 \ aswUpdSv.exe
C: \ Programfiler \ Avast4 \ ashServ.exe
C: \ WINDOWS \ system32 \ Spoolsv.exe
C: \ Programfiler \ Fellesfiler \ EPSON \ EBAPI \ SAgent2.exe
C: \ WINDOWS \ system32 \ Svchost.exe
C: \ WINDOWS \ system32 \ SearchIndexer.exe
C: \ Programfiler \ Avast4 \ ashMaiSv.exe
C: \ Programfiler \ Avast4 \ ashWebSv.exe
C: \ WINDOWS \ system32 \ Ati2evxx.exe
C: \ WINDOWS \ system32 \ Ctfmon.exe
C: \ Programfiler \ Java \ jre1.6.0_07 \ bin \ jusched.exe
C: \ Programfiler \ ATI Technologies \ ATI.ACE \ cli.exe
C: \ Programfiler \ Avast4 \ ashDisp.exe
C: \ Programfiler \ ATI Technologies \ ATI.ACE \ cli.exe
C: \ Programfiler \ ATI Technologies \ ATI.ACE \ cli.exe
C: \ WINDOWS \ explorer.exe
C: \ Programfiler \ Spybot - Search & Destroy \ TeaTimer.exe
C: \ Documents and Settings \ Vip \ Skrivebord \ HiJackThis.exe

R0 - HKCU \ Software \ Microsoft \ Internet Explorer \ Main, Start Page = http://www.yahoo.com.hk/
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM \ Software \ Microsoft \ Internet Explorer \ Main, Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Int ernet Settings, ProxyOverride = lokale
O2 - BHO: Adobe PDF Reader Link Helper - (06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) - C: \ Programfiler \ Fellesfiler \ Adobe \ Acrobat \ ActiveX \ AcroIEHelper.dll
O2 - BHO: RealPlayer Download og Record Plugin for Internet Explorer - (3049C3E9-B461-4BC5-8870-4C09146192CA) - C: \ Programfiler \ Real \ RealPlayer \ rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S & D IE Protection - (53707962-6F74-2D53-2644-206D7942484F) - C: \ progra ~ 1 \ Spybot ~ 1 \ SDHelper.dll
O2 - BHO: SSVHelper Class - (761497BB-D6F0-462C-B6EB-D4DAF1D92D43) - C: \ Programfiler \ Java \ jre1.6.0_07 \ bin \ ssv.dll
O2 - BHO: (no name) - (7E853D72-626A-48EC-A868-BA8D5E23E045) - (no file)
O2 - BHO: Windows Live Sign-in Helper - (9030D464-4C02-4ABF-8ECC-5164760863C6) - C: \ Programfiler \ Fellesfiler \ Microsoft Shared \ Windows Live \ WindowsLiveLogin.dll
O4 - HKLM \ .. \ Run: [NeroFilterCheck] C: \ WINDOWS \ system32 \ NeroCheck.exe
O4 - HKLM \ .. \ Run: [SunJavaUpdateSched] "C: \ Programfiler \ Java \ jre1.6.0_07 \ bin \ jusched.exe"
O4 - HKLM \ .. \ Run: [ATICCC] "C: \ Programfiler \ ATI Technologies \ ATI.ACE \ cli.exe" runtime-Delay
O4 - HKLM \ .. \ Run: [avast] C: \ Programfiler \ Avast4 \ ashDisp.exe
O4 - HKCU \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe
O4 - HKUS \ S-1-5-19 \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS \ S-1-5-20 \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS \ S-1-5-18 \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe (User 'SYSTEM')
O4 - HKUS \. DEFAULT \ .. \ Run: [Ctfmon.exe] C: \ WINDOWS \ system32 \ Ctfmon.exe (User 'Default user')
O8 - Extra sammenheng menyelement: & Clean spor - C: \ Program Files \ DAP \ Privacy Package \ dapcleanerie.htm
O8 - Extra sammenheng menyelement: & Download med & DAP - C: \ Program Files \ DAP \ dapextie.htm
O8 - Extra sammenheng menyelement: Download & alle med DAP - C: \ Program Files \ DAP \ dapextie2.htm
O8 - Extra sammenheng menyelement: E & ksporter til Microsoft Excel - res: / / c: \ progra ~ 1 \ micros ~ 2 \ Office11 \ EXCEL.EXE/3000
O9 - Extra knappen: (no name) - (08B0E5C0-4FCB-11CF-AAA5-00401C608501) - C: \ Programfiler \ Java \ jre1.6.0_07 \ bin \ ssv.dll
O9 - Extra "Verktøy" MENUITEM: Sun Java Console - (08B0E5C0-4FCB-11CF-AAA5-00401C608501) - C: \ Programfiler \ Java \ jre1.6.0_07 \ bin \ ssv.dll
O9 - Extra knappen: Research - (92780B25-18CC-41C8-B9BE-3C9C571A8263) - C: \ progra ~ 1 \ micros ~ 2 \ Office11 \ REFIEBAR.DLL
O9 - Extra knappen: qq - (c95fe080-8f5d-11d2-a20b-00aa003c157b) - C: \ WINDOWS \ system32 \ shdocvw.dll
O9 - Extra "Verktøy" MENUITEM:? Qq - (c95fe080-8f5d-11d2-a20b-00aa003c157b) - C: \ WINDOWS \ system32 \ shdocvw.dll
O9 - Extra knappen: (no name) - (DFB852A3-47F8-48C4-a200-58CAB36FD2A2) - C: \ progra ~ 1 \ Spybot ~ 1 \ SDHelper.dll
O9 - Extra "Verktøy" MENUITEM: Spybot - Search & Destroy Configuration - (DFB852A3-47F8-48C4-a200-58CAB36FD2A2) - C: \ progra ~ 1 \ Spybot ~ 1 \ SDHelper.dll
O9 - Extra knappen: Messenger - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C: \ Programfiler \ Messenger \ msmsgs.exe
O9 - Extra "Verktøy" MENUITEM: Windows Messenger - (FB5F1910-F110-11d2-BB9E-00C04F795683) - C: \ Programfiler \ Messenger \ msmsgs.exe
O16 - DPF: (17492023-C23A-453E-A040-C7C580BBF700) (Windows Genuine Advantage Validation Tool) -- http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: (4F1E5B1A-2A80-42CA-8532-2D05CB959537) -- http://by107fd.bay107.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: (5D6F45B3-9043-443D-A792-115447494D24) -- http://messenger.zone.msn.com/EN-AU/.../GAME_UNO1.cab
O16 - DPF: (6E32070A-766D-4EE6-879C-DC1FA91D2FC3) (MUWebControl klasse) -- http://update.microsoft.com/microsof...?1133040258574
O16 - DPF: (8E0D4DE5-3180-4024-a327-4DFAD1796A8D) -- http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: (C3F79A2B-B9B4-4A66-B012-3EE46475B072) -- http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: (D27CDB6E-AE6D-11CF-96B8-444553540000) (Shockwave Flash Object) -- http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify:! SASWinLogon - C: \ Programfiler \ SUPERAntiSpyware \ SASWINLO.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C: \ Programfiler \ Lavasoft \ Ad-Aware 2007 \ aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C: \ Programfiler \ Avast4 \ aswUpdSv.exe
O23 - Service: ATI Hurtigtast Poller - ATI Technologies Inc. - C: \ WINDOWS \ system32 \ Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C: \ WINDOWS \ system32 \ ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C: \ Programfiler \ Avast4 \ ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C: \ Programfiler \ Avast4 \ ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C: \ Programfiler \ Avast4 \ ashWebSv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C: \ Programfiler \ Fellesfiler \ EPSON \ EBAPI \ SAgent2.exe

