|
| MEGA led HiJack !!! Fra : molokyle | Vist : 1093 gange 350 point Dato : 20-10-07 16:55 |
|
ØV, ØV ..og 3 gange ØV !!!
Jeg har 'reddet' mig en MEGA led HiJack som sætter Google ind som startside
Den forhindre mig i at køre 'Joblisten' med en meddelelse om;
at funktionen er spærret af administrator !!!
ActiveX tilladelser er totalt 'fucked' op !
Med jævne mellemrum dukker en dialogbox op:
Citat [Windows Security Alert]
Warning! Potential Spyware Operation!
Your computor is making unathorized copies of your system and
Internet files. Run full scan to prevent any unathorized access
to your files. Click YES to download spyware remover...
[Ja] [Nej] |
Gu' vil jeg røv...
Det er en trojaner: Trojan.Qhost.my
..som hverken Superantispyware, AVG eller Ewido kan fjerne !!!
..ej heller vil Superantispyware og SpywareBlaster forhindre den i, at skifte startside
Den ligger i : C:\WINDOWS\SYSTEM32\DRIVERS\etc\hosts biblioteket.
Skidtet er kommet via en JAVA 'ting' som jeg uforvarende 'kom til' at klikke [Ja] til ..noget med en autorisation som så ud til at komme fra Sun !
Intallerede sig vha. (3) ... Simple...???...AL fil/-er
Hva' nu ???
HJÆLP !
</MOLOKYLE>
| |
| Kommentar Fra : arlet |
Dato : 20-10-07 16:58 |
| | |
| Kommentar Fra : molokyle |
Dato : 20-10-07 17:31 |
|
arlet ->
SuperAntiSpyware log ...fra tidligere scanning idag:
Citat SUPERAntiSpyware Scan Log
Generated 10/20/2007 at 04:08 PM
Application Version : 3.5.1016
Core Rules Database Version : 3328
Trace Rules Database Version: 1329
Scan type : Complete Scan
Total Scan Time : 01:10:27
Memory items scanned : 173
Memory threats detected : 0
Registry items scanned : 4919
Registry threats detected : 2
File items scanned : 31988
File threats detected : 0
Trojan.Net-AVP/AVT
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#WinAVX [ C:\WINDOWS\system32\WinAvXX.exe ]
HKU\S-1-5-21-1844237615-813497703-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Run#WinAVX [ C:\WINDOWS\system32\WinAvXX.exe ] |
Kører lige Combofix...
the1best -> Kryds fingre...
Alt er KAOS her i butikken ...ikke engang animerede GIF'er virker ..og der spørges konstant efter div. ActiveX og andre 'services' ..selv hér på kandu.dk
</MOLOKYLE>
| |
| Kommentar Fra : IPM |
Dato : 20-10-07 17:46 |
| | |
| Kommentar Fra : molokyle |
Dato : 20-10-07 18:00 |
|
Her er mine underbukser hængt til tørre:
Citat ComboFix 07-10-17.8@ - Molo 2007-10-20 17:47:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1030.18.242 [GMT 2:00]
Running from: C:\Documents and Settings\Henrik Motensen\Skrivebord\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\autorun.exe
C:\Documents and Settings\Henrik Motensen\Menuen Start\Programmer\Start\system.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\WinAvXX.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_IPRIP
((((((((((((((((((((((((( Files Created from 2007-09-20 to 2007-10-20 )))))))))))))))))))))))))))))))
.
