emilfini (Beginner)
9 September 2006 - 12:43. There are 7 comments and 2 solutions.

tsa - various logs are here

SUPERAntiSpyware Scan Log
Generated 09/08/2006 at 10:23 PM

Core Rules Database Version : 3077
Trace Rules Database Version: 1113

Memory threats detected  : 0
Registry threats detected : 19
File threats detected    : 36

Adware.Tracking Cookie
    D:\Documents and Settings\Emil\Cookies\emil@adbrite[2].txt
    D:\Documents and Settings\Emil\Cookies\emil@adverts.loadedinc[1].txt
    D:\Documents and Settings\Emil\Cookies\emil@partypoker[1].txt
    D:\Documents and Settings\Emil\Cookies\emil@614779[1].txt
    D:\Documents and Settings\Emil\Cookies\emil@directtrack[1].txt
    D:\Documents and Settings\Emil\Cookies\emil@rapidresponse.directtrack[2].txt
    D:\Documents and Settings\Emil\Cookies\emil@xiti[1].txt
    D:\Documents and Settings\Emil\Cookies\emil@atdmt[1].txt
    D:\Documents and Settings\Emil\Cookies\emil@tacoda[1].txt
    D:\Documents and Settings\Emil\Cookies\emil@www.sexnoveller[2].txt
    D:\Documents and Settings\Emil\Cookies\emil@ad1.emediate[2].txt
    D:\Documents and Settings\Emil\Cookies\emil@clicktorrent[1].txt
    D:\Documents and Settings\Emil\Cookies\emil@checkstat[1].txt
    D:\Documents and Settings\Emil\Cookies\emil@ad.ofir[2].txt
    D:\Documents and Settings\Emil\Cookies\emil@cgi-bin[2].txt
    D:\Documents and Settings\Emil\Cookies\emil@www.sexdating[2].txt
    D:\Documents and Settings\Emil\Cookies\emil@adopt.euroclick[2].txt
    D:\Documents and Settings\Emil\Cookies\emil@ads.realtechnetwork[1].txt
    D:\Documents and Settings\Emil\Cookies\emil@stats[1].txt
    D:\Documents and Settings\Emil\Cookies\emil@toplist[1].txt
    D:\Documents and Settings\Emil\Cookies\emil@burstnet[1].txt
    D:\Documents and Settings\Emil\Cookies\emil@e2.emediate[2].txt
    D:\Documents and Settings\Emil\Cookies\emil@admarketplace[1].txt
    D:\Documents and Settings\Emil\Cookies\emil@track.adform[2].txt
    D:\Documents and Settings\Emil\Cookies\emil@ads2.jubii[1].txt
    D:\Documents and Settings\Emil\Cookies\emil@1068632757[1].txt
    D:\Documents and Settings\Emil\Cookies\emil@sexnoveller[2].txt
    D:\Documents and Settings\Emil\Cookies\emil@sexdating[1].txt
    D:\Documents and Settings\Emil\Cookies\emil@adfair[2].txt

Trojan.cmdService
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Type
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#0
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#Count
    HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc

Browser Hijacker.Deskbar
    HKCR\DBTB00001.DeskbarEnabler
    HKCR\DBTB00001.DeskbarEnabler\CLSID
    HKCR\DBTB00001.DeskbarEnabler.1
    HKCR\DBTB00001.DeskbarEnabler.1\CLSID

Trojan.WinSysBan
    D:\Documents and Settings\Emil\Lokale indstillinger\Temporary Internet Files\Content.IE5\C9YHUF8N\kybrdff_16[1].exe

Adware.NicTech Networks
    D:\WINDOWS\system32\djvacm.#ll
    D:\WINDOWS\system32\fpjm0311e.#ll
    D:\WINDOWS\system32\maimsg.#ll
    D:\WINDOWS\system32\nptui2.#ll
    D:\WINDOWS\system32\uhhisapi.#ll

Trojan.Unknown Origin
    D:\WINDOWS\system32\taa03017.#ll

outlook.exe;d:\programmer\outlook;Trojan.MulDrop.3290;Deleted.;
winlog.exe;D:\WINDOWS\System32;Win32.HLLW.MyBot;Deleted.;
w002f8cd.dll;D:\WINDOWS\System32;Trojan.DownLoader.10919;Deleted.;
Update.exe;D:\Programmer\Fælles filer\{B80B7071-0A63-1030-1028-04060204002d};Trojan.DownLoader.12291;Deleted.;
Dc2.exe;C:\RECYCLER\S-1-5-21-1004336348-839522115-1441588008-1003;Adware.DollarRevenue;Renamed.;
Dc4.exe;C:\RECYCLER\S-1-5-21-1004336348-839522115-1441588008-1003;Trojan.Click.1408;Deleted.;
Gorillaz - Demon Days - (Retail) - 2005 - AutoExtract.exe;C:\RECYCLER\S-1-5-21-57989841-179605362-682003330-1003\Df14;Trojan.DownLoader.2667;Incurable.Moved.;
A0043168.exe;C:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP158;Trojan.DownLoader.10918;Deleted.;
A0043227.exe;C:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP159;Adware.DollarRevenue;Renamed.;
A0043653.exe;C:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP164;Adware.DollarRevenue;Renamed.;
A0043654.exe;C:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP164;Trojan.Click.1408;Deleted.;
A0043655.exe;C:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP164;Trojan.DownLoader.2667;Incurable.Moved.;
temp.fr04AC;D:\Documents and Settings\Emil\Lokale indstillinger\Temp;Adware.Look2me;Renamed.;
temp.fr1B7C;D:\Documents and Settings\Emil\Lokale indstillinger\Temp;Adware.Look2me;Renamed.;
ac3[1].txt;D:\Documents and Settings\Emil\Lokale indstillinger\Temporary Internet Files\Content.IE5\CLUH6V4X;Adware.Runk;Renamed.;
dfndrff_16[1].exe;D:\Documents and Settings\Emil\Lokale indstillinger\Temporary Internet Files\Content.IE5\YLOXKF23;Trojan.Click.1408;Deleted.;
nwnmff_16[1].exe;D:\Documents and Settings\Emil\Lokale indstillinger\Temporary Internet Files\Content.IE5\YLOXKF23;Adware.DollarRevenue;Renamed.;
v.tmp;D:\Programmer\outlook;Trojan.MulDrop.3290;Deleted.;
A0040957.exe;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP156;Adware.SaveNow;Renamed.;
A0042054.exe;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP157;Adware.Surfside;Renamed.;
A0042056.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP157;Adware.Surfside;Renamed.;
A0042077.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP157;Adware.Look2me;Renamed.;
A0042125.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP157;Adware.Look2me;Renamed.;
A0042136.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP157;Adware.Look2me;Renamed.;
A0043142.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP158;Adware.Look2me;Renamed.;
A0043148.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP158;Adware.Look2me;Renamed.;
A0043159.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP158;Adware.Look2me;Renamed.;
A0043170.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP158;Adware.Softomate;Renamed.;
A0043245.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP161;Adware.Look2me;Renamed.;
A0043476.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP161;Adware.Look2me;Renamed.;
A0043481.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP161;Adware.Look2me;Renamed.;
A0043491.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP162;Adware.Look2me;Renamed.;
A0043496.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP162;Adware.Look2me;Renamed.;
A0043504.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP163;Adware.Look2me;Renamed.;
A0043509.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP163;Adware.Look2me;Renamed.;
A0043543.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP163;Adware.Look2me;Renamed.;
A0043548.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP163;Adware.Look2me;Renamed.;
A0043550.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP163;Adware.Look2me;Renamed.;
A0043555.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP163;Adware.Look2me;Renamed.;
A0043560.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP163;Adware.Look2me;Renamed.;
A0043634.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP164;Adware.Look2me;Renamed.;
A0043638.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP164;Adware.Look2me;Renamed.;
A0043642.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP164;Adware.Look2me;Renamed.;
A0043646.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP164;Adware.Look2me;Renamed.;
A0043649.exe;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP164;Trojan.MulDrop.3290;Deleted.;
A0043650.exe;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP164;Win32.HLLW.MyBot;Deleted.;
A0043651.dll;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP164;Trojan.DownLoader.10919;Deleted.;
A0043652.exe;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP164;Trojan.DownLoader.12291;Deleted.;
djvacm.dll;D:\WINDOWS\system32;Adware.Look2me;Renamed.;
fpjm0311e.dll;D:\WINDOWS\system32;Adware.Look2me;Renamed.;
maimsg.dll;D:\WINDOWS\system32;Adware.Look2me;Renamed.;
nptui2.dll;D:\WINDOWS\system32;Adware.Look2me;Renamed.;
taa03017.dll;D:\WINDOWS\system32;Adware.Runk;Renamed.;
uhhisapi.dll;D:\WINDOWS\system32;Adware.Look2me;Renamed.;
mirc.exe;E:\mIRC;Program.mIRC.616;Renamed.;

Logfile of HijackThis v1.99.1
Scan saved at 22:32:43, on 08-09-2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\RunDll32.exe
D:\Programmer\Winamp\winampa.exe
D:\Programmer\Logitech\iTouch\iTouch.exe
D:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
D:\Programmer\DAEMON Tools\daemon.exe
D:\programmer\powerstrip\pstrip.exe
D:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Programmer\MSN Messenger\MsnMsgr.Exe
D:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
D:\WINDOWS\System32\notepad.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\Emil\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ofir.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\programmer\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] D:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RemoteControl] D:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Programmer\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PowerStrip] d:\programmer\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [taa03017] RUNDLL32.EXE w002f8cd.dll,n 004030130000000a002f8cd
O4 - HKCU\..\Run: [MsnMsgr] "D:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Google Search - res://d:\programmer\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\programmer\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\programmer\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\programmer\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\programmer\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\programmer\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A89551E8-992E-48D0-A90C-3E78CF66B217} - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697517} (NsvPlayX Control) - http://www.mmradio.org/embed22/nsvplayx_vp3_aac.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Group Policy - D:\WINDOWS\system32\j8n20i5oe8.dll
O20 - Winlogon Notify: SASWinLogon - D:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - D:\Programmer\Sygate\SPF\smc.exe
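The Dr.Web report in this post has lost its header, but its layout is regular: file name, directory, detection name and action, separated by semicolons. As an added example that is not from the thread or from Dr.Web, the Python script below parses that format and pulls out what an analyst reads off such a report: what was deleted versus merely renamed (a renamed file is neutralised but still on disk), and which detections also sit in System Restore snapshots under System Volume Information, since those copies come back with a restore unless System Restore is cleared. The sample lines are an excerpt copied from the report above; the column meanings are assumed from those lines.

```python
"""Summarise a Dr.Web-style scan report of the form
name;directory;detection;action;  (one detection per line).

Added example for this thread; it is not Dr.Web's own code, and the field
layout is assumed from the report posted above.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: an excerpt of the report lines from the post above.
SAMPLE_REPORT = r"""
outlook.exe;d:\programmer\outlook;Trojan.MulDrop.3290;Deleted.;
winlog.exe;D:\WINDOWS\System32;Win32.HLLW.MyBot;Deleted.;
w002f8cd.dll;D:\WINDOWS\System32;Trojan.DownLoader.10919;Deleted.;
Dc2.exe;C:\RECYCLER\S-1-5-21-1004336348-839522115-1441588008-1003;Adware.DollarRevenue;Renamed.;
A0043168.exe;C:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP158;Trojan.DownLoader.10918;Deleted.;
A0043649.exe;D:\System Volume Information\_restore{796E85CB-12B4-4300-BCE1-CB49EB733878}\RP164;Trojan.MulDrop.3290;Deleted.;
djvacm.dll;D:\WINDOWS\system32;Adware.Look2me;Renamed.;
mirc.exe;E:\mIRC;Program.mIRC.616;Renamed.;
"""

RESTORE_POINT_MARKER = "system volume information"


@dataclass(frozen=True)
class Detection:
    name: str        # file name
    directory: str   # directory the file was found in
    threat: str      # scanner's detection name, e.g. Trojan.MulDrop.3290
    action: str      # what the scanner did: Deleted., Renamed., Incurable.Moved., ...

    @property
    def family(self) -> str:
        """First dotted component of the detection name (Trojan, Adware, ...)."""
        return self.threat.split(".", 1)[0]

    @property
    def in_restore_point(self) -> bool:
        """True when the hit lives inside a System Restore snapshot."""
        return RESTORE_POINT_MARKER in self.directory.lower()

    @property
    def still_on_disk(self) -> bool:
        """Renamed files are neutralised but not gone; Deleted/Moved ones are."""
        return self.action.startswith("Renamed")


def parse_report(text: str) -> list[Detection]:
    """Parse the semicolon-separated report; blank or malformed lines are skipped."""
    detections = []
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) < 4 or not fields[0]:
            continue
        detections.append(Detection(*fields[:4]))
    return detections


def summarise(detections: list[Detection]) -> dict:
    """Counts by action and family, plus the restore-point angle an analyst cares about."""
    return {
        "by_action": Counter(d.action for d in detections),
        "by_family": Counter(d.family for d in detections),
        "restore_point_hits": sum(d.in_restore_point for d in detections),
        "still_on_disk": sorted(d.name for d in detections if d.still_on_disk),
    }


def threats_cached_in_restore_points(detections: list[Detection]) -> set[str]:
    """Detection names seen both in a live location and inside a restore point.
    These are the ones a System Restore could bring back after the cleanup."""
    live = {d.threat for d in detections if not d.in_restore_point}
    cached = {d.threat for d in detections if d.in_restore_point}
    return live & cached


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    for key, value in summarise(hits).items():
        print(f"{key}: {value}")
    print("cached in restore points:", threats_cached_in_restore_points(hits))
```

On the excerpt, Trojan.MulDrop.3290 shows up both as outlook.exe in the live program folder and as A0043649.exe inside a restore point, which is exactly why the advice later in the thread is to flush System Restore once the logs come back clean.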
ejvindh (Expert)
9 September 2006 - 13:00 #1
-- Download Combofix and save it to your desktop:
http://download.bleepingcomputer.com/sUBs/combofix.exe

--  Then run combofix.exe, which you downloaded just now, and follow the instructions.
You should not click on the window while the tool is running, as that can make your computer freeze.
When combofix is finished and has restarted, a log file should open: combofix.txt
Please post the contents of that file here.
emilfini (Beginner)
9 September 2006 - 13:12 #2
Emil - 06-09-09 13:13:48,51
ComboFix 06.09.07 - Running from: D:\Documents and Settings\Emil\Skrivebord

Microsoft Windows XP [version 5.1.2600]

(((((((((((((((((((((((((((((((((((((((((((((  Look2Me's Log  ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{7979B14F-6319-489A-A719-3728A327150F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7979B14F-6319-489A-A719-3728A327150F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7979B14F-6319-489A-A719-3728A327150F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7979B14F-6319-489A-A719-3728A327150F}\InprocServer32]
@="D:\\WINDOWS\\system32\\tncfgwmi.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{56275F62-1B39-4A52-8F8A-FD4F21BCAAF0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{56275F62-1B39-4A52-8F8A-FD4F21BCAAF0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{56275F62-1B39-4A52-8F8A-FD4F21BCAAF0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{56275F62-1B39-4A52-8F8A-FD4F21BCAAF0}\InprocServer32]
@="D:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{73EC8987-B8CF-4A3B-8F8C-664C5A632654}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{73EC8987-B8CF-4A3B-8F8C-664C5A632654}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{73EC8987-B8CF-4A3B-8F8C-664C5A632654}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{73EC8987-B8CF-4A3B-8F8C-664C5A632654}\InprocServer32]
@="D:\\WINDOWS\\system32\\ppisdecd.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{6C2A82DE-2A4C-4FB6-BB79-107128B34E20}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C2A82DE-2A4C-4FB6-BB79-107128B34E20}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C2A82DE-2A4C-4FB6-BB79-107128B34E20}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6C2A82DE-2A4C-4FB6-BB79-107128B34E20}\InprocServer32]
@="D:\\WINDOWS\\system32\\iWssdo.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

D:\WINDOWS\system32\iWssdo.dll
D:\WINDOWS\system32\uyrvpa.dll


Granting sedebugprivilege to Administratorer  ... successful


((((((((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))


D:\WINDOWS\system32\bszip.dll
D:\WINDOWS\system32\cmd.com
D:\WINDOWS\system32\netstat.com
D:\WINDOWS\system32\ping.com
D:\WINDOWS\system32\regedit.com
D:\WINDOWS\system32\taskkill.com
D:\WINDOWS\system32\tracert.com
D:\Documents and Settings\LocalService\Application Data\NetMon
D:\Programmer\Deskbar
D:\Programmer\outlook
D:\Programmer\Fælles filer\{B80B7071-0A63-1030-1028-04060204002d}


(((((((((((((((((((((((((((((((  Files Created from 2006-08-09 to 2006-09-09  ))))))))))))))))))))))))))))))))))


2006-09-08    20:55    0    ---hs----    D:\WINDOWS\system32\tasklist.com
2006-09-05    20:33    40,960    --a------    D:\WINDOWS\system32\psfind.dll
2006-09-04    16:26    1,233    --a------    D:\WINDOWS\system32\taa03017.sys
2006-09-04    16:22    2,560    --a------    D:\WINDOWS\_MSRSTRT.EXE
2006-09-02    10:43    98,304    --a------    D:\WINDOWS\system32\CmdLineExt.dll
2006-09-02    10:39    1,060,864    --a------    D:\WINDOWS\system32\mfc71.dll


((((((((((((((((((((((((((((((((((((((((((((((((  Find3M Report  )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-09 13:14    --------    d--------    D:\Programmer\Fælles filer
2006-09-09 13:05    --------    d--------    D:\Programmer\Mozilla Firefox
2006-09-08 22:26    --------    d--------    D:\Programmer\SUPERAntiSpyware
2006-09-08 20:43    --------    d--------    D:\Documents and Settings\Emil\Application Data\SUPERAntiSpyware.com
2006-09-08 20:42    --------    d--------    D:\Programmer\Fælles filer\Wise Installation Wizard
2006-09-08 17:30    --------    d--------    D:\Documents and Settings\Emil\Application Data\Registry Booster
2006-09-05 20:29    --------    d--h-----    D:\Programmer\InstallShield Installation Information
2006-09-04 19:46    --------    d--------    D:\Programmer\PokerRoom.com
2006-09-04 18:07    --------    d--------    D:\Programmer\EA GAMES
2006-09-04 16:37    2560    --a------    D:\WINDOWS\_MSRSTRT.EXE
2006-09-04 16:35    --------    d--------    D:\Programmer\Fælles filer\mqrk
2006-09-04 16:23    --------    d--------    D:\Programmer\BearShare
2006-09-03 12:46    --------    d--h-----    D:\Programmer\WindowsUpdate
2006-09-02 23:05    --------    d--------    D:\Programmer\DAEMON Tools
2006-09-02 11:18    --------    d--------    D:\Programmer\Internet Explorer
2006-08-20 14:11    --------    d--------    D:\Programmer\BitComet
2006-08-07 17:26    --------    d--------    D:\Documents and Settings\Emil\Application Data\Mozilla
2006-07-12 19:57    --------    d--------    D:\Programmer\Teamspeak2_RC2
2006-07-12 19:57    --------    d--------    D:\Documents and Settings\Emil\Application Data\teamspeak2
2006-06-17 20:03    2829    --a------    D:\WINDOWS\War3Unin.pif
2006-06-17 20:03    139264    --a------    D:\WINDOWS\War3Unin.exe


((((((((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="D:\\Programmer\\Winamp\\winampa.exe"
"zBrowser Launcher"="D:\\Programmer\\Logitech\\iTouch\\iTouch.exe"
"RemoteControl"="D:\\Programmer\\CyberLink\\PowerDVD\\PDVDServ.exe"
"NeroCheck"="D:\\WINDOWS\\system32\\NeroCheck.exe"
"DAEMON Tools"="\"D:\\Programmer\\DAEMON Tools\\daemon.exe\" -lang 1033"
"PowerStrip"="d:\\programmer\\powerstrip\\pstrip.exe"
"SmcService"="D:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"SunJavaUpdateSched"="D:\\Programmer\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"NvCplDaemon"="RUNDLL32.EXE D:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE D:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"D:\\Programmer\\MSN Messenger\\MsnMsgr.Exe\" /background"
"SUPERAntiSpyware"="D:\\Programmer\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Min aktuelle startside"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,c0,03,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
  00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
  00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
 
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon


Completion time: 09-09-2006 13:15:49.56
ComboFix.txt
ejvindh (Expert)
9 September 2006 - 13:31 #3
-- Try going to the following website:
http://virusscan.jotti.org/

Click Browse, and navigate to D:\WINDOWS\system32\taa03017.sys

Then click Submit. A small log of the various scans will appear. Please paste it into your next reply.

-- Download Avenger here:
http://swandog46.geekstogo.com/avenger.zip

-- Unpack the Avenger program and double-click avenger.exe

-- Select "Input Script Manually" and click the magnifying glass - a small window appears, into which you copy the contents between the dashed lines:

-----------------------------
Files to delete:
D:\WINDOWS\system32\tasklist.com

registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{AEB6717E-7E19-11d0-97EE-00C04FD91972}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}
-----------------------------

-- Click the traffic light in Avenger. The program will prompt you to restart the computer immediately, which you should do. The program will shut down your computer, delete the files and start the computer again.

-- After the restart a notepad window will appear with a log of Avenger's actions. Please post it in your next reply.

-- Please also make a new log with Hijackthis and post it here for checking.
emilfini (Beginner)
9 September 2006 - 13:37 #4
File:      taa03017.sys
Status:    
OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5     0a102ed9d959cf282028be94fdbaf604
Packers detected:    
-
Scanner results
AntiVir    
Found nothing
ArcaVir    
Found nothing
Avast    
Found nothing
AVG Antivirus    
Found nothing
BitDefender    
Found nothing
ClamAV    
Found nothing
Dr.Web    
Found nothing
F-Prot Antivirus    
Found nothing
Fortinet    
Found nothing
Kaspersky Anti-Virus    
Found nothing
NOD32    
Found nothing
Norman Virus Control    
Found nothing
UNA    
Found nothing
VirusBuster    
Found nothing
VBA32    
Found nothing
emilfini (Beginner)
9 September 2006 - 13:39 #5
Statistics
Last file scanned at least one scanner reported something about: 119.exe, detected by:

Scanner     Malware name
AntiVir     Delta-1128
ArcaVir     Delta.1128
Avast     Delta-1128
AVG Antivirus     X
BitDefender     Delta.1128
ClamAV     Delta.1128
Dr.Web     Delta.1128
F-Prot Antivirus     Delta.1128
Fortinet     Delta.1128
Kaspersky Anti-Virus     Virus.DOS.Delta.1128
NOD32     X
Norman Virus Control     X
UNA     DOS.Delta.1128
VirusBuster     X
VBA32     Unknown.ComVirus
fazli (Beginner)
9 September 2006 - 13:44 #6
http://www.eksperten.dk/spm/731188

I assume Ejvindh carries on ;)
emilfini (Beginner)
9 September 2006 - 13:47 #7
Logfile of HijackThis v1.99.1
Scan saved at 13:50:59, on 09-09-2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Programmer\Sygate\SPF\smc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\Explorer.EXE
D:\Programmer\Winamp\winampa.exe
D:\Programmer\Logitech\iTouch\iTouch.exe
D:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
D:\Programmer\DAEMON Tools\daemon.exe
D:\programmer\powerstrip\pstrip.exe
D:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Programmer\MSN Messenger\MsnMsgr.Exe
D:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINDOWS\system32\notepad.exe
D:\Programmer\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Emil\Skrivebord\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ofir.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [WinampAgent] D:\Programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RemoteControl] D:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Programmer\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PowerStrip] d:\programmer\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Programmer\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "D:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &Google Search - res://d:\programmer\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\programmer\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\programmer\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\programmer\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\programmer\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\programmer\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A89551E8-992E-48D0-A90C-3E78CF66B217} - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697517} (NsvPlayX Control) - http://www.mmradio.org/embed22/nsvplayx_vp3_aac.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: SASWinLogon - D:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - D:\Programmer\Sygate\SPF\smc.exe
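Comparing this log with the one in the opening post is how the helper judges the cleanup: the O4 entry that loaded w002f8cd.dll through RUNDLL32.EXE, the O20 Winlogon Notify entry for j8n20i5oe8.dll and the dangling URLSearchHook are gone, and smc.exe (Sygate) is running again. As an added example that is not from the thread or from HijackThis, the Python script below automates that comparison and flags entries worth a second look. The two sample logs are excerpts of the logs posted above; the triage heuristics (dangling references, auto-start modules with four or more digits in the base name) are my own assumptions, not HijackThis rules.

```python
"""Diff two HijackThis logs and flag entries worth a second look.

Added example for this thread; it is not HijackThis's own code. The two
sample logs are constructed excerpts of the logs posted before and after
the cleanup above, and the flagging heuristics are assumptions.
"""
import re
from collections import Counter

BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 22:32:43, on 08-09-2006

Running processes:
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ofir.dk/
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [taa03017] RUNDLL32.EXE w002f8cd.dll,n 004030130000000a002f8cd
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Group Policy - D:\WINDOWS\system32\j8n20i5oe8.dll
O20 - Winlogon Notify: SASWinLogon - D:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
"""

AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 13:50:59, on 09-09-2006

Running processes:
D:\WINDOWS\system32\winlogon.exe
D:\Programmer\Sygate\SPF\smc.exe
D:\WINDOWS\System32\RUNDLL32.EXE
D:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ofir.dk/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: SASWinLogon - D:\Programmer\SUPERAntiSpyware\SASWINLO.DLL
"""

ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")                 # R0-R3, F0-F3, N1-N4, O1-O24 sections
MODULE_RE = re.compile(r"([\w~]+\.(?:dll|exe|cpl))", re.I)  # module names mentioned in an entry


def parse_hjt(text):
    """Return (Counter of running-process paths, list of section entries)."""
    processes, entries, in_procs = Counter(), [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            processes[line.lower()] += 1   # paths are case-insensitive; duplicates are counted
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def diff_logs(before, after):
    """What disappeared and what appeared between two scans."""
    b_procs, b_entries = parse_hjt(before)
    a_procs, a_entries = parse_hjt(after)
    a_set, b_set = set(a_entries), set(b_entries)
    return {
        "removed_entries": [e for e in b_entries if e not in a_set],
        "added_entries": [e for e in a_entries if e not in b_set],
        "removed_processes": b_procs - a_procs,   # Counter subtraction keeps positive counts only
        "added_processes": a_procs - b_procs,
    }


def flag_entries(entries):
    """Heuristic triage (assumption, not a HijackThis rule): dangling references,
    and O4/O20 auto-start modules whose base name holds four or more digits."""
    flagged = []
    for entry in entries:
        if "(no file)" in entry or "(file missing)" in entry:
            flagged.append((entry, "dangling reference, safe cleanup candidate"))
            continue
        if entry.startswith(("O4", "O20")):
            for module in MODULE_RE.findall(entry):
                if sum(ch.isdigit() for ch in module.rsplit(".", 1)[0]) >= 4:
                    flagged.append((entry, f"auto-start module with random-looking name: {module}"))
                    break
    return flagged


if __name__ == "__main__":
    for key, value in diff_logs(BEFORE, AFTER).items():
        print(f"{key}: {value}")
    for entry, reason in flag_entries(parse_hjt(BEFORE)[1]):
        print(f"FLAG [{reason}] {entry}")
```

The process diff is a Counter rather than a set on purpose: the first log had two rundll32 instances and the second only one, and the extra instance was the host for the malicious DLL, so losing the duplicate would hide a useful signal.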
emilfini (Beginner)
9 September 2006 - 13:47 #8
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wckrfsdi

*******************

Script file located at: \??\D:\WINDOWS\System32\jjefyjv^.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at D:\Avenger

*******************

Beginning to process script file:

File D:\WINDOWS\system32\tasklist.com deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.


Could not delete registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{5AE067D3-9AFB-48E0-8
Deletion of registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks|{5AE067D3-9AFB-48E0-8 failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.
ejvindh (Expert)
9 September 2006 - 21:18 #9
The logs are clean. Have you also solved your problem? That scan of 119.exe, what is that about?

To finish the job completely:
It can be a good idea to clean up the System Restore files. Disable System Restore (http://www.spywarefri.dk/virusscannere.htm#alle) - restart your computer - enable System Restore.
And it can also be a good idea to hide your system files and folders again, so you don't accidentally delete an important file. You do that in the same place where you set it to show all files; this time you just choose: Do not show hidden files and folders.

It can also be a good idea to clean out your temporary files. That can be done quickly and easily with this file
www.spywareinfo.dk/download/cleantempxp2k.bat
---------------------------

To prevent a repeat, I would recommend that you install some small programs that stop spyware from getting in in the first place. You will find links and good advice here:
http://www.spywarefri.dk/manualer/sikkerhedspakke.htm

I would also suggest that you read this article on how to avoid getting infected in the future:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414