
I use an antivirus program called Avast, but I don't quite understand how it works.

 

I got a virus on my computer after I was stupid enough to accept one of those zip files yesterday from a guy who had a virus on his computer, but I didn't know that until it was too late. So now MSN keeps clicking all the time and spamming everyone on my contact list with these zip files with the virus, and the whole screen starts flashing. I think I'm going to go crazy, I have no idea what to do?


AVG antivirus = free.grisoft.com

Adaware = www.lavasoft.com

Spybot = www.spybotsd.net

 

Download these programs, unplug the network cable from the PC, or turn off the modem or similar so that you have no internet access. Remove Avast as mentioned above and restart the PC. Install AVG antivirus, Spybot and Adaware. Close MSN completely: right-click the icon at the bottom in the system tray and choose Close. Connect to the internet and update all three programs; AVG will try to update itself, but for Spybot and Adaware you have to click Update now. Let all three programs scan through the PC, preferably starting with AVG. There is a good chance that one of the three will detect and remove the virus. Spybot and Adaware are technically not antivirus programs but anti-adware and anti-spyware programs, but they catch a bit more as well, and it depends on what the "virus" you have got really is.

 

If this doesn't help, write a bit more info here about what is happening. What is the name of the file that is trying to be sent? How big is the file? etc. etc.

 

Alternatively, you can download the trial version of NOD32, which in my eyes is the best antivirus program available today. www.nod32.com. Download it. Disconnect from the net, uninstall the antivirus program you have installed (AVG or Avast) and then install NOD32. Connect to the net again, update, and let NOD32 scan through the PC. Note that NOD32 is not a free antivirus, but you get a full 30-day trial. It works fine for removing some crap, and then you can uninstall it and put AVG back on. Or buy a NOD32 licence. I have bought a long-term licence for NOD32 myself and am very happy with it. :)


This is what is described here; it seems it is hard to get rid of?

 

LINK

 

It almost seems like there is a file it can't find or something, and I keep getting lots of these "a Trojan horse has been found!" messages, but I have now run the virus scan several times, so it should go away soon..

Edited by _jensen_
Download HijackThis. Put it in its own folder on the desktop.

Start the program, choose "Do a system scan and save a logfile". Copy the log file and post it.

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 16:12:00, on 04.07.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\WinPop\winpop.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Skype\Plugin Manager\SkypePM.exe

C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\DOCUME~1\Admin\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis_v2(2).zip\HiJackThis_v2.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1044

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [RegSweep] "C:\Program Files\RegSweep\RegSweep.exe" -boot

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe

O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\2u6dap5q.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles/2u6dap5q.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"

O4 - HKUS\S-1-5-19\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide2] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,L,,4,N (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll

O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.tvlution.com/KooPlayer.ocx

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O21 - SSODL: system32 - {159AE0F4-E771-4036-B97C-9BAA5E439756} - sysprinters.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

 

--

End of file - 6774 bytes

Hi,

Could you download this version of HJT and post the log from it: HJT v. 1.99.1

 

Edit: And put it in its own folder on the desktop. Before you run the program, right-click the program name (hijackthis.exe) and choose 'Rename'. Type something or other, e.g. 'jensen.exe'.

 

 

Post the log anyway :)

 

Which log? I don't understand much of what you explained above, yes, I'm blonde :P Computers aren't really my thing, to put it that way..

 

"Could you download this version of HJT and post the log from it: HJT v. 1.99.1"

You get a virus warning when you try to download this, though?

Click the 'SKJUL' tag, paste the content you want, and finish by clicking the 'SKJUL' tag again (that is how it works in Opera. In IE a text field may appear where you can paste the content).

 

Or you can paste the log and write (skjul) at the start and (/skjul) at the end.

Replace ( ) with [ ]

Edited by norbat

Logfile of HijackThis v1.99.1

Scan saved at 17:37:51, on 04.07.2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

C:\Program Files\Skype\Plugin Manager\SkypePM.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Admin\Application Data\Simply Super Software\Trojan Remover\iok2.exe

C:\Documents and Settings\Admin\Application Data\Simply Super Software\Trojan Remover\iok2.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Admin\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1044

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [RegSweep] "C:\Program Files\RegSweep\RegSweep.exe" -boot

O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\2u6dap5q.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles/2u6dap5q.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll

O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.tvlution.com/KooPlayer.ocx

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O21 - SSODL: system32 - {159AE0F4-E771-4036-B97C-9BAA5E439756} - sysprinters.dll (file missing)

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

 

Start HJT, choose "Do a system scan only", tick the following lines and click 'Fix checked':

 

R3 - Default URLSearchHook is missing

O21 - SSODL: system32 - {159AE0F4-E771-4036-B97C-9BAA5E439756} - sysprinters.dll (file missing)

 

I would also like to see the log file from Trojan Remover (unfortunately I don't know how you find it, but start the program and look for something called logs / report or similar). Do you remember what the file(s) it deleted were called? Could it have been Winpop?

 

Then get DrWeb. Put it on the desktop.

 

Restart in Safe Mode (press F8 repeatedly while the PC boots. Use the arrow keys to select Safe Mode and press the Enter key.)

 

Run drweb-cureit.exe (say yes to running an express scan).

When that is finished, click Option -> Change settings.

Under the Scan tab, untick Heuristic analysis.

Under the Actions tab, set every item under Malware to Rename.

Select the partition (typically C:) you want to scan and then click the green arrow to start the scan. Choose "yes to all" when it finds something for the first time.

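The two lines the helper marks for 'Fix checked' are exactly what a log-triage heuristic picks out first. As an added example (not from the thread and not part of HijackThis), the Python below parses lines in HijackThis log format over a constructed subset of the entries from the logs above, and flags orphaned references ("file missing"), SSODL entries that load a DLL by bare name, autoruns from user-writable directories, remote ActiveX controls and the missing URLSearchHook. The limits are visible too: the WinPop autorun, which Trojan Remover later identifies as TROJAN.POPWIN, sits under Program Files and passes every check here, so path heuristics only narrow the list for a signature or reputation lookup.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in HijackThis log format, modelled on entries that appear
# in the thread's two logs (a subset, not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\2u6dap5q.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.tvlution.com/KooPlayer.ocx
O21 - SSODL: system32 - {159AE0F4-E771-4036-B97C-9BAA5E439756} - sysprinters.dll (file missing)
"""

LINE_RE = re.compile(r'^(R\d|O\d{1,2}) - (.*)$')
# A filesystem path: drive letter or %VAR% root, then anything up to a binary extension.
PATH_RE = re.compile(r'((?:[A-Za-z]:|%\w+%)\\.*?\.(?:exe|dll|ocx|sys))', re.I)
# A DLL given by bare name, with no directory at all (e.g. "- sysprinters.dll").
BARE_DLL_RE = re.compile(r' - ([^\\/\s]+\.dll)(?:\s|$)', re.I)
GUID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')

# Directory fragments a non-admin user can write to on Windows XP; an autorun
# pointing here deserves a closer look than one under \WINDOWS or \Program Files.
USER_WRITABLE = ('\\documents and settings\\', '\\application data\\',
                 '\\local settings\\', '\\temp\\', '\\docume~1\\', '\\locals~1\\')

SEVERITY = {'ssodl-bare-dll': 3, 'file-missing': 2, 'user-writable-autorun': 2,
            'remote-activex': 1, 'urlsearchhook-missing': 1}


def parse_line(line: str) -> Optional[Dict]:
    """Split one HJT line into section code, body, GUID and referenced path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    path = PATH_RE.search(body)
    guid = GUID_RE.search(body)
    return {'section': section, 'body': body,
            'path': path.group(1) if path else None,
            'guid': guid.group(0) if guid else None, 'flags': []}


def assess(entry: Dict) -> List[str]:
    """Apply triage heuristics to a parsed entry and return the flags raised."""
    flags = []
    body, section, path = entry['body'], entry['section'], entry['path']
    if '(file missing)' in body:
        # Registry still points at a file that is gone: a removed payload or a
        # dangling hook; either way the entry itself should be fixed.
        flags.append('file-missing')
    if section == 'O21' and path is None and BARE_DLL_RE.search(body):
        # SSODL objects are loaded into Explorer at logon; a bare DLL name is
        # resolved by search order, a classic persistence and hijack spot.
        flags.append('ssodl-bare-dll')
    if section == 'O4' and path and any(frag in path.lower() for frag in USER_WRITABLE):
        flags.append('user-writable-autorun')
    if section == 'O16':
        # Downloaded Program Files: an ActiveX control fetched from a remote host.
        flags.append('remote-activex')
    if section == 'R3' and 'is missing' in body:
        flags.append('urlsearchhook-missing')
    return flags


def triage(log_text: str) -> List[Dict]:
    """Parse a whole HJT log and return only the entries that raised flags,
    highest severity first (stable sort, so log order is kept within a tier)."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        entry['flags'] = assess(entry)
        if entry['flags']:
            entry['severity'] = max(SEVERITY[f] for f in entry['flags'])
            flagged.append(entry)
    flagged.sort(key=lambda e: -e['severity'])
    return flagged


def fix_candidates(log_text: str) -> List[str]:
    """Lines a reviewer would put on the 'Fix checked' shortlist: anything that
    references a missing file or loads a bare SSODL DLL."""
    return [e['section'] + ' - ' + e['body'] for e in triage(log_text)
            if {'file-missing', 'ssodl-bare-dll'} & set(e['flags'])]


if __name__ == '__main__':
    for e in triage(SAMPLE_LOG):
        print(f"[{e['severity']}] {e['section']:<3} {', '.join(e['flags']):<40} {e['body'][:70]}")
```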

Log from Trojan Remover:

 

***** NORMAL SCAN FOR ACTIVE MALWARE *****

Trojan Remover Ver 6.6.1.2471. For information, email [email protected]

[unregistered version]

Scan started at: 04.07.2007 16:56:16

Using Database v6821

Operating System: Windows XP Professional Service Pack 2 (Build 2600)

Using data directory: C:\Documents and Settings\Admin\Application Data\Simply Super Software\Trojan Remover\

Logfile directory: C:\Documents and Settings\Admin\My Documents\Simply Super Software\Trojan Remover Logfiles\

Running with Administrator privileges

 

 

**************************************************

Checking Registry exefile command for modifications

Checking Registry comfile command for modifications

Checking Registry piffile command for modifications

Checking Registry batfile command for modifications

Checking Registry regfile command for modifications

Checking Registry cmdfile command for modifications

Checking Registry scrfile command for modifications

 

**************************************************

16:56:16: Scanning ----------WIN.INI-----------

WIN.INI found in C:\WINDOWS

 

**************************************************

16:56:16: Scanning --------SYSTEM.INI---------

SYSTEM.INI found in C:\WINDOWS

 

**************************************************

16:56:16: ----- SCANNING FOR ROOTKIT SERVICES -----

No hidden Services were detected.

 

**************************************************

16:56:17: Scanning -----WINDOWS REGISTRY-----

--------------------

Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon

--------------------

Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon

This key's "Shell" value calls the following program(s):

Explorer.exe - this entry has been left in place

----------

This key's "Userinit" value calls the following program(s):

C:\WINDOWS\system32\userinit.exe - this entry has been left in place

----------

This key's "System" value appears to be blank

----------

--------------------

Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

--------------------

Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Value Name = load

The Data Value for this entry appears to be blank

--------------------

--------------------

Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This Registry Key attempts to run the following program(s):

Value Name = IgfxTray

Value Data = C:\WINDOWS\system32\igfxtray.exe - this command has been left in place

--------------------

Value Name = HotKeysCmds

Value Data = C:\WINDOWS\system32\hkcmd.exe - this command has been left in place

--------------------

Value Name = Persistence

Value Data = C:\WINDOWS\system32\igfxpers.exe - this command has been left in place

--------------------

Value Name = SunJavaUpdateSched

Value Data = C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe - this command has been left in place

--------------------

Value Name = SoundMAXPnP

Value Data = C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe - this command has been left in place

--------------------

Value Name = SoundMAX

Value Data = C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray - this command has been left in place

--------------------

Value Name =

The Value Data for this entry appears to be blank

--------------------

Value Name = Sony Ericsson PC Suite

Value Data = C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions - this command has been left in place

--------------------

Value Name = RegSweep

Value Data = C:\Program Files\RegSweep\RegSweep.exe" -boot - this command has been left in place [file not found to scan]

--------------------

Value Name = TrojanScanner

Value Data = C:\Program Files\Trojan Remover\Trjscan.exe - this program is Trojan Remover's own scan file

--------------------

--------------------

Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

This Registry Key appears to be empty

--------------------

Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

This Registry Key appears to be empty

--------------------

Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run

This Registry Key attempts to run the following program(s):

Value Name = Sidebar

Value Data = C:\Program Files\Windows Sidebar\sidebar.exe /autoRun - this command has been left in place

--------------------

Value Name = ctfmon.exe

Value Data = C:\WINDOWS\system32\ctfmon.exe - this command has been left in place

--------------------

Value Name = MsnMsgr

Value Data = C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background - this command has been left in place

--------------------

Value Name = Skype

Value Data = C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized - this command has been left in place

--------------------

Value Name = MSMSGS

Value Data = C:\Program Files\Messenger\msmsgs.exe" /background - this command has been left in place

--------------------

Value Name = WinPop

Value Data = C:\Program Files\WinPop\winpop.exe - appears to contain TROJAN.POPWIN

Value Data = C:\Program Files\WinPop\winpop.exe - this command has been removed (no action requested on file)

--------------------

--------------------

Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

This Registry Key attempts to run the following program(s):

Value Name = FFTI

Value Data = C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\2u6dap5q.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles/2u6dap5q.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED} - this command has been left in place

--------------------

 

**************************************************

16:58:17: Scanning -----SHELLEXECUTEHOOKS-----

ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}

File: shell32.dll - this file is expected and has been left in place

----------

 

**************************************************

16:58:17: Scanning -----HIDDEN REGISTRY ENTRIES-----

Taskdir check completed

----------

No Hidden File-loading Registry Entries found

----------

 

**************************************************

16:58:17: Scanning -----ACTIVE SCREENSAVER-----

No active ScreenSaver found to scan.

 

**************************************************

16:58:17: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----

Checking the StubPath calls in the Active Setup\Installed Components registry keys:

Key=>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}

StubPath=C:\WINDOWS\inf\unregmp2.exe - this reference has been left in place

----------

Key=>{26923b43-4d38-484f-9b9e-de460746276c}

StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place

----------

Key=>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}

StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place

----------

Key=Windows Sidebar

StubPath=C:\WINDOWS\system32\hidec /W C:\VAIO\Tools\REGTLIB.EXE - this reference has been left in place [file not found to scan]

----------

Key={2C7339CF-2B09-4501-B3F3-F3508C9228ED}

StubPath=C:\WINDOWS\system32\regsvr32.exe - this reference has been left in place

----------

Key={34A19196-274E-4D75-9D30-D7A45A0A4178}

StubPath=C:\Program Files\Windows Sidebar\.\re - this reference has been left in place [file not found to scan]

----------

Key={6B9228DA-9C15-419e-856C-19E768A13BDC}

StubPath=C:\Program Files\Windows Sidebar\.\re - this reference has been left in place [file not found to scan]

----------

Key={7790769C-0471-11d2-AF11-00C04FA35D02}

StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place

----------

Key={89820200-ECBD-11cf-8B85-00AA005B4340}

StubPath=regsvr32.exe - this reference has been left in place

----------

Key={BADA65A0-86B7-462B-B720-CE66655C73F5}

StubPath=regsvr32 /s C:\VAIO\.\vs - this reference has been left in place [file not found to scan]

----------

 

**************************************************

16:58:19: Scanning ----- SERVICEDLL REGISTRY KEYS -----

Checking DLL files called from the CurrentControlSet\Services Keys:

--------------------

Key=Alerter

ServiceDLL=%SystemRoot%\system32\alrsvc.dll - this reference has been left in place

--------------------

Key=AppMgmt

ServiceDLL=%SystemRoot%\System32\appmgmts.dll - this reference has been left in place

--------------------

Key=AudioSrv

ServiceDLL=%SystemRoot%\System32\audiosrv.dll - this reference has been left in place

--------------------

Key=BITS

ServiceDLL=C:\WINDOWS\system32\qmgr.dll - this reference has been left in place

--------------------

Key=Browser

ServiceDLL=%SystemRoot%\System32\browser.dll - this reference has been left in place

--------------------

Key=CryptSvc

ServiceDLL=%SystemRoot%\System32\cryptsvc.dll - this reference has been left in place

--------------------

Key=DcomLaunch

ServiceDLL=%SystemRoot%\system32\rpcss.dll - this reference has been left in place

--------------------

Key=Dhcp

ServiceDLL=%SystemRoot%\System32\dhcpcsvc.dll - this reference has been left in place

--------------------

Key=dmserver

ServiceDLL=%SystemRoot%\System32\dmserver.dll - this reference has been left in place

--------------------

Key=Dnscache

ServiceDLL=%SystemRoot%\System32\dnsrslvr.dll - this reference has been left in place

--------------------

Key=ERSvc

ServiceDLL=%SystemRoot%\System32\ersvc.dll - this reference has been left in place

--------------------

Key=EventSystem

ServiceDLL=C:\WINDOWS\system32\es.dll - this reference has been left in place

--------------------

Key=FastUserSwitchingCompatibility

ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place

--------------------

Key=helpsvc

ServiceDLL=%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll - this reference has been left in place

--------------------

Key=HidServ

ServiceDLL=%SystemRoot%\System32\hidserv.dll - this file is globally excluded (file cannot be found)

--------------------

Key=HTTPFilter

ServiceDLL=%SystemRoot%\System32\w3ssl.dll - this reference has been left in place

--------------------

Key=lanmanserver

ServiceDLL=%SystemRoot%\System32\srvsvc.dll - this reference has been left in place

--------------------

Key=lanmanworkstation

ServiceDLL=%SystemRoot%\System32\wkssvc.dll - this reference has been left in place

--------------------

Key=LmHosts

ServiceDLL=%SystemRoot%\System32\lmhsvc.dll - this reference has been left in place

--------------------

Key=Messenger

ServiceDLL=%SystemRoot%\System32\msgsvc.dll - this reference has been left in place

--------------------

Key=Netman

ServiceDLL=%SystemRoot%\System32\netman.dll - this reference has been left in place

--------------------

Key=Nla

ServiceDLL=%SystemRoot%\System32\mswsock.dll - this reference has been left in place

--------------------

Key=NtmsSvc

ServiceDLL=%SystemRoot%\system32\ntmssvc.dll - this reference has been left in place

--------------------

Key=RasAuto

ServiceDLL=%SystemRoot%\System32\rasauto.dll - this reference has been left in place

--------------------

Key=RasMan

ServiceDLL=%SystemRoot%\System32\rasmans.dll - this reference has been left in place

--------------------

Key=RemoteAccess

ServiceDLL=%SystemRoot%\System32\mprdim.dll - this reference has been left in place

--------------------

Key=RemoteRegistry

ServiceDLL=%SystemRoot%\system32\regsvc.dll - this reference has been left in place

--------------------

Key=RpcSs

ServiceDLL=%SystemRoot%\system32\rpcss.dll - this reference has been left in place

--------------------

Key=Schedule

ServiceDLL=%SystemRoot%\system32\schedsvc.dll - this reference has been left in place

--------------------

Key=seclogon

ServiceDLL=%SystemRoot%\System32\seclogon.dll - this reference has been left in place

--------------------

Key=SENS

ServiceDLL=%SystemRoot%\system32\sens.dll - this reference has been left in place

--------------------

Key=SharedAccess

ServiceDLL=%SystemRoot%\System32\ipnathlp.dll - this reference has been left in place

--------------------

Key=ShellHWDetection

ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place

--------------------

Key=srservice

ServiceDLL=C:\WINDOWS\system32\srsvc.dll - this reference has been left in place

--------------------

Key=SSDPSRV

ServiceDLL=%SystemRoot%\System32\ssdpsrv.dll - this reference has been left in place

--------------------

Key=stisvc

ServiceDLL=%SystemRoot%\system32\wiaservc.dll - this reference has been left in place

--------------------

Key=TapiSrv

ServiceDLL=%SystemRoot%\System32\tapisrv.dll - this reference has been left in place

--------------------

Key=TermService

ServiceDLL=%SystemRoot%\System32\termsrv.dll - this reference has been left in place

--------------------

Key=Themes

ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place

--------------------

Key=TrkWks

ServiceDLL=%SystemRoot%\system32\trkwks.dll - this reference has been left in place

--------------------

Key=upnphost

ServiceDLL=%SystemRoot%\System32\upnphost.dll - this reference has been left in place

--------------------

Key=usnsvc

ServiceDLL=C:\Program Files\MSN Messenger\usnsvc.dll - this reference has been left in place

--------------------

Key=W32Time

ServiceDLL=C:\WINDOWS\system32\w32time.dll - this reference has been left in place

--------------------

Key=WebClient

ServiceDLL=%SystemRoot%\System32\webclnt.dll - this reference has been left in place

--------------------

Key=winmgmt

ServiceDLL=%SystemRoot%\system32\wbem\WMIsvc.dll - this reference has been left in place

--------------------

Key=WmdmPmSN

ServiceDLL=C:\WINDOWS\system32\MsPMSNSv.dll - this reference has been left in place

--------------------

Key=Wmi

ServiceDLL=%SystemRoot%\System32\advapi32.dll - this reference has been left in place

--------------------

Key=wscsvc

ServiceDLL=%SYSTEMROOT%\system32\wscsvc.dll - this reference has been left in place

--------------------

Key=wuauserv

ServiceDLL=C:\WINDOWS\system32\wuauserv.dll - this reference has been left in place

--------------------

Key=WudfSvc

ServiceDLL=%SystemRoot%\System32\WUDFSvc.dll - this reference has been left in place

--------------------

Key=WZCSVC

ServiceDLL=%SystemRoot%\System32\wzcsvc.dll - this reference has been left in place

--------------------

Key=xmlprov

ServiceDLL=%SystemRoot%\System32\xmlprov.dll - this reference has been left in place

 

**************************************************

16:58:25: Scanning ----- SERVICES REGISTRY KEYS -----

Checking files called from the CurrentControlSet\Services Keys:

Key=ACPI

ImagePath=system32\DRIVERS\ACPI.sys - this reference has been left in place

----------

Key=aeaudio

ImagePath=system32\drivers\aeaudio.sys - this reference has been left in place

----------

Key=aec

ImagePath=system32\drivers\aec.sys - this reference has been left in place

----------

Key=AFD

ImagePath=\SystemRoot\System32\drivers\afd.sys - this reference has been left in place

----------

Key=ALG

ImagePath=%SystemRoot%\System32\alg.exe - this reference has been left in place

----------

Key=aspnet_state

ImagePath=%SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe - this reference has been left in place

----------

Key=AsyncMac

ImagePath=system32\DRIVERS\asyncmac.sys - this reference has been left in place

----------

Key=atapi

ImagePath=system32\DRIVERS\atapi.sys - this reference has been left in place

----------

Key=Atmarpc

ImagePath=system32\DRIVERS\atmarpc.sys - this reference has been left in place

----------

Key=audstub

ImagePath=system32\DRIVERS\audstub.sys - this reference has been left in place

----------

Key=avast! Antivirus

ImagePath="C:\Program Files\Alwil Software\Avast4\ashServ.exe" - this reference has been left in place

----------

Key=CCDECODE

ImagePath=system32\DRIVERS\CCDECODE.sys - this reference has been left in place

----------

Key=Cdrom

ImagePath=system32\DRIVERS\cdrom.sys - this reference has been left in place

----------

Key=CiSvc

ImagePath=%SystemRoot%\system32\cisvc.exe - this reference has been left in place

----------

Key=ClipSrv

ImagePath=%SystemRoot%\system32\clipsrv.exe - this reference has been left in place

----------

Key=COMSysApp

ImagePath=C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} - this reference has been left in place

----------

Key=Disk

ImagePath=system32\DRIVERS\disk.sys - this reference has been left in place

----------

Key=dmadmin

ImagePath=%SystemRoot%\System32\dmadmin.exe /com - this reference has been left in place

----------

Key=dmboot

ImagePath=System32\drivers\dmboot.sys - this reference has been left in place

----------

Key=dmio

ImagePath=System32\drivers\dmio.sys - this reference has been left in place

----------

Key=dmload

ImagePath=System32\drivers\dmload.sys - this reference has been left in place

----------

Key=DMusic

ImagePath=system32\drivers\DMusic.sys - this reference has been left in place

----------

Key=drmkaud

ImagePath=system32\drivers\drmkaud.sys - this reference has been left in place

----------

Key=E1000

ImagePath=system32\DRIVERS\e1000325.sys - this reference has been left in place

----------

Key=Eventlog

ImagePath=%SystemRoot%\system32\services.exe - this reference has been left in place

----------

Key=FltMgr

ImagePath=system32\DRIVERS\fltMgr.sys - this reference has been left in place

----------

Key=Ftdisk

ImagePath=system32\DRIVERS\ftdisk.sys - this reference has been left in place

----------

Key=Gpc

ImagePath=system32\DRIVERS\msgpc.sys - this reference has been left in place

----------

Key=HTTP

ImagePath=System32\Drivers\HTTP.sys - this reference has been left in place

----------

Key=i8042prt

ImagePath=system32\DRIVERS\i8042prt.sys - this reference has been left in place

----------

Key=ialm

ImagePath=system32\DRIVERS\ialmnt5.sys - this reference has been left in place

----------

Key=Imapi

ImagePath=system32\DRIVERS\imapi.sys - this reference has been left in place

----------

Key=ImapiService

ImagePath=C:\WINDOWS\system32\imapi.exe - this reference has been left in place

----------

Key=IntelIde

ImagePath=system32\DRIVERS\intelide.sys - this reference has been left in place

----------

Key=intelppm

ImagePath=system32\DRIVERS\intelppm.sys - this reference has been left in place

----------

Key=Ip6Fw

ImagePath=system32\DRIVERS\Ip6Fw.sys - this reference has been left in place

----------

Key=IpFilterDriver

ImagePath=system32\DRIVERS\ipfltdrv.sys - this reference has been left in place

----------

Key=IpInIp

ImagePath=system32\DRIVERS\ipinip.sys - this reference has been left in place

----------

Key=IpNat

ImagePath=system32\DRIVERS\ipnat.sys - this reference has been left in place

----------

Key=IPSec

ImagePath=system32\DRIVERS\ipsec.sys - this reference has been left in place

----------

Key=IRENUM

ImagePath=system32\DRIVERS\irenum.sys - this reference has been left in place

----------

Key=isapnp

ImagePath=system32\DRIVERS\isapnp.sys - this reference has been left in place

----------

Key=Kbdclass

ImagePath=system32\DRIVERS\kbdclass.sys - this reference has been left in place

----------

Key=kmixer

ImagePath=system32\drivers\kmixer.sys - this reference has been left in place

----------

Key=MidiSyn

ImagePath=system32\drivers\MidiSyn.sys - this reference has been left in place

----------

Key=mnmsrvc

ImagePath=C:\WINDOWS\system32\mnmsrvc.exe - this reference has been left in place

----------

Key=Mouclass

ImagePath=system32\DRIVERS\mouclass.sys - this reference has been left in place

----------

Key=MRxDAV

ImagePath=system32\DRIVERS\mrxdav.sys - this reference has been left in place

----------

Key=MRxSmb

ImagePath=system32\DRIVERS\mrxsmb.sys - this reference has been left in place

----------

Key=MSDTC

ImagePath=C:\WINDOWS\system32\msdtc.exe - this reference has been left in place

----------

Key=MSIServer

ImagePath=C:\WINDOWS\system32\msiexec.exe /V - this reference has been left in place

----------

Key=MSKSSRV

ImagePath=system32\drivers\MSKSSRV.sys - this reference has been left in place

----------

Key=MSPCLOCK

ImagePath=system32\drivers\MSPCLOCK.sys - this reference has been left in place

----------

Key=MSPQM

ImagePath=system32\drivers\MSPQM.sys - this reference has been left in place

----------

Key=mssmbios

ImagePath=system32\DRIVERS\mssmbios.sys - this reference has been left in place

----------

Key=MSTEE

ImagePath=system32\drivers\MSTEE.sys - this reference has been left in place

----------

Key=NABTSFEC

ImagePath=system32\DRIVERS\NABTSFEC.sys - this reference has been left in place

----------

Key=NdisIP

ImagePath=system32\DRIVERS\NdisIP.sys - this reference has been left in place

----------

Key=NdisTapi

ImagePath=system32\DRIVERS\ndistapi.sys - this reference has been left in place

----------

Key=Ndisuio

ImagePath=system32\DRIVERS\ndisuio.sys - this reference has been left in place

----------

Key=NdisWan

ImagePath=system32\DRIVERS\ndiswan.sys - this reference has been left in place

----------

Key=NetBIOS

ImagePath=system32\DRIVERS\netbios.sys - this reference has been left in place

----------

Key=NetBT

ImagePath=system32\DRIVERS\netbt.sys - this reference has been left in place

----------

Key=NetDDE

ImagePath=%SystemRoot%\system32\netdde.exe - this reference has been left in place

----------

Key=NetDDEdsdm

ImagePath=%SystemRoot%\system32\netdde.exe - this reference has been left in place

----------

Key=Netlogon

ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place

----------

Key=NtLmSsp

ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place

----------

Key=NwlnkFlt

ImagePath=system32\DRIVERS\nwlnkflt.sys - this reference has been left in place

----------

Key=NwlnkFwd

ImagePath=system32\DRIVERS\nwlnkfwd.sys - this reference has been left in place

----------

Key=PCI

ImagePath=system32\DRIVERS\pci.sys - this reference has been left in place

----------

Key=PD0620VID

ImagePath=system32\DRIVERS\P0620Vid.sys - this reference has been left in place

----------

Key=pfc

ImagePath=system32\drivers\pfc.sys - this reference has been left in place

----------

Key=PlugPlay

ImagePath=%SystemRoot%\system32\services.exe - this reference has been left in place

----------

Key=PolicyAgent

ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place

----------

Key=PptpMiniport

ImagePath=system32\DRIVERS\raspptp.sys - this reference has been left in place

----------

Key=ProtectedStorage

ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place

----------

Key=PSched

ImagePath=system32\DRIVERS\psched.sys - this reference has been left in place

----------

Key=Ptilink

ImagePath=system32\DRIVERS\ptilink.sys - this reference has been left in place

----------

Key=RasAcd

ImagePath=system32\DRIVERS\rasacd.sys - this reference has been left in place

----------

Key=Rasl2tp

ImagePath=system32\DRIVERS\rasl2tp.sys - this reference has been left in place

----------

Key=RasPppoe

ImagePath=system32\DRIVERS\raspppoe.sys - this reference has been left in place

----------

Key=Raspti

ImagePath=system32\DRIVERS\raspti.sys - this reference has been left in place

----------

Key=Rdbss

ImagePath=system32\DRIVERS\rdbss.sys - this reference has been left in place

----------

Key=RDPCDD

ImagePath=System32\DRIVERS\RDPCDD.sys - this reference has been left in place

----------

Key=rdpdr

ImagePath=system32\DRIVERS\rdpdr.sys - this reference has been left in place

----------

Key=RDSessMgr

ImagePath=C:\WINDOWS\system32\sessmgr.exe - this reference has been left in place

----------

Key=redbook

ImagePath=system32\DRIVERS\redbook.sys - this reference has been left in place

----------

Key=RpcLocator

ImagePath=%SystemRoot%\system32\locator.exe - this reference has been left in place

----------

Key=rspndr

ImagePath=system32\DRIVERS\rspndr.sys - this reference has been left in place

----------

Key=RSVP

ImagePath=%SystemRoot%\system32\rsvp.exe - this reference has been left in place

----------

Key=SamSs

ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place

----------

Key=SCardSvr

ImagePath=%SystemRoot%\System32\SCardSvr.exe - this reference has been left in place

----------

Key=Secdrv

ImagePath=system32\DRIVERS\secdrv.sys - this reference has been left in place

----------

Key=senfilt

ImagePath=system32\drivers\senfilt.sys - this reference has been left in place

----------

Key=SLIP

ImagePath=system32\DRIVERS\SLIP.sys - this reference has been left in place

----------

Key=smwdm

ImagePath=system32\drivers\smwdm.sys - this reference has been left in place

----------

Key=SoundMAX Agent Service (default)

ImagePath=C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe - this reference has been left in place

----------

Key=splitter

ImagePath=system32\drivers\splitter.sys - this reference has been left in place

----------

Key=Spooler

ImagePath=%SystemRoot%\system32\spoolsv.exe - this reference has been left in place

----------

Key=sr

ImagePath=system32\DRIVERS\sr.sys - this reference has been left in place

----------

Key=Srv

ImagePath=system32\DRIVERS\srv.sys - this reference has been left in place

----------

Key=streamip

ImagePath=system32\DRIVERS\StreamIP.sys - this reference has been left in place

----------

Key=swenum

ImagePath=system32\DRIVERS\swenum.sys - this reference has been left in place

----------

Key=swmidi

ImagePath=system32\drivers\swmidi.sys - this reference has been left in place

----------

Key=SwPrv

ImagePath=C:\WINDOWS\system32\dllhost.exe /Processid:{20B927CF-1EC5-4EE3-AAB1-50DE78FD4BE7} - this reference has been left in place

----------

Key=sysaudio

ImagePath=system32\drivers\sysaudio.sys - this reference has been left in place

----------

Key=SysmonLog

ImagePath=%SystemRoot%\system32\smlogsvc.exe - this reference has been left in place

----------

Key=Tcpip

ImagePath=system32\DRIVERS\tcpip.sys - this reference has been left in place

----------

Key=TermDD

ImagePath=system32\DRIVERS\termdd.sys - this reference has been left in place

----------

Key=TlntSvr

ImagePath=C:\WINDOWS\system32\tlntsvr.exe - this reference has been left in place

----------

Key=Update

ImagePath=system32\DRIVERS\update.sys - this reference has been left in place

----------

Key=UPS

ImagePath=%SystemRoot%\System32\ups.exe - this reference has been left in place

----------

Key=usbaudio

ImagePath=system32\drivers\usbaudio.sys - this reference has been left in place

----------

Key=usbccgp

ImagePath=system32\DRIVERS\usbccgp.sys - this reference has been left in place

----------

Key=usbehci

ImagePath=system32\DRIVERS\usbehci.sys - this reference has been left in place

----------

Key=usbhub

ImagePath=system32\DRIVERS\usbhub.sys - this reference has been left in place

----------

Key=USBSTOR

ImagePath=system32\DRIVERS\USBSTOR.SYS - this reference has been left in place

----------

Key=usbuhci

ImagePath=system32\DRIVERS\usbuhci.sys - this reference has been left in place

----------

Key=VgaSave

ImagePath=\SystemRoot\System32\drivers\vga.sys - this reference has been left in place

----------

Key=VSS

ImagePath=%SystemRoot%\System32\vssvc.exe - this reference has been left in place

----------

Key=w810bus

ImagePath=system32\DRIVERS\w810bus.sys - this reference has been left in place

----------

Key=w810mdfl

ImagePath=system32\DRIVERS\w810mdfl.sys - this reference has been left in place

----------

Key=w810mdm

ImagePath=system32\DRIVERS\w810mdm.sys - this reference has been left in place

----------

Key=w810mgmt

ImagePath=system32\DRIVERS\w810mgmt.sys - this reference has been left in place

----------

Key=w810obex

ImagePath=system32\DRIVERS\w810obex.sys - this reference has been left in place

----------

Key=Wanarp

ImagePath=system32\DRIVERS\wanarp.sys - this reference has been left in place

----------

Key=wdmaud

ImagePath=system32\drivers\wdmaud.sys - this reference has been left in place

----------

Key=WmiApSrv

ImagePath=C:\WINDOWS\system32\wbem\wmiapsrv.exe - this reference has been left in place

----------

Key=WMPNetworkSvc

ImagePath="C:\Program Files\Windows Media Player\WMPNetwk.exe" - this reference has been left in place

----------

Key=WSTCODEC

ImagePath=system32\DRIVERS\WSTCODEC.SYS - this reference has been left in place

----------

Key=WudfPf

ImagePath=system32\DRIVERS\WudfPf.sys - this reference has been left in place

----------

Key=WudfRd

ImagePath=system32\DRIVERS\wudfrd.sys - this reference has been left in place

----------

 

**************************************************

16:58:49: Scanning -----VXD ENTRIES-----

Checking VMM32 VxD files being loaded

 

**************************************************

16:58:49: Scanning ----- WINLOGON\NOTIFY DLLS -----

Checking DLLs called from the Winlogon\Notify key:

Key=crypt32chain

DLLName=crypt32.dll - this reference has been left in place

----------

Key=cryptnet

DLLName=cryptnet.dll - this reference has been left in place

----------

Key=cscdll

DLLName=cscdll.dll - this reference has been left in place

----------

Key=igfxcui

DLLName=igfxdev.dll - this reference has been left in place

----------

Key=ScCertProp

DLLName=wlnotify.dll - this reference has been left in place

----------

Key=Schedule

DLLName=wlnotify.dll - this reference has been left in place

----------

Key=sclgntfy

DLLName=sclgntfy.dll - this reference has been left in place

----------

Key=SensLogn

DLLName=WlNotify.dll - this reference has been left in place

----------

Key=termsrv

DLLName=wlnotify.dll - this reference has been left in place

----------

Key=wlballoon

DLLName=wlnotify.dll - this reference has been left in place

----------

 

**************************************************

16:58:50: Scanning ----- CONTEXTMENUHANDLERS -----

Key = Offline Files

CLSID = {750fdf0e-2a26-11d1-a3ea-080036587f03}

%SystemRoot%\System32\cscui.dll - this ContextMenuHandler has been left in place

----------

Key = Open With

CLSID = {09799AFB-AD67-11d1-ABCD-00C04FC30936}

%SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place

----------

Key = Open With EncryptionMenu

CLSID = {A470F8CF-A1E8-4f65-8335-227475AA5C46}

%SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place

----------

Key = Trojan Remover

CLSID = {52B87208-9CCF-42C9-B88E-069281105805}

C:\PROGRA~1\TROJAN~1\Trshlex.dll - this ContextMenuHandler has been left in place

----------

Key = {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}

%SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place

----------

 

**************************************************

16:58:50: Scanning ----- FOLDER\COLUMNHANDLERS -----

Key = {0D2E74C4-3C34-11d2-A27E-00C04FC30871}

%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place

----------

Key = {24F14F01-7B1C-11d1-838f-0000F80461CF}

%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place

----------

Key = {24F14F02-7B1C-11d1-838f-0000F80461CF}

%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place

----------

Key = {66742402-F9B9-11D1-A202-0000F81FEDEE}

%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place

----------

 

**************************************************

16:58:51: Scanning ----- BROWSER HELPER OBJECTS -----

Key = {45AD732C-2CE2-4666-B366-B2214AD57A49}

C:\Program Files\Desktop Sidebar\sbhelp.dll - this Browser Helper Object has been left in place

----------

Key = {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll - this Browser Helper Object has been left in place

----------

 

**************************************************

16:58:51: Scanning ----- SHELLSERVICEOBJECTS -----

Key = PostBootReminder

CLSID = {7849596a-48ea-486e-8937-a2a3009f31a9}

%SystemRoot%\system32\SHELL32.dll - this ShellServiceObject has been left in place

----------

Key = CDBurn

CLSID = {fbeb8a05-beee-4442-804e-409d6c4515e9}

%SystemRoot%\system32\SHELL32.dll - this ShellServiceObject has been left in place

----------

Key = WebCheck

CLSID = {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

%SystemRoot%\system32\webcheck.dll - this ShellServiceObject has been left in place

----------

Key = SysTray

CLSID = {35CEC8A3-2BE6-11D2-8773-92E220524153}

C:\WINDOWS\system32\stobject.dll - this ShellServiceObject has been left in place

----------

Key = WPDShServiceObj

CLSID = {AAA288BA-9A4C-45B0-95D7-94D524869DB5}

C:\WINDOWS\system32\WPDShServiceObj.dll - this ShellServiceObject has been left in place

----------

Key = system32

CLSID = {159AE0F4-E771-4036-B97C-9BAA5E439756}

sysprinters.dll - this ShellServiceObject has been left in place

----------

 

**************************************************

16:58:51: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----

Value = {438755C2-A8BA-11D1-B96B-00A0C90312E1}

Comment = Browseui preloader

File: %SystemRoot%\system32\browseui.dll - this SharedTaskScheduler entry has been left in place

----------

Value = {8C7461EF-2B13-11d2-BE35-3078302C2030}

Comment = Component Categories cache daemon

File: %SystemRoot%\system32\browseui.dll - this SharedTaskScheduler entry has been left in place

----------

 

**************************************************

16:58:52: Scanning ----- IMAGEFILE DEBUGGERS -----

No "Debugger" entries found.

 

**************************************************

16:58:52: Scanning ----- APPINIT_DLLS -----

The AppInit_DLLs value is blank

 

**************************************************

16:58:52: Scanning ----- SECURITY PROVIDER DLLS -----

msapsspc.dll - this entry has been left in place

----------

schannel.dll - this entry has been left in place

----------

digest.dll - this entry has been left in place

----------

msnsspc.dll - this entry has been left in place

----------

 

**************************************************

16:58:52: Scanning ------ COMMON STARTUP GROUP ------

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

The Common Startup Group attempts to load the following file(s) at boot time:

desktop.ini - this file is expected and has been left in place

--------------------

 

**************************************************

16:58:52: Scanning ------ USER STARTUP GROUPS ------

--------------------

Checking Startup Group for Admin

[C:\Documents and Settings\Admin\START MENU\PROGRAMS\STARTUP]

The Startup Group for Admin attempts to load the following file(s):

desktop.ini - this file is expected and has been left in place

 

**************************************************

16:58:52: Scanning ----- SCHEDULED TASKS -----

Taskname: RegSweep Scheduled Scan.job

File: C:\RegSweep\RegSweep.exe

Parameters: scheduled

Next Run Time: 05.07.2007 03:30:00

Status: The task is ready to run at its next scheduled time

Creator: Admin

Comments: Runs RegSweep to optimize your registry.

C:\RegSweep\RegSweep.exe - this entry has been left in place

----------

 

**************************************************

16:58:52: ----- ADDITIONAL CHECKS -----

PE386 rootkit checks completed

----------

Winlogon registry rootkit checks completed

----------

Heuristic checks for hidden files/drivers completed

----------

 

**************************************************

16:58:53: Scanning ------ DOWNLOADED PROGRAM FILES ------

The following files are located in the DOWNLOADED PROGRAM FILES directory:

C:\WINDOWS\Downloaded Program Files\desktop.ini - this file is expected and has been left in place

C:\WINDOWS\Downloaded Program Files\KooPlayer.ocx - this file has been left in place

 

**************************************************

16:58:53: Scanning ----- RUNNING PROCESSES -----

 

C:\WINDOWS\System32\smss.exe

--------------------

C:\WINDOWS\system32\csrss.exe

--------------------

C:\WINDOWS\system32\winlogon.exe

--------------------

C:\WINDOWS\system32\services.exe

--------------------

C:\WINDOWS\system32\lsass.exe

--------------------

C:\WINDOWS\system32\svchost.exe

--------------------

C:\Program Files\Alwil Software\Avast4\ashServ.exe

--------------------

C:\WINDOWS\Explorer.EXE

--------------------

C:\WINDOWS\system32\igfxtray.exe

--------------------

C:\WINDOWS\system32\hkcmd.exe

--------------------

C:\WINDOWS\system32\igfxpers.exe

--------------------

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

--------------------

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

--------------------

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

--------------------

C:\WINDOWS\system32\spoolsv.exe

--------------------

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

--------------------

C:\Program Files\Windows Sidebar\sidebar.exe

--------------------

C:\WINDOWS\system32\ctfmon.exe

--------------------

C:\Program Files\Skype\Phone\Skype.exe

--------------------

C:\Program Files\Messenger\msmsgs.exe

--------------------

C:\Program Files\WinPop\winpop.exe - appears to contain TROJAN.POPWIN

C:\Program Files\WinPop\winpop.exe - running process located and terminated

--------------------

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

--------------------

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--------------------

C:\Program Files\Windows Sidebar\sidebar.exe

--------------------

C:\WINDOWS\System32\alg.exe

--------------------

C:\Program Files\Common Files\Teleca Shared\Generic.exe

--------------------

C:\Program Files\Skype\Plugin Manager\SkypePM.exe

--------------------

C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

--------------------

C:\WINDOWS\system32\wuauclt.exe

--------------------

C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe

--------------------

C:\Program Files\Mozilla Firefox\firefox.exe

--------------------

C:\WINDOWS\Explorer.EXE

--------------------

C:\DOCUME~1\Admin\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis_v2(2).zip\HiJackThis_v2.exe

--------------------

C:\Documents and Settings\Admin\Application Data\Simply Super Software\Trojan Remover\enl16C.exe

FileSize: 1 876 544

[This is a Trojan Remover component]

--------------------

 

**************************************************

17:00:26: Checking AUTOEXEC.BAT file

AUTOEXEC.BAT found in C:\

No malicious entries were found in the AUTOEXEC.BAT file

 

**************************************************

17:00:26: Checking AUTOEXEC.NT file

AUTOEXEC.NT found in C:\WINDOWS\system32

No malicious entries were found in the AUTOEXEC.NT file

 

**************************************************

17:00:26: Checking HOSTS file

No malicious entries were found in the HOSTS file

 

**************************************************

------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Start Page":

http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Local Page":

%SystemRoot%\system32\blank.htm

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Search Page":

http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":

http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":

http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":

http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":

http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page":

http://www.sol.no/

 

**************************************************

=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===

Scan completed at: 04.07.2007 17:00:26

************************************************************


F***! :realmad: Now I'm fed up... It's still not gone; suddenly it started blinking here again. Ugh! I can't be bothered anymore, I don't understand any of those antivirus programs anyway...

 

And what is this virus, "a worm called Kelvir"? That's what the guy I got the virus from said it was...

Edited by _jensen_

What you removed with Trojan Remover has little to do with your virus problem.

 

Let's try a simple approach first:

Get this fix: ... and unpack it onto the desktop.

Open the folder and run the program (msnfix.bat). Follow the instructions. Keep MSN closed while the fix runs.

 

The instructions are as follows:

Choose language: press E, then the Enter key

Choose R, then the Enter key. The program will now start a scan.

Choose R again to start the cleaning (if it finds anything during the scan)

 

Report back whether it found and cleaned anything.

 

Download DrWeb (see the earlier post) and follow the instructions given there.

 

Don't give up :)

Edited by norbat