2007-10-20 17:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-20 12:54 <DIR> d-------- C:\Programmer\SUPERAntiSpyware
2007-10-20 10:02 15,155 --a------ C:\WINDOWS\rofs115.exe
2007-10-20 09:44 15,155 --a------ C:\WINDOWS\rofs175.exe
2007-10-20 09:43 15,155 --a------ C:\WINDOWS\rofs163.exe
2007-10-20 09:43 15,155 --a------ C:\WINDOWS\rofs137.exe
2007-10-20 08:12 15,155 --a------ C:\WINDOWS\rofs162.exe
2007-10-20 08:12 7,432 --a------ C:\WINDOWS\xlavra3.exe
2007-09-20 05:21 4,382,752 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2007-09-20 05:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-20 15:54 54,476 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-20 10:54 --------- d-----w C:\Programmer\Fælles filer\Wise Installation Wizard
2007-10-20 10:54 --------- d-----w C:\Documents and Settings\Henrik Motensen\Application Data\SUPERAntiSpyware.com
2007-10-20 07:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-10-20 07:43 --------- d-----w C:\Programmer\SpywareBlaster
2007-10-04 19:50 --------- d-----w C:\Programmer\Java
2007-09-14 15:13 --------- d-----w C:\Programmer\Apple Software Update
2007-09-06 16:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-06 15:54 --------- d-----w C:\Programmer\Fælles filer\Apple
2007-09-06 15:54 --------- d-----r C:\Programmer\Fælles filer
2007-09-06 14:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 14:14 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-09-02 14:08 --------- d-----w C:\Programmer\Mp3Rec
2007-08-24 05:54 --------- d-----w C:\Programmer\Opera
2007-08-21 06:17 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-20 16:39 --------- d--h--w C:\Programmer\InstallShield Installation Information
2007-08-20 16:16 --------- d-----w C:\Programmer\Infogrames Interactive
2007-07-30 17:19 92,504 -c--a-w C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 17:19 43,352 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 17:19 271,224 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 17:19 207,736 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 17:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2005-05-10 18:54 266 --sh--w C:\Programmer\desktop.ini
2005-05-10 18:54 10,984 -c-ha-w C:\Programmer\folder.htt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-14 16:07]
"Zone Labs Client"="C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 14:00]
"SUPERAntiSpyware"="C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-10-20 17:26]
C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Post-it© Software Notes Lite.lnk - C:\Programmer\3M\PSNLite\PsnLite.exe [2003-10-09 15:08:32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL 2007-10-20 17:27 294912 C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\sulimo.dat
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Adobe Reader Hurtigstart.lnk]
path=C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Adobe Reader Hurtigstart.lnk
backup=C:\WINDOWS\pss\Adobe Reader Hurtigstart.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Pinnacle Scheduler.lnk]
path=C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Pinnacle Scheduler.lnk
backup=C:\WINDOWS\pss\Pinnacle Scheduler.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Henrik Motensen^Menuen Start^Programmer^Start^Registration-PCTV.lnk]
path=C:\Documents and Settings\Henrik Motensen\Menuen Start\Programmer\Start\Registration-PCTV.lnk
backup=C:\WINDOWS\pss\Registration-PCTV.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Programmer\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Programmer\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
"C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe"
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-09-14 15:13:28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmer\Apple Software Update\SoftwareUpdate.exe
"2007-10-20 03:57:50 C:\WINDOWS\Tasks\User_Feed_Synchronization-{D2D8FA16-FC69-4CB1-9A04-1FE51CD498AB}.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-20 17:57:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-20 18:04:02 - machine was rebooted
.