--
End of file - 6734 bytes

**Glaswegian** · #8 2nd 2008 nov 05:29

Hei

De to filene ble ikke funnet av combofix, så jeg gjorde egentlig ikke forvente seg å være der.

Hvordan er systemet kjører nå?

La oss kjøre en online scan.

Utføre en online scan med Panda ActiveScan

Klikk på Scan PCen nå
En "pop up"-vindu vises, eller en ny fane åpnes.
Klikk på Registrer
Velg det du liker best, men vi anbefaler Gratis registering.
Klikk på Registrer
Oppgi din e-postadresse, og lage et passord.
Velg "Jeg ønsker ikke å motta noen form for informasjon. "(Med mindre du ønsker å motta slik informasjon)
Klikk på Sende
Bekreft registreringen, og fortsette med å oppgi brukernavn og passord, klikk deretter på Angi
Velg Full Scan, klikk på Scan Now
Vent på de komponenter som skal lastes inn og installert. Ikke lukk dette vinduet, eller gå til en annen side mens det nedlasting. Du kan fortsette å bruke Internett ved å åpne et nytt vindu i nettleseren din.
Hvis den finner malware kan desinfisere den desinfiserer knappen blir aktivert. Klikk på Desinfisere
Vær ignorere tilbud om å kjøpe programmet. Klikk på Eksporter til
Eksportere loggen og lagre den på skrivebordet.
Vær så snill fest innholdet i denne loggen til ditt svar, sammen med en ny HijackThis logg.

* Slå av sanntid scanner av et eksisterende antivirusprogram mens utføre online scan.

**Coolyxxx** · #9 3dje Nov 2008, 03:07

Sitat:

Originally Posted by Glaswegian

Vær så snill fest innholdet i denne loggen til ditt svar, sammen med en ny HijackThis logg.

Vel, du sa fester, i rødt, så jeg trodde jeg ville feste. Ikke sikker på hva forskjellen er mellom fester og kopiere / lime, med unntak for en lengre innlegg ... The Panda Active Scan funnet noen ting, men jeg bare kunne desinfisere en, ormen en grunn for det andre, det sa jeg måtte kjøpe den.

**Glaswegian** · #10 5te Nov 2008, 07:45

Hei igjen

Unnskyldninger for ikke å komme tilbake til deg før - virkeligheten er ganske opptatt for øyeblikket.

Hvordan er systemet kjører nå?

Det eneste elementet PowerRegScheduler - du kan fjerne det hvis du ønsker det.

Lignende Tråder
Tråd	Tråd startet	Forum	Svar	Siste innlegg
Nedlastede pdf filer undeletable	dhonwenz	General Software Chat	0	2 juni 2009 17:23
49 Mest Nedlastede Wordpress Themes Of All Time!	KanoakaVirus	Web Design, hosting & SEO	1	1 mars 2009 12:04
Dum sønn ned en skadelig programe, kan hvem som helst kan du hjelpe?	john101	Virus, spionprogrammer og sikkerhet	28	29 oktober 2008 18:55
Lastet ned en DVD, ikke i vanlig format, ikke sikker på hvilket program	gladrock	Multimedia & Kodeker	1	2 januar 2008 11:52
Hva er det beste albumet du har kjøpt / lastet ned nylig?	Hybr! D	Av Emne Diskusjon	13	29 oktober 2007 18:07