
(SOLVED) Help checking whether spyware has been removed?



My mother-in-law has a PC with lots of spyware and advertising popups that appear regardless of whether the browser is active or not. I followed the long version after first scanning with NOD antivirus. Can someone help me check these logs, which I produced in this order: SAS, ComboFix, HJT and finally DSS:

 

SAS and ComboFix:

 

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 06/22/2008 at 06:00 PM

 

Application Version : 4.15.1000

 

Core Rules Database Version : 3487

Trace Rules Database Version: 1478

 

Scan type : Complete Scan

Total Scan Time : 00:15:12

 

Memory items scanned : 360

Memory threats detected : 3

Registry items scanned : 3639

Registry threats detected : 14

File items scanned : 11703

File threats detected : 6

 

Trojan.Vundo-Variant/Small-GEN

C:\WINDOWS\SYSTEM32\YAYASPIY.DLL

C:\WINDOWS\SYSTEM32\YAYASPIY.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7588F3E3-0F4B-4680-B225-BB186E940EFB}

HKCR\CLSID\{7588F3E3-0F4B-4680-B225-BB186E940EFB}

HKCR\CLSID\{7588F3E3-0F4B-4680-B225-BB186E940EFB}\InprocServer32

HKCR\CLSID\{7588F3E3-0F4B-4680-B225-BB186E940EFB}\InprocServer32#ThreadingModel

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF12140C-0DB4-4681-A6C9-FF06A8106F7F}

HKCR\CLSID\{FF12140C-0DB4-4681-A6C9-FF06A8106F7F}

HKCR\CLSID\{FF12140C-0DB4-4681-A6C9-FF06A8106F7F}\InprocServer32

HKCR\CLSID\{FF12140C-0DB4-4681-A6C9-FF06A8106F7F}\InprocServer32#ThreadingModel

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{7588F3E3-0F4B-4680-B225-BB186E940EFB}

Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\yayAsPIY

 

Adware.Vundo Variant/Resident

C:\WINDOWS\SYSTEM32\PMNNLFXW.DLL

C:\WINDOWS\SYSTEM32\PMNNLFXW.DLL

 

Trojan.Downloader-NewJuan/VM

C:\WINDOWS\SYSTEM32\MQPGALOA.DLL

C:\WINDOWS\SYSTEM32\MQPGALOA.DLL

 

Adware.Tracking Cookie

C:\Documents and Settings\Sølvi Mortensen\Cookies\sølvi mortensen@atdmt[1].txt

 

Adware.Vundo Variant/Rel

HKLM\SOFTWARE\Microsoft\aoprndtws

HKLM\SOFTWARE\Microsoft\FCOVM

HKLM\SOFTWARE\Microsoft\RemoveRP

HKU\S-1-5-21-2603466749-2068983365-1829074164-1005\Software\Microsoft\rdfa

 

Adware.Lop

C:\DOCUMENTS AND SETTINGS\SøLVI MORTENSEN\PROGRAMDATA\ACEBITSSITE\SURF SOFTWARE SIZE.EXE

C:\WINDOWS\Prefetch\SURF SOFTWARE SIZE.EXE-05105783.pf

 

 

 

ComboFix 08-06-20.4 - 2008-06-22 18:12:30.1 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.114 [GMT 2:00]

Running from: C:\Documents and Settings\\Skrivebord\ComboFix.exe

* Created a new restore point

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINDOWS\cookies.ini

C:\WINDOWS\Downloaded Program Files\Quarantine

C:\WINDOWS\system32\afclrfem.ini

C:\WINDOWS\system32\ahfgnxyy.dll

C:\WINDOWS\system32\bgarslxv.dll

C:\WINDOWS\system32\eusxtnve.dll

C:\WINDOWS\system32\jvbpyeqw.ini

C:\WINDOWS\system32\ktsgrraa.dll

C:\WINDOWS\system32\ljfgrlmj.dll

C:\WINDOWS\system32\luhoeybw.dll

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\mefrlcfa.dll

C:\WINDOWS\system32\rxcxxobb.ini

C:\WINDOWS\system32\shmirkhe.dll

C:\WINDOWS\system32\tfwrlftv.dll

C:\WINDOWS\system32\wwuttrbp.ini

C:\WINDOWS\system32\WxFLnnmp.ini

C:\WINDOWS\system32\WxFLnnmp.ini2

C:\WINDOWS\system32\yqmyamyf.dll

C:\WINDOWS\system32\yyxngfha.ini

C:\WINDOWS\system32\aarrgstk.ini

D:\Autorun.inf

 

.

((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))

.

 

2008-06-22 17:38 . 2008-06-22 17:38 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2008-06-22 17:38 . 2008-06-22 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com

2008-06-22 17:37 . 2008-06-22 17:37 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard

2008-06-22 17:25 . 2008-06-22 17:25 <DIR> d-------- C:\Programfiler\CCleaner

2008-06-22 08:46 . 2008-06-22 08:47 84,288 --a------ C:\WINDOWS\system32\wqeypbvj.dll

2008-06-22 08:43 . 2008-06-22 08:43 40,960 --a------ C:\WINDOWS\system32\qqfmoomg.dll

2008-06-22 08:39 . 2008-06-22 08:40 90,464 --a------ C:\WINDOWS\system32\hctkihfd.dll

2008-06-22 08:34 . 2008-06-22 08:34 90,320 --a------ C:\WINDOWS\system32\qcaeiybk.dll

2008-06-20 22:42 . 2008-06-20 22:43 84,176 --a------ C:\WINDOWS\system32\pbrttuww.dll

2008-06-20 22:39 . 2008-06-20 22:39 40,960 --a------ C:\WINDOWS\system32\aupjlkki.dll

2008-06-20 22:36 . 2008-06-20 22:37 90,320 --a------ C:\WINDOWS\system32\ncgvxjev.dll

2008-06-19 22:41 . 2008-06-19 22:41 40,960 --a------ C:\WINDOWS\system32\jgneomui.dll

2008-06-18 22:43 . 2008-06-18 22:43 40,960 --a------ C:\WINDOWS\system32\luubddtb.dll

2008-06-18 21:28 . 2008-06-18 21:28 <DIR> d--hs---- C:\FOUND.010

2008-06-17 22:50 . 2008-06-17 22:50 40,960 --a------ C:\WINDOWS\system32\tluvqrax.dll

2008-06-12 08:19 . 2008-04-14 17:54 272,256 --------- C:\WINDOWS\system32\drivers\bthport.sys

2008-06-12 08:19 . 2008-04-14 17:54 272,256 --------- C:\WINDOWS\system32\dllcache\bthport.sys

2008-06-04 00:03 . 2008-06-04 00:03 <DIR> d-------- C:\Programfiler\acebitssite

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys

2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys

2008-05-07 05:16 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll

2008-05-07 05:16 1,290,752 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll

2008-04-17 10:52 18,432 ----a-w C:\WINDOWS\system32\dllcache\iedw.exe

2008-03-25 04:52 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll

2008-03-25 04:52 621,344 ----a-w C:\WINDOWS\system32\dllcache\mswstr10.dll

2008-03-25 04:52 166,688 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-25 04:52 166,688 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fdd2aaa-3089-4f94-8d97-756216bbbc78}]

C:\WINDOWS\system32\mqpgaloa.dll

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]

"MsnMsgr"="C:\Programfiler\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]

"deleteshow"="C:\DOCUME~1\SØLVIM~1\PROGRA~1\ACEBIT~1\SURF SOFTWARE SIZE.exe" [ ]

"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" []

"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 23:44 98394]

"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 23:43 688218]

"SoundMan"="SOUNDMAN.EXE" [2005-02-23 18:13 77824 C:\WINDOWS\SOUNDMAN.EXE]

"AGRSMMSG"="AGRSMMSG.exe" [2004-10-07 19:50 88363 C:\WINDOWS\AGRSMMSG.exe]

"SiSPower"="SiSPower.dll" [2005-02-25 19:35 49152 C:\WINDOWS\system32\SiSPower.dll]

"SiS Windows KeyHook"="C:\WINDOWS\system32\keyhook.exe" [2005-03-04 13:13 32768]

"PCMService"="C:\Programfiler\Arcade\PCMService.exe" [2005-03-09 18:59 49152]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 20:00 208952]

"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 20:00 59392]

"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 20:00 455168]

"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 20:00 455168]

"LManager"="C:\Programfiler\Launch Manager\QtZgAcer.EXE" [2005-03-28 12:30 315392]

"eRecoveryService"="C:\Windows\System32\Check.exe" [2005-03-23 10:01 245760]

"nod32kui"="C:\Programfiler\Eset\nod32kui.exe" [2006-02-05 19:27 917504]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"HelpBindRuleSurf"="C:\Documents and Settings\All Users\Programdata\AntiFileHelpBind\MeowStart.exe" [ ]

"09541673"="C:\WINDOWS\system32\bboxxcxr.dll" [ ]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]

 

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-03-07 22:00:56 331776]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programfiler\\Windows Live Messenger Khalid Edition v5.0\\msnmsgr.exe"=

"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=

"C:\\Programfiler\\MSN Messenger\\livecall.exe"=

 

R3 int15.sys;int15.sys;C:\Programfiler\acer\eRecovery\int15.sys [2005-01-13 14:46]

R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;C:\WINDOWS\system32\DRIVERS\sisnicxp.sys [2004-11-05 01:43]

 

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-22 18:16:54

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Acer\eManager\anbmServ.exe

C:\Programfiler\Eset\nod32krn.exe

C:\WINDOWS\system32\rundll32.exe

C:\Programfiler\acer\eRecovery\Monitor.exe

.

**************************************************************************

.

Completion time: 2008-06-22 18:18:49 - machine was rebooted

ComboFix-quarantined-files.txt 2008-06-22 16:18:44

 

Pre-Run: 30,889,115,648 byte ledig

Post-Run: 30,838,652,928 byte ledig

 

136 --- E O F --- 2008-06-13 07:55:55

 

 

 

 

 

 

HJT:

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:39:22, on 22.06.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Acer\eManager\anbmServ.exe

C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\keyhook.exe

C:\Programfiler\Arcade\PCMService.exe

C:\Programfiler\Eset\nod32krn.exe

C:\Programfiler\Launch Manager\QtZgAcer.EXE

C:\Programfiler\Eset\nod32kui.exe

C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\sistray.exe

C:\Programfiler\acer\eRecovery\Monitor.exe

C:\Programfiler\Mozilla Firefox\firefox.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: {87cbbb61-2657-79d8-49f4-9803aaa2ddf5} - {5fdd2aaa-3089-4f94-8d97-756216bbbc78} - C:\WINDOWS\system32\mqpgaloa.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [LaunchApp] Alaunch

O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe

O4 - HKLM\..\Run: [PCMService] "C:\Programfiler\Arcade\PCMService.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [LManager] C:\Programfiler\Launch Manager\QtZgAcer.EXE

O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [HelpBindRuleSurf] C:\Documents and Settings\All Users\Programdata\AntiFileHelpBind\MeowStart.exe

O4 - HKLM\..\Run: [09541673] rundll32.exe "C:\WINDOWS\system32\bboxxcxr.dll",b

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [deleteshow] C:\DOCUME~1\SØLVIM~1\PROGRA~1\ACEBIT~1\SURF SOFTWARE SIZE.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programfiler\Eset\nod32krn.exe

 

--

End of file - 5413 bytes

 

 

 

Finally, DSS:

 

Deckard's System Scanner v20071014.68

Run by on 2008-06-22 18:46:24

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

-- System Restore --------------------------------------------------------------

 

Successfully created a Deckard's System Scanner Restore Point.

 

 

-- Last 5 Restore Point(s) --

71: 2008-06-22 16:46:31 UTC - RP674 - Deckard's System Scanner Restore Point

70: 2008-06-22 16:29:07 UTC - RP673 - Software Distribution Service 3.0

69: 2008-06-22 16:12:03 UTC - RP672 - ComboFix created restore point

68: 2008-06-22 15:38:02 UTC - RP671 - Installed SUPERAntiSpyware Free Edition

67: 2008-06-22 07:24:57 UTC - RP670 - Kontrollpunkt for system

 

 

-- First Restore Point --

1: 2008-06-14 17:49:23 UTC - RP604 - Kontrollpunkt for system

 

 

Backed up registry hives.

Performed disk cleanup.

 

Total Physical Memory: 447 MiB (512 MiB recommended).

 

 

-- HijackThis (run as ) -------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:47:04, on 22.06.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Acer\eManager\anbmServ.exe

C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\keyhook.exe

C:\Programfiler\Arcade\PCMService.exe

C:\Programfiler\Eset\nod32krn.exe

C:\Programfiler\Launch Manager\QtZgAcer.EXE

C:\Programfiler\Eset\nod32kui.exe

C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\sistray.exe

C:\Programfiler\acer\eRecovery\Monitor.exe

C:\Documents and Settings\Sølvi Mortensen\Skrivebord\dss.exe

C:\PROGRA~1\TRENDM~1\HIJACK~1\Sølvi Mortensen.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: {87cbbb61-2657-79d8-49f4-9803aaa2ddf5} - {5fdd2aaa-3089-4f94-8d97-756216bbbc78} - C:\WINDOWS\system32\mqpgaloa.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [LaunchApp] Alaunch

O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe

O4 - HKLM\..\Run: [PCMService] "C:\Programfiler\Arcade\PCMService.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [LManager] C:\Programfiler\Launch Manager\QtZgAcer.EXE

O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [HelpBindRuleSurf] C:\Documents and Settings\All Users\Programdata\AntiFileHelpBind\MeowStart.exe

O4 - HKLM\..\Run: [09541673] rundll32.exe "C:\WINDOWS\system32\bboxxcxr.dll",b

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [deleteshow] C:\DOCUME~1\SØLVIM~1\PROGRA~1\ACEBIT~1\SURF SOFTWARE SIZE.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programfiler\Eset\nod32krn.exe

 

--

End of file - 5426 bytes

 

Edited by Anaesthesis

Open Notepad and copy in what is shown in bold below, then save the file on the desktop as CFScript.txt.

Then drag the file onto the ComboFix icon. ComboFix will start again.

 

File::

C:\WINDOWS\system32\wqeypbvj.dll

C:\WINDOWS\system32\qqfmoomg.dll

C:\WINDOWS\system32\hctkihfd.dll

C:\WINDOWS\system32\qcaeiybk.dll

C:\WINDOWS\system32\pbrttuww.dll

C:\WINDOWS\system32\aupjlkki.dll

C:\WINDOWS\system32\ncgvxjev.dll

C:\WINDOWS\system32\jgneomui.dll

C:\WINDOWS\system32\luubddtb.dll

C:\WINDOWS\system32\tluvqrax.dll

 

Folder::

C:\Documents and Settings\All Users\Programdata\AntiFileHelpBind

 

Registry:

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fdd2aaa-3089-4f94-8d97-756216bbbc78}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"deleteshow"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HelpBindRuleSurf"=-

"09541673"=-

 

Post a new ComboFix log + a new HJT log.

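The helper above picked out the bad entries by eye: a BHO whose DLL is already gone, a Run entry with a purely numeric name, an executable launched from All Users\Programdata, and DLLs with random eight-letter names. The script below is an added illustration, not part of the thread, that applies the same triage to HijackThis lines and then diffs a before/after log pair to confirm that every flagged entry actually disappeared. The sample lines are copied from the two HJT logs in this thread; the heuristics (vowel count, consonant runs, the Programdata rule) are this example's assumptions and will produce false positives that still need a human look.

```python
"""Triage helper for HijackThis logs: flag suspicious O2/O4 entries and diff a
before/after log pair to confirm what a removal script actually took out."""
from __future__ import annotations
import re

# Constructed sample: lines copied from the thread's first HJT log (22.06.2008,
# before the CFScript run) and from the follow-up log (23.06.2008).
HJT_BEFORE = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Programfiler\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: {87cbbb61-2657-79d8-49f4-9803aaa2ddf5} - {5fdd2aaa-3089-4f94-8d97-756216bbbc78} - C:\\WINDOWS\\system32\\mqpgaloa.dll (file missing)
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Programfiler\\Eset\\nod32kui.exe" /WAITSERVICE
O4 - HKLM\\..\\Run: [HelpBindRuleSurf] C:\\Documents and Settings\\All Users\\Programdata\\AntiFileHelpBind\\MeowStart.exe
O4 - HKLM\\..\\Run: [09541673] rundll32.exe "C:\\WINDOWS\\system32\\bboxxcxr.dll",b
O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\ctfmon.exe
"""
HJT_AFTER = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Programfiler\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Programfiler\\Eset\\nod32kui.exe" /WAITSERVICE
O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# "O4 - <hive>\..\Run: [<name>] <command>"  (HKUS\S-1-5-xx hives included)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O2 - BHO: <title> - {CLSID} - <path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<title>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
DLL_RE = re.compile(r"([A-Za-z0-9_~]+)\.dll", re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Assumed heuristic for generated names like 'bboxxcxr' or 'mqpgaloa':
    exactly eight lowercase letters with almost no vowels or a run of four or
    more consonants. Legit DLLs can trip it; it only prioritises review."""
    if not re.fullmatch(r"[a-z]{8}", stem):
        return False
    vowels = sum(c in "aeiouy" for c in stem)
    longest_run = max(len(run) for run in re.split(r"[aeiouy]", stem))
    return vowels <= 1 or longest_run >= 4


def _random_dll(text: str) -> bool:
    return any(looks_random(m.group(1).lower()) for m in DLL_RE.finditer(text))


def triage(log: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for entries that deserve a closer look."""
    findings = []
    for line in (l.strip() for l in log.splitlines()):
        m = O2_RE.match(line)
        if m:
            if "(file missing)" in m["path"]:
                findings.append(("BHO registered but its DLL is missing", line))
            elif _random_dll(m["path"]):
                findings.append(("BHO DLL has a random-looking name", line))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"].lower()
        if m["name"].isdigit():
            findings.append(("Run entry with a purely numeric name", line))
        elif _random_dll(cmd):
            findings.append(("Run entry loads a random-looking DLL", line))
        elif "\\all users\\programdata\\" in cmd:
            findings.append(("Run entry starts an executable from All Users\\Programdata", line))
    return findings


def diff_logs(before: str, after: str) -> dict[str, list[str]]:
    """Entries present only in the earlier log (removed) or only in the later one (new)."""
    b = {l.strip() for l in before.splitlines() if l.strip()}
    a = {l.strip() for l in after.splitlines() if l.strip()}
    return {"removed": sorted(b - a), "new": sorted(a - b)}


def unresolved(before: str, after: str) -> list[tuple[str, str]]:
    """Flagged entries from the earlier log that survive into the later one."""
    still_there = {l.strip() for l in after.splitlines()}
    return [f for f in triage(before) if f[1] in still_there]


if __name__ == "__main__":
    for reason, line in triage(HJT_BEFORE):
        print(f"[{reason}] {line}")
    print("removed:", len(diff_logs(HJT_BEFORE, HJT_AFTER)["removed"]),
          "unresolved:", len(unresolved(HJT_BEFORE, HJT_AFTER)))
```

The same `diff_logs` works on any two HijackThis logs saved as text; an empty `unresolved` list is the check the helper performs by asking for a fresh HJT log after the fix.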

Thanks. I got a NOD antivirus alert when ComboFix ran after I started it with the text file you posted above. It warned about a change to a text file called AV-test.txt, but that was put in quarantine. Otherwise the test went fine.

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:36:06, on 23.06.2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Acer\eManager\anbmServ.exe

C:\Programfiler\Eset\nod32krn.exe

C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\keyhook.exe

C:\Programfiler\Arcade\PCMService.exe

C:\Programfiler\Launch Manager\QtZgAcer.EXE

C:\Programfiler\Eset\nod32kui.exe

C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\sistray.exe

C:\Programfiler\acer\eRecovery\Monitor.exe

C:\Programfiler\Mozilla Firefox\firefox.exe

C:\WINDOWS\explorer.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [LaunchApp] Alaunch

O4 - HKLM\..\Run: [synTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [siSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe

O4 - HKLM\..\Run: [PCMService] "C:\Programfiler\Arcade\PCMService.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [LManager] C:\Programfiler\Launch Manager\QtZgAcer.EXE

O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Programfiler\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - http://www.pestpatrol.com/pestscan/pestscan.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Programfiler\Eset\nod32krn.exe

 

--

End of file - 5138 bytes

 

 

 

The ComboFix log is too big to fit in the spoiler..

ComboFix.txt

Edited by Anaesthesis

This looks fine :thumbup:

 

Use Explorer to find and delete the folder:

C:\Programfiler\acebitssit

 

Clean out temp files. You can use CCleaner for that:

Download CCleaner. Start the program. Go to 'Options'->'Advanced'. Untick the box in front of: "only delete temporary files......." Click 'Cleaner' and then 'Run CCleaner'.

 

Remove ComboFix by typing combofix /u in the Run box (Start->Run)

 

Is the PC running fine?

Thanks a lot for the help!

 

The PC runs like a dream. Do you have any tips for a program that can be installed to monitor / prevent new spyware? I found Ad-Aware SE Pro installed on the PC, and it works with the latest definitions. But is it worth having? Your procedure found over 42 trojans and other threats, after all?

Edited by Anaesthesis

Ad-Aware is as good as what you pay for it, i.e. 0 :)

 

Ad-Aware is a perfectly decent program, but there are far better ones, SAS among others.

If you want to use SAS (and the other free programs, for that matter) to monitor the PC and keep malware from getting in, you should go for the paid versions, since those have real-time scanning (they monitor the data stream continuously).