--- E O F --- |
</COMBOFIX LOG>
| |
| Kommentar Fra : molokyle |
Dato : 20-10-07 18:15 |
|
..og mine G-strengs Herre-trusser
Citat Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 18:19:34, on 20-10-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Programmer\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\CDBurnerXP Pro 3\Tools\NMSAccess.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WebUpdateSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Henrik Motensen\Skrivebord\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Programmer\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129889235747
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37610.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {EDAF796E-9210-4417-ADDC-2AB18E4F6C27} (Hjemmeside.KvikFoto) - http://www.123hjemmeside.dk/builder/pages/KvikFoto.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMSAccess - Unknown owner - C:\Programmer\CDBurnerXP Pro 3\Tools\NMSAccess.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Web Update Service by PowerProgrammer (WebUpdate) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc.exe
--
End of file - 6497 bytes |
</HIJACKTHIS LOG>
| |
| Kommentar Fra : molokyle |
Dato : 20-10-07 18:46 |
|
Hmmm.... ser ud til at problemet 'gik væk' ..efter, at ha' kørt combofix
..og sat Internet Explorers' sikkerhedsindstillinger til standard : Mellem-Høj
</MOLOKYLE>
| |
| Kommentar Fra : stl_s |
Dato : 20-10-07 20:50 |
| | |
| Kommentar Fra : Caine |
Dato : 21-10-07 01:21 |
| | |
| Kommentar Fra : molokyle |
Dato : 21-10-07 07:43 |
|
Rapport fra SmitFraudFix i fejlsikret tilstand:
Citat SmitFraudFix v2.240
Scan done at 6:56:13,58, 21-10-2007
Run from C:\Documents and Settings\Henrik Motensen\Skrivebord\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{481F7913-DA7C-4628-813C-773C93836916}: DhcpNameServer=193.162.159.194 193.162.145.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{481F7913-DA7C-4628-813C-773C93836916}: DhcpNameServer=193.162.159.194 193.162.145.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{481F7913-DA7C-4628-813C-773C93836916}: DhcpNameServer=193.162.159.194 193.162.145.130
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=193.162.159.194 193.162.145.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=193.162.159.194 193.162.145.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=193.162.159.194 193.162.145.130
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End |
..og fra HiJackThis i normal tilstand:
Citat Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 07:46:41, on 21-10-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\3M\PSNLite\PsnLite.exe
C:\Programmer\CDBurnerXP Pro 3\Tools\NMSAccess.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WebUpdateSvc.exe
C:\Documents and Settings\Henrik Motensen\Skrivebord\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Programmer\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129889235747
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37610.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {EDAF796E-9210-4417-ADDC-2AB18E4F6C27} (Hjemmeside.KvikFoto) - http://www.123hjemmeside.dk/builder/pages/KvikFoto.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMSAccess - Unknown owner - C:\Programmer\CDBurnerXP Pro 3\Tools\NMSAccess.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Web Update Service by PowerProgrammer (WebUpdate) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc.exe
--
End of file - 5897 bytes |
</MOLOKYLE>
| |
| Kommentar Fra : arlet |
Dato : 21-10-07 10:09 |
|
Hej Molokyle.
Så er jeg tilbage.. Kan jeg også få en ny combofix log, så vi kan få de evt sidste rester væk..
| |
| Kommentar Fra : molokyle |
Dato : 21-10-07 14:40 |
|
arlet -> Yes 'deer' ...of course ..my little dove ... ( Citat: W.C. Fields )
Here U R :
Citat ComboFix 07-10-17.8@ - Molo 2007-10-21 14:05:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1030.18.248 [GMT 2:00]
Running from: C:\Documents and Settings\Henrik Motensen\Skrivebord\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
.
2007-10-21 06:37 1,954 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-10-20 17:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-20 12:54 <DIR> d-------- C:\Programmer\SUPERAntiSpyware
2007-10-20 10:02 15,155 --a------ C:\WINDOWS\rofs115.exe
2007-10-20 09:44 15,155 --a------ C:\WINDOWS\rofs175.exe
2007-10-20 09:43 15,155 --a------ C:\WINDOWS\rofs163.exe
2007-10-20 09:43 15,155 --a------ C:\WINDOWS\rofs137.exe
2007-10-20 08:12 15,155 --a------ C:\WINDOWS\rofs162.exe
2007-10-20 08:12 7,432 --a------ C:\WINDOWS\xlavra3.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 12:11 4,712,480 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-21 06:50 58,100 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-20 10:54 --------- d-----w C:\Programmer\Fælles filer\Wise Installation Wizard
2007-10-20 10:54 --------- d-----w C:\Documents and Settings\Henrik Motensen\Application Data\SUPERAntiSpyware.com
