MisfiT83, posted 9 December 2007:
I've got a virus that I can't get rid of :S I have the NOD32 antivirus program and Ad-Aware. I've also tried AVG Anti-Rootkit, Panda Anti-Rootkit, RootkitRevealer and McAfee Rootkit Detective. I got the virus when I downloaded a program and opened it, an .exe file (I know, stupid). Pressing delete doesn't help. Any suggestions?

Sewero, posted 9 December 2007:
How do you remove viruses/spyware if you are already infected? There are very many ways to remove viruses/spyware, and some of the methods are difficult, but here are the basics:
1: Run a system scan with an antivirus program
2: Run a system scan with an antispyware program
3: Run a system scan with a rootkit tool.
It can also be a good idea to run a virus scan with online scanners, because different antivirus products can find different infections. All the online scanners are of course free!
http://housecall.trendmicro.com/
http://www.bitdefender.com/scan8/ie.html
http://www.kaspersky.com/kos/english/kavwebscan.html

Syar-2003, posted 9 December 2007:
Read the text from NOD. The file has been put in quarantine. In the next window, Explorer is denied access to the file precisely because NOD is blocking it. So your antivirus seems to have done its job... Deletion is presumably done via NOD (= purge/empty quarantine).

Barkster, posted 9 December 2007:
Start the machine in safe mode and scan again.

norbat, posted 9 December 2007:
Feel free to post an HJT log: Download HijackThis. Put it in a folder of its own on the desktop. Start the program and choose "Do a system scan and save a logfile". Copy the log file and post it.

Orochimaru, posted 9 December 2007:
Prorat is an old acquaintance, yes! Haha! Have you tried downloading RAT tools or something? x) Or else you are the one who downloaded a file. This type of Trojan horse is produced in PRORAT. Check it out! http://en.wikipedia.org/wiki/Prorat It is easy to remove! Good luck! Follow NorBat's advice!

MisfiT83 (thread author), posted 9 December 2007:
Does this help?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:26:54, on 09.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Programmer\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programmer\NOD32\nod32krn.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programfiler\Acer\eRecovery\Monitor.exe
C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
D:\Programmer\NOD32\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Anders Ericson\Skrivebord\utorrent.exe
D:\Programmer\Win Themes\Vista Inspirat 2\RocketDock\RocketDock.exe
D:\Programmer\Win Themes\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\svchost.exe
D:\Programmer\Firefox\firefox.exe
D:\Programmer\Programmer\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eRecoveryService] C:\Programfiler\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Programfiler\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Programmer\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Documents and Settings\Anders Ericson\Skrivebord\utorrent.exe"
O4 - HKLM\..\Policies\Explorer\Run: [DirectX For Microsoft® Windows] C:\WINDOWS\system32\fservice.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RocketDock.lnk = D:\Programmer\Win Themes\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = D:\Programmer\Win Themes\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programmer\Ad-Aware 2007\aawservice.exe
O23 - Service: AEOMDF - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ANDERS~1\LOKALE~1\Temp\AEOMDF.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Programmer\NOD32\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 6143 bytes

norbat, posted 9 December 2007:
Start HJT, choose "Do a system scan only", tick the following lines and click Fix checked:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O4 - HKLM\..\Policies\Explorer\Run: [DirectX For Microsoft® Windows] C:\WINDOWS\system32\fservice.exe
Get Avenger and unpack it. Start the program, select "Input Script Manually" and click the magnifying glass. In the window that opens, copy and paste in what is in bold below:
Files to delete:
C:\WINDOWS\services.exe
C:\WINDOWS\system32\fservice.exe
Click the traffic light. Restart the PC. After the restart a log file will appear that tells you what has happened. You don't need to post it.
Get Combofix and put it on the desktop. Run combofix.exe and follow the instructions. You must not click on the window while the program is running.
Post the log file from Combofix (usually c:\combofix.txt) + a new HJT log.

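The selection made in the post above can be written as three checks over a HijackThis log: a core system process running outside system32, a system.ini Shell value that carries more than Explorer.exe, and an autostart under Policies\Explorer\Run. This is an added example, not part of the original thread and not HijackThis's own logic; the heuristics, the function names and the sample log (constructed in the thread's log format) are assumptions of the example.

```python
import ntpath
import re

# Constructed sample in HijackThis v2 log format, modelled on the log in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\services.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Policies\Explorer\Run: [DirectX For Microsoft Windows] C:\WINDOWS\system32\fservice.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumption of this example: these core Windows XP processes only run from system32.
SYSTEM32_ONLY = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                 "svchost.exe", "spoolsv.exe"}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")           # e.g. "O4 - ..."
SHELL_RE = re.compile(r"^REG:system\.ini: Shell=(.*)$", re.IGNORECASE)
O4_REG_RE = re.compile(r"^(?P<loc>.+?): \[(?P<name>.*?)\] (?P<cmd>.*)$")


def parse_log(text):
    """Split a log into running-process paths and (code, body) entries."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if entry:
            in_processes = False
            entries.append((entry.group(1), entry.group(2)))
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes and line:
            processes.append(line)
    return processes, entries


def command_path(cmd):
    """Return the executable path of an autostart command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd


def find_suspicious(text):
    """Return (finding_kind, file_path) tuples for entries that deserve manual review."""
    processes, entries = parse_log(text)
    findings = []
    for path in processes:
        directory, name = ntpath.split(path)
        if name.lower() in SYSTEM32_ONLY and not directory.lower().endswith("\\system32"):
            findings.append(("masquerading-process", path))
    for code, body in entries:
        shell = SHELL_RE.match(body) if code == "F2" else None
        autorun = O4_REG_RE.match(body) if code == "O4" else None
        if shell:
            value = shell.group(1).strip()
            if value.lower() != "explorer.exe":
                # Anything after Explorer.exe is launched together with the shell at logon.
                extra = re.sub(r"^explorer\.exe\s*", "", value, flags=re.IGNORECASE)
                findings.append(("shell-hijack", command_path(extra or value)))
        elif autorun and autorun.group("loc").lower().endswith("\\policies\\explorer\\run"):
            findings.append(("policy-run-autostart", command_path(autorun.group("cmd"))))
    return findings


def files_to_review(findings):
    """Unique file paths named by the findings, compared case-insensitively."""
    unique = {}
    for _kind, path in findings:
        unique.setdefault(path.lower(), path)
    return [unique[key] for key in sorted(unique)]


if __name__ == "__main__":
    for kind, path in find_suspicious(SAMPLE_LOG):
        print(f"{kind:22} {path}")
```

A hit is a prompt for manual review, not a verdict: the checks say nothing about entries such as ordinary Run keys.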
MisfiT83 (thread author), posted 9 December 2007:
ComboFix 07-12-09.1 - Anders Ericson 2007-12-10 0:30:16.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.47.1044.18.1140 [GMT 1:00]
Running from: C:\Documents and Settings\Anders Ericson\Skrivebord\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\ktd32.atm
C:\WINDOWS\services.exe
C:\WINDOWS\system\sservice.exe
C:\WINDOWS\system32\fservice.exe
C:\WINDOWS\system32\winkey.dll
.
((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
.
2007-12-09 22:03 . 2007-12-09 22:03 <DIR> d--hs---- C:\Documents and Settings\Anders Ericson\Siste
2007-12-09 20:30 . 2007-12-09 20:30 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-09 20:22 . 2007-12-09 20:23 <DIR> d-------- C:\WINDOWS\Sun
2007-12-07 16:49 . 2007-12-07 16:49 <DIR> d-------- C:\Programfiler\Winamp
2007-12-07 00:14 . 2007-12-07 00:14 <DIR> d-------- C:\Documents and Settings\Anders Ericson\Incomplete
2007-12-07 00:11 . 2007-12-07 00:11 <DIR> d-------- C:\Documents and Settings\Anders Ericson\Programdata\LimeWire
2007-12-06 02:25 . 2007-12-09 19:42 105 --a------ C:\WINDOWS\system32\fservice.exe.bat
2007-12-06 02:10 . 2007-12-06 02:10 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Lavasoft
2007-12-06 02:05 . 2007-12-06 02:05 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2007-12-06 00:46 . 2007-12-06 00:47 <DIR> d-------- C:\Documents and Settings\NetworkService\Programdata\Xfire
2007-12-06 00:46 . 2007-12-06 00:46 <DIR> d-------- C:\Documents and Settings\Anders Ericson\Programdata\Xfire
2007-12-06 00:23 . 2007-12-06 00:23 <DIR> d-------- C:\Documents and Settings\Anders Ericson\Programdata\Hamachi
2007-12-06 00:23 . 2007-12-06 00:23 25,280 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-12-05 21:46 . 2007-12-05 21:46 <DIR> d-------- C:\Programfiler\MSXML 6.0
2007-12-05 17:38 . 2007-12-05 17:38 268 --ah----- C:\sqmdata03.sqm
2007-12-05 17:38 . 2007-12-05 17:38 244 --ah----- C:\sqmnoopt03.sqm
2007-12-04 22:58 . 2007-12-04 22:58 45 --a------ C:\WINDOWS\system32\initdebug.nfo
2007-12-04 22:57 . 2007-12-04 22:57 <DIR> d-------- C:\Programfiler\MSBuild
2007-12-04 22:54 . 2007-12-04 22:54 65,542 --a------ C:\WINDOWS\BricoPackUninst.cmd
2007-12-04 22:53 . 2007-12-04 22:53 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-04 22:53 . 2007-12-04 22:53 3,932,214 --a------ C:\WINDOWS\BricoPack Wallpaper.bmp
2007-12-04 22:50 . 2007-12-04 22:50 <DIR> d-------- C:\Programfiler\Reference Assemblies
2007-12-04 22:50 . 2007-12-04 22:54 6,144 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
2007-12-04 22:49 . 2007-12-04 22:49 <DIR> d-------- C:\WINDOWS\BricoPacks
2007-12-04 22:49 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-12-04 22:32 . 2007-12-04 22:32 <DIR> d-------- C:\Documents and Settings\Anders Ericson\Contacts
2007-12-04 22:31 . 2007-12-04 22:31 268 --ah----- C:\sqmdata02.sqm
2007-12-04 22:31 . 2007-12-04 22:31 244 --ah----- C:\sqmnoopt02.sqm
2007-12-04 21:39 . 2007-12-04 21:39 268 --ah----- C:\sqmdata01.sqm
2007-12-04 21:39 . 2007-12-04 21:39 244 --ah----- C:\sqmnoopt01.sqm
2007-12-04 21:19 . 2004-03-26 10:53 <DIR> d-------- C:\TEMP\Fonts
2007-12-04 21:19 . 2004-03-30 11:28 <DIR> d-------- C:\TEMP
2007-12-04 21:19 . 2004-04-02 14:48 388,466 --a------ C:\TEMP\Assault2.exe
2007-12-04 21:19 . 2004-04-02 15:02 298,527 --a------ C:\TEMP\Fonts.exe
2007-12-04 21:19 . 2004-04-02 14:37 532 --a------ C:\TEMP\assault.bat
2007-12-04 17:22 . 2007-12-04 17:22 268 --ah----- C:\sqmdata00.sqm
2007-12-04 17:22 . 2007-12-04 17:22 244 --ah----- C:\sqmnoopt00.sqm
2007-12-04 17:14 . 2007-01-18 13:38 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS
2007-12-04 17:14 . 2007-12-04 17:14 1,533 --a------ C:\WINDOWS\mozver.dat
2007-12-04 17:08 . 2007-12-04 17:08 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2007-12-04 17:08 . 2007-12-04 17:08 <DIR> d-------- C:\Programfiler\MSN Messenger
2007-12-04 16:58 . 2007-12-04 16:58 <DIR> d-------- C:\Documents and Settings\Anders Ericson\Programdata\vlc
2007-12-04 00:37 . 2007-08-20 11:03 6,058,496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-04 00:37 . 2007-04-17 10:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-04 00:37 . 2007-03-08 06:11 1,007,616 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-04 00:37 . 2007-08-20 11:03 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-04 00:37 . 2007-08-20 11:03 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-04 00:37 . 2007-08-20 11:03 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-04 00:37 . 2007-08-20 11:03 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-04 00:37 . 2007-08-20 11:03 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-04 00:37 . 2007-08-17 11:20 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-04 00:36 . 2007-12-04 00:36 <DIR> d-------- C:\WINDOWS\system32\nb-no
2007-12-04 00:28 . 2004-08-04 20:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-12-04 00:23 . 2007-12-04 00:23 <DIR> d-------- C:\Documents and Settings\Anders Ericson\Programdata\uTorrent
2007-12-04 00:21 . 2007-12-04 00:19 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-12-04 00:21 . 2007-12-04 00:19 270,336 --a------ C:\WINDOWS\system32\imon.dll
2007-12-03 23:59 . 2007-12-03 23:59 <DIR> d-------- C:\Programfiler\ATI Technologies
2007-12-03 23:59 . 2007-11-01 21:05 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2007-12-03 23:58 . 2007-12-03 23:58 <DIR> d-------- C:\ATI
2007-12-03 23:56 . 2007-12-03 23:56 <DIR> d-------- C:\Documents and Settings\Anders Ericson\Programdata\Talkback
2007-12-03 23:56 . 2007-12-03 23:56 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-03 23:50 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-12-03 23:48 . 2007-12-03 23:48 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\eConsole
2007-12-03 23:44 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-03 23:42 . 2007-12-10 00:28 0 --------- C:\WINDOWS\system32\eRLog.ini
2007-12-03 23:40 . 2005-05-27 11:06 253,952 --a------ C:\WINDOWS\system32\Uninstall_eRecovery.exe
2007-12-03 21:39 . 2007-12-03 21:39 <DIR> d-------- C:\Programfiler\Fellesfiler\ArcSoft
2007-12-03 21:39 . 1995-08-01 04:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-12-03 21:39 . 2005-02-23 14:58 11,776 --a------ C:\WINDOWS\system32\drivers\afc.sys
2007-12-03 21:38 . 2007-12-03 21:38 <DIR> d-------- C:\Programfiler\Java
2007-12-03 21:38 . 2007-12-03 21:38 <DIR> d-------- C:\Programfiler\Fellesfiler\Java
2007-12-03 21:37 . 2005-10-21 21:36 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2007-12-03 21:37 . 2005-10-21 21:36 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS
2007-12-03 21:37 . 2005-10-21 21:36 <DIR> d-------- C:\Documents and Settings\Anders Ericson\WINDOWS
2007-12-03 21:37 . 2005-10-21 21:24 <DIR> dr------- C:\Documents and Settings\Anders Ericson\Start-meny
2007-12-03 21:37 . 2005-10-21 21:24 <DIR> d--h----- C:\Documents and Settings\Anders Ericson\Skrivere
2007-12-03 21:37 . 2005-10-21 21:24 <DIR> d-------- C:\Documents and Settings\Anders Ericson\Skrivebord
2007-12-03 21:37 . 2005-10-21 21:46 <DIR> d-------- C:\Documents and Settings\Anders Ericson\Programdata\Symantec
2007-12-03 21:37 . 2005-10-21 21:24 <DIR> d--h----- C:\Documents and Settings\Anders Ericson\Programdata
2007-12-03 21:37 . 2007-12-04 00:52 <DIR> dr------- C:\Documents and Settings\Anders Ericson\Mine dokumenter
2007-12-03 21:37 . 2005-10-21 21:24 <DIR> d--h----- C:\Documents and Settings\Anders Ericson\Maler
2007-12-03 21:37 . 2005-10-21 21:24 <DIR> d--h----- C:\Documents and Settings\Anders Ericson\Lokale innstillinger
2007-12-03 21:37 . 2007-12-03 21:37 <DIR> dr------- C:\Documents and Settings\Anders Ericson\Favoritter
2007-12-03 21:37 . 2005-10-21 21:24 <DIR> d--h----- C:\Documents and Settings\Anders Ericson\AndrMask
2007-12-03 21:34 . 2004-08-04 01:03 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 21:54 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-12-04 21:54 218,624 ----a-w C:\WINDOWS\system32\dllcache\uxtheme.dll
2007-11-02 05:52 2,644,480 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-11-02 05:52 2,644,480 ----a-w C:\WINDOWS\system32\dllcache\ati2mtag.sys
2007-11-02 04:57 9,314,304 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-11-02 04:24 176,128 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-11-02 04:10 364,544 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-11-02 04:09 268,288 ----a-w C:\WINDOWS\system32\dllcache\ati2dvag.dll
2007-11-02 04:09 268,288 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-11-02 04:01 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-11-02 04:01 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-11-02 04:01 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-11-02 04:00 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-11-02 04:00 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-11-02 03:59 495,616 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-11-02 03:58 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-11-02 03:50 3,133,728 ----a-w C:\WINDOWS\system32\dllcache\ati3duag.dll
2007-11-02 03:50 3,133,728 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-11-02 03:39 1,602,176 ----a-w C:\WINDOWS\system32\dllcache\ativvaxx.dll
2007-11-02 03:39 1,602,176 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-11-02 03:35 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-11-02 03:26 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-11-02 03:24 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-11-02 03:22 49,152 ----a-w C:\WINDOWS\system32\drivers\ati2erec.dll
2007-11-02 03:22 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-11-02 03:16 499,712 ----a-w C:\WINDOWS\system32\dllcache\ati2cqag.dll
2007-11-02 03:16 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-10-25 16:44 12,880,384 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 09:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2004-08-04 19:00 60,416 --sha-w C:\WINDOWS\BricoPacks\SysFiles\80_msimn.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"µTorrent"="C:\Documents and Settings\Anders Ericson\Skrivebord\utorrent.exe" [2007-07-22 13:22]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SoundMan"="SOUNDMAN.EXE" [2005-06-08 08:31 C:\WINDOWS\SOUNDMAN.EXE]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 20:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00]
"eRecoveryService"="C:\Programfiler\Acer\eRecovery\Monitor.exe" [2005-06-20 09:03]
"ntiMUI"="C:\Programfiler\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 18:15]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 20:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-02-24 22:32 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 20:00 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"StartCCC"="C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"nod32kui"="D:\Programmer\NOD32\nod32kui.exe" [2007-12-04 00:19]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00]
C:\Documents and Settings\Anders Ericson\Start-meny\Programmer\Oppstart\
RocketDock.lnk - D:\Programmer\Win Themes\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 23:05:02]
UberIcon.lnk - D:\Programmer\Win Themes\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 08:43:08]
R0 viaagp1;VIA AGP Filter;C:\WINDOWS\system32\DRIVERS\viaagp1.sys
R1 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R2 int15.sys;int15.sys;\??\C:\Programfiler\acer\eRecovery\int15.sys
S3 AEOMDF;AEOMDF;C:\DOCUME~1\ANDERS~1\LOKALE~1\Temp\AEOMDF.exe
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> D:\Programmer\Win Themes\Vista Inspirat 2\UberIcon\UberIcon.dll
-> D:\Programmer\Win Themes\Vista Inspirat 2\RocketDock\RocketDock.dll
.
**************************************************************************
catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 00:32:53
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-10 0:33:37 - machine was rebooted
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:35:20, on 10.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Programmer\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programfiler\Acer\eRecovery\Monitor.exe
C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
D:\Programmer\NOD32\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Anders Ericson\Skrivebord\utorrent.exe
D:\Programmer\Win Themes\Vista Inspirat 2\RocketDock\RocketDock.exe
D:\Programmer\Win Themes\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
D:\Programmer\NOD32\nod32krn.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Programmer\Firefox\firefox.exe
D:\Programmer\Programmer\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eRecoveryService] C:\Programfiler\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Programfiler\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [startCCC] "C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Programmer\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Documents and Settings\Anders Ericson\Skrivebord\utorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RocketDock.lnk = D:\Programmer\Win Themes\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = D:\Programmer\Win Themes\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programmer\Ad-Aware 2007\aawservice.exe
O23 - Service: AEOMDF - Unknown owner - C:\DOCUME~1\ANDERS~1\LOKALE~1\Temp\AEOMDF.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Programmer\NOD32\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 5938 bytes

norbat, posted 10 December 2007:
Use Explorer to find and delete (in bold):
C:\WINDOWS\system32\fservice.exe.bat
Run a scan with NOD again and see whether it finds anything and, if so, where it is located.

MisfiT83 (thread author), posted 10 December 2007:
I can't find /fservice.exe.bat, only /fservice.exe, but I have scanned with NOD and Ad-Aware without them finding anything. Does that mean I'm rid of the crap, or what?

norbat, posted 10 December 2007:
That /fservice.exe has to go, so we'll try the following:
Download SDFix to the desktop.
Double-click SDFix.exe and it will unpack itself to a folder in C:\SDFix
Restart the PC in safe mode (tap F8 during startup, choose safe mode)
Open the SDFix folder and double-click 'RunThis.bat' to start the program
Choose Y to start the cleaning
The PC will restart, and SDFix will continue.
When you have done this, post a new HJT log + the log from SDFix (it will be saved as Report.txt in the SDFix folder).

MisfiT83 (thread author), posted 10 December 2007:
SDFix: Version 1.117
Run by Anders Ericson on 10.12.2007 at 18:03
Microsoft Windows XP [Versjon 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 18:06:33
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Documents and Settings\\Anders Ericson\\Skrivebord\\UTORRENT.EXE"="C:\\Documents and Settings\\Anders Ericson\\Skrivebord\\UTORRENT.EXE:*:Enabled:µTorrent"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
Files with Hidden Attributes:
Sun 30 Oct 2005 1,024 ...HR --- "C:\WINDOWS\system32\NTICDMK7.dll"
Sun 30 Oct 2005 1,024 ...HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
Sun 30 Oct 2005 1,024 ...HR --- "C:\WINDOWS\system32\NTIMP3.dll"
Sun 30 Oct 2005 1,024 ...HR --- "C:\WINDOWS\system32\NTIFCD3.dll"
Sun 30 Oct 2005 1,024 ...HR --- "C:\WINDOWS\system32\NTIBUN4.dll"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Programfiler\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\WINDOWS\BricoPacks\SysFiles\80_msimn.exe"
Finished!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:09:30, on 10.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Programmer\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Programmer\NOD32\nod32krn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programfiler\Acer\eRecovery\Monitor.exe
C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Programmer\NOD32\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Anders Ericson\Skrivebord\utorrent.exe
D:\Programmer\Win Themes\Vista Inspirat 2\RocketDock\RocketDock.exe
D:\Programmer\Win Themes\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
D:\Programmer\Firefox\firefox.exe
D:\Programmer\Programmer\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eRecoveryService] C:\Programfiler\Acer\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Programfiler\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [startCCC] "C:\Programfiler\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Programmer\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Documents and Settings\Anders Ericson\Skrivebord\utorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RocketDock.lnk = D:\Programmer\Win Themes\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = D:\Programmer\Win Themes\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Programmer\Ad-Aware 2007\aawservice.exe
O23 - Service: AEOMDF - Unknown owner - C:\DOCUME~1\ANDERS~1\LOKALE~1\Temp\AEOMDF.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Programmer\NOD32\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 6000 bytes
norbat Posted 10 December 2007

A bit of cleanup: Run HJT, choose "Do a system scan only", tick the following lines and click Fix checked:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: AEOMDF - Unknown owner - C:\DOCUME~1\ANDERS~1\LOKALE~1\Temp\AEOMDF.exe (file missing)

Click: Start->Run
Type: services.msc
Find and stop the following service if it is running, then right-click the service and set the startup type to Disabled: AEOMDF

Download CCleaner. Start the program. Go to 'Options'->'Advanced'. Untick: "Only delete temporary files......." Click 'Cleaner' and then 'Run CCleaner'.

Apart from this your logs look fine. How is the PC running otherwise?
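The two entries picked out in the post above share recognisable traits: a registry entry whose target file is gone, and a service started from a Temp folder. The script below is an added example, not part of the original thread and not HijackThis's own logic; the `triage` function and its two heuristics are assumptions, and the sample lines are copied from the log posted earlier in this thread.

```python
import re
from typing import NamedTuple

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "D:\Programmer\NOD32\nod32kui.exe" /WAITSERVICE
O23 - Service: AEOMDF - Unknown owner - C:\DOCUME~1\ANDERS~1\LOKALE~1\Temp\AEOMDF.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.+)$")        # e.g. "O23 - <body>"
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$")
TEMP_RE = re.compile(r"\\te?mp\\", re.IGNORECASE)      # path component Temp or Tmp


class Finding(NamedTuple):
    section: str
    entry: str
    reasons: tuple


def triage(log_text):
    """Return entries worth a second look (assumed heuristics, not HijackThis logic)."""
    findings = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue  # header, running-process list or blank line
        section, body = match.groups()
        reasons = []
        if ORPHAN_RE.search(body):
            reasons.append("registry entry points at a file that no longer exists")
        if section in ("O4", "O23") and TEMP_RE.search(body):
            reasons.append("autostart or service binary lives in a Temp directory")
        if reasons:
            findings.append(Finding(section, body, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.entry}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

A hit is a prompt for manual review, not a verdict: legitimate software also leaves orphaned entries behind after an uninstall.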
MisfiT83 (Author) Posted 10 December 2007

Done and done. Thank you so, so much for the help. How the PC is running, as in whether anything else isn't working 100%? Well, I think it should be completely fine now.
norbat Posted 10 December 2007

"How the PC is running, as in whether anything else isn't working 100%?"

No, more whether everything works OK with regard to the original problem. You should reset the restore folder so that you don't get infected again by a possible System Restore. Control Panel->System->System Restore. Tick "Turn off System Restore .....", restart the PC, then remove the tick again to re-enable the feature. Surf safely.