2007-10-20 07:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-10-20 07:43 --------- d-----w C:\Programmer\SpywareBlaster
2007-10-04 19:50 --------- d-----w C:\Programmer\Java
2007-09-20 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-09-14 15:13 --------- d-----w C:\Programmer\Apple Software Update
2007-09-06 16:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-06 15:54 --------- d-----w C:\Programmer\Fælles filer\Apple
2007-09-06 15:54 --------- d-----r C:\Programmer\Fælles filer
2007-09-06 14:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 14:14 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-09-02 14:08 --------- d-----w C:\Programmer\Mp3Rec
2007-08-24 05:54 --------- d-----w C:\Programmer\Opera
2007-08-21 06:17 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-07-30 17:19 92,504 -c--a-w C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 17:19 43,352 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 17:19 271,224 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 17:19 207,736 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 17:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2005-05-10 18:54 266 --sh--w C:\Programmer\desktop.ini
2005-05-10 18:54 10,984 -c-ha-w C:\Programmer\folder.htt
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-14 16:07]
"Zone Labs Client"="C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 14:00]
C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Post-it© Software Notes Lite.lnk - C:\Programmer\3M\PSNLite\PsnLite.exe [2003-10-09 15:08:32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL 2007-10-20 17:27 294912 C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Adobe Reader Hurtigstart.lnk]
path=C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Adobe Reader Hurtigstart.lnk
backup=C:\WINDOWS\pss\Adobe Reader Hurtigstart.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Pinnacle Scheduler.lnk]
path=C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Pinnacle Scheduler.lnk
backup=C:\WINDOWS\pss\Pinnacle Scheduler.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Henrik Motensen^Menuen Start^Programmer^Start^Registration-PCTV.lnk]
path=C:\Documents and Settings\Henrik Motensen\Menuen Start\Programmer\Start\Registration-PCTV.lnk
backup=C:\WINDOWS\pss\Registration-PCTV.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Programmer\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Programmer\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
"C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe"
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-09-14 15:13:28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmer\Apple Software Update\SoftwareUpdate.exe
"2007-10-21 05:33:36 C:\WINDOWS\Tasks\User_Feed_Synchronization-{D2D8FA16-FC69-4CB1-9A04-1FE51CD498AB}.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 14:11:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-21 14:14:13
C:\ComboFix2.txt ... 2007-10-20 18:04
.
--- E O F --- |
..og jeg kan STADIG ik' se animerede GIF'er i IE7 !
I andre billedvisningsprogrammer (XnView og det 'indbyggede': Windows Billed- og faxfremviser) virker det ok.
..min skrivebords-baggrundsfarve er skiftet tilbage til Windows Classic' blå (..jeg kører også Windows layout klassisk 'skrivebordstema') i stedet for sort som jeg havde valgt før, men betyder intet.
Startsiden ændrede sig ved kørsel af føromtalte SmitFraudFix til Windows MSN's startside, men den har jeg uden problemer atter sat tilbage til about:blank
Hold da kæft en masse bøvl for såd'n et enkelt lille uopmærksomt klik
Hva' handler Trojan.Qhost.my skidtet iøvrigt om? ..og hvem står bag?
</MOLOKYLE>
| |
| Kommentar Fra : arlet |
Dato : 21-10-07 14:50 |
|
Ja, og der er stadig noget..
Kopiér indholdet mellem de stiplede linier ind i et notepad-vindue, og gem indholdet i samme mappe, som Combofix ligger med navnet CFScript.txt.
Når du gemmer, skal du sikre, at der under "filtyper" står "alle filer".
-------------------------
File::
C:\WINDOWS\rofs115.exe
C:\WINDOWS\rofs175.exe
C:\WINDOWS\rofs163.exe
C:\WINDOWS\rofs137.exe
C:\WINDOWS\rofs162.exe
C:\WINDOWS\xlavra3.exe
-------------------------
Tag så fat i den nye fil med musen, og før den hen over Combofix-filen, hvorefter du "giver slip" med musen. - http://www.fromsej.saknet.dk/billeder/cfscript.gif
Så skulle Combofix gerne give sig til at arbejde. Muligvis vil den kræve en genstart, hvilket du skal tillade. Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.
Kopier indholdet af Combofix.txt her ind sammen med en ny hijackthis log
Vi renser først computeren helt, så må vi kigge på de andre problemer bagefter, okay??
| |
| Kommentar Fra : molokyle |
Dato : 21-10-07 15:44 |
|
Hø hø... Dét ku' jeg da godt selv regne ud ...altså
Præcis som dén 'flabethed' stl_s kom med tidligere:
Citat 2. Genstart i fejlsikret tilstand. Hvis du ikke ved hvordan, så kig her (Scroll ned til "Sådan får du adgang til fejlsikret tilstand") http://kimludvigsen.dk/tips-windows-fejlsikret.html |
Ok. Back to basic...
ComboFix log ...MED opstart vha. CFScript.txt:
Citat ComboFix 07-10-17.8@ - Molo 2007-10-21 15:26:46.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1030.18.228 [GMT 2:00]
Running from: C:\Documents and Settings\Henrik Motensen\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Henrik Motensen\Skrivebord\CFScript.txt
* Created a new restore point
FILE::
C:\WINDOWS\rofs115.exe
C:\WINDOWS\rofs137.exe
C:\WINDOWS\rofs162.exe
C:\WINDOWS\rofs163.exe
C:\WINDOWS\rofs175.exe
C:\WINDOWS\xlavra3.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\rofs115.exe
C:\WINDOWS\rofs137.exe
C:\WINDOWS\rofs162.exe
C:\WINDOWS\rofs163.exe
C:\WINDOWS\rofs175.exe
C:\WINDOWS\xlavra3.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
.
2007-10-21 06:37 1,954 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-10-20 17:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-20 12:54 <DIR> d-------- C:\Programmer\SUPERAntiSpyware
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 13:31 4,771,872 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-21 12:15 58,436 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-20 10:54 --------- d-----w C:\Programmer\Fælles filer\Wise Installation Wizard
2007-10-20 10:54 --------- d-----w C:\Documents and Settings\Henrik Motensen\Application Data\SUPERAntiSpyware.com
2007-10-20 07:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-10-20 07:43 --------- d-----w C:\Programmer\SpywareBlaster
2007-10-04 19:50 --------- d-----w C:\Programmer\Java
2007-09-20 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-09-14 15:13 --------- d-----w C:\Programmer\Apple Software Update
2007-09-06 16:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-06 15:54 --------- d-----w C:\Programmer\Fælles filer\Apple
2007-09-06 15:54 --------- d-----r C:\Programmer\Fælles filer
2007-09-06 14:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 14:14 1,086,952 ----a-w C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-09-02 14:08 --------- d-----w C:\Programmer\Mp3Rec
2007-08-24 05:54 --------- d-----w C:\Programmer\Opera
2007-08-21 06:17 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-07-30 17:19 92,504 -c--a-w C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 17:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 17:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 17:19 43,352 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 17:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 17:19 271,224 ----a-w C:\WINDOWS\SYSTEM32\mucltui.dll
2007-07-30 17:19 207,736 ----a-w C:\WINDOWS\SYSTEM32\muweb.dll
2007-07-30 17:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 17:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 17:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2005-05-10 18:54 266 --sh--w C:\Programmer\desktop.ini
2005-05-10 18:54 10,984 -c-ha-w C:\Programmer\folder.htt
.
((((((((((((((((((((((((((((( snapshot@2007-10-20_18.02.50.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-21 12:18:18 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_14c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-14 16:07]
"Zone Labs Client"="C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 14:00]
C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Post-it© Software Notes Lite.lnk - C:\Programmer\3M\PSNLite\PsnLite.exe [2003-10-09 15:08:32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL 2007-10-20 17:27 294912 C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Adobe Reader Hurtigstart.lnk]
path=C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Adobe Reader Hurtigstart.lnk
backup=C:\WINDOWS\pss\Adobe Reader Hurtigstart.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menuen Start^Programmer^Start^Pinnacle Scheduler.lnk]
path=C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Pinnacle Scheduler.lnk
backup=C:\WINDOWS\pss\Pinnacle Scheduler.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Henrik Motensen^Menuen Start^Programmer^Start^Registration-PCTV.lnk]
path=C:\Documents and Settings\Henrik Motensen\Menuen Start\Programmer\Start\Registration-PCTV.lnk
backup=C:\WINDOWS\pss\Registration-PCTV.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Programmer\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Programmer\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
"C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe"
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-09-14 15:13:28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmer\Apple Software Update\SoftwareUpdate.exe
"2007-10-21 05:33:36 C:\WINDOWS\Tasks\User_Feed_Synchronization-{D2D8FA16-FC69-4CB1-9A04-1FE51CD498AB}.job"
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 15:33:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-21 15:36:03
C:\ComboFix2.txt ... 2007-10-21 14:14
C:\ComboFix3.txt ... 2007-10-20 18:04
.
--- E O F --- |
..OG en HiJackThis log ..EFTER en obligatorisk genstart:
Citat Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:42:17, on 21-10-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Programmer\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\CDBurnerXP Pro 3\Tools\NMSAccess.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WebUpdateSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Henrik Motensen\Skrivebord\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programmer\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Programmer\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129889235747
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37610.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {EDAF796E-9210-4417-ADDC-2AB18E4F6C27} (Hjemmeside.KvikFoto) - http://www.123hjemmeside.dk/builder/pages/KvikFoto.CAB
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMSAccess - Unknown owner - C:\Programmer\CDBurnerXP Pro 3\Tools\NMSAccess.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Web Update Service by PowerProgrammer (WebUpdate) - Data Perceptions / PowerProgrammer - C:\WINDOWS\system32\WebUpdateSvc.exe
--
End of file - 6115 bytes |
</MOLOKYLE>
| |
| Kommentar Fra : arlet |
Dato : 21-10-07 15:51 |
|
Så ser det noget bedre ud..
Hvordan står det så til med dine problemer??
| |
| Kommentar Fra : stl_s |
Dato : 21-10-07 16:02 |
|
Citat Præcis som dén 'flabethed' stl_s kom med tidligere: |
OHOOH, fornærmet HEHE . Ja, du må også lide under mine standardvejledninger. Ingen særbehandling her .
Og nu har jeg snart sagt det så mange gange til dig. AVG SUCKS!!! Kyl det ud, og smut ind og kig på vores sikkerhedspakke, så vi ikke skal ligge og rense dig i tide og utide http://www.malwarecheck.dk/forum/viewtopic.php?t=156
| |
| Kommentar Fra : molokyle |
Dato : 21-10-07 16:10 |
|
arlet -> Tjaeh... det kører sgu meget gnidningsløst, men STADIG ingen understøttelse af animerede GIF89a i IE. De vises præcis som GIF87 ..altså 1. frame.
Noget jeg har overset?
stl_s -> Tjaeh... efter dagens morderligt 'spændende' begivenheder, så ka' det da overvejes ...måske, at kigge efter en anden sikkerheds-'ting' end AVG.
Avast evt.?
</MOLOKYLE>
| |
| Accepteret svar Fra : arlet | Modtaget 350 point Dato : 21-10-07 16:18 |
|
Jeg havde et meget lille håb at dit problem måske bare forsvandt, når vi rensede dig, for jeg har ikke umiddelbart noget løsning på det problem..
Måske stl_s har et løsningsforslag eller andre??
| |
| Kommentar Fra : stl_s |
Dato : 21-10-07 16:28 |
| | |
| Kommentar Fra : molokyle |
Dato : 21-10-07 16:28 |
|
Det har jeg selv !
Flueben ved: 'Afspil animationer på websider' *
(* Kræver genstart af Explorer.)
..under:
Funktioner (Værktøjer ALT + u) -> Internetindstillinger -> fanen; "Avanceret"
</MOLOKYLE>
| |
| Kommentar Fra : molokyle |
Dato : 21-10-07 16:31 |
|
stl_s -> Avast vil være en stor forbedring... læste jeg som:
ALT vil være en stor forbedring
..men for gammelt venskab skyld ?
..vil jeg lade arlet få påængårnø !
</MOLOKYLE>
| |
| Godkendelse af svar Fra : molokyle |
Dato : 21-10-07 16:33 |
|
arlet - Giv lidt påængår til stl_s
..men behold bare stjernerne
</MOLOKYLE>
| |
| Kommentar Fra : arlet |
Dato : 21-10-07 16:36 |
| | |
| Du har følgende muligheder | |
|
Eftersom du ikke er logget ind i systemet, kan du ikke skrive et indlæg til dette spørgsmål.
Hvis du ikke allerede er registreret, kan du gratis blive medlem, ved at trykke på "Bliv medlem" ude i menuen.
| |
|
|