mingus (Beginner)
7 November 2007 - 17:03 There are 7 comments

Logs from "Nye våben"

I have followed Fromsej's guideline for how to remove a trojan horse using "nye våben", and here are the logs I got...

ComboFix 07-11-07.3 - Malik Chemnitz 07-11-2007 15:05:05.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.45.1030.18.391 [GMT 1:00]
Running from: C:\Documents and Settings\Malik Chemnitz\Skrivebord\Crapcleaner\ComboFix.exe
* Created a new restore point
.


(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\svchost.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\__c0081409.dat
C:\WINDOWS\system32\ixdaibov.dllbox
C:\z.exe

.
(((((((((((((((((((((((((((((((((((((((  Drivers/Services  )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


(((((((((((((((((((((((((  Files Created from 2007-10-07 to 2007-11-07  )))))))))))))))))))))))))))))))
.

2007-11-07 14:12    114,316    ---hs----    C:\WINDOWS\system32\mpqss.ini2
2007-11-07 13:34    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-07 13:33    <DIR>    d--------    C:\Programmer\SUPERAntiSpyware
2007-11-07 13:33    <DIR>        C:\Programmer\Fælles filer\Wise Installation Wizard
2007-11-07 13:33    <DIR>    d--------    C:\Documents and Settings\Malik Chemnitz\Application Data\SUPERAntiSpyware.com
2007-11-07 13:15    <DIR>    d--------    C:\Programmer\CCleaner
2007-11-07 12:32    <DIR>    d--------    C:\Documents and Settings\Malik Chemnitz\Application Data\AVG7
2007-11-07 12:31    <DIR>    d--------    C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-07 12:31    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-07 12:19    <DIR>    d--------    C:\Programmer\Registry Defender
2007-11-07 00:07    0    --a------    C:\z.dat
2007-11-06 23:45    87,104    --a------    C:\WINDOWS\system32\bogagkhw.dll
2007-11-06 23:43    81,472    --a------    C:\WINDOWS\system32\drepicor.dll
2007-11-06 23:41    100,066    ---hs----    C:\WINDOWS\system32\mpqss.bak2
2007-11-06 11:41    6,465    ---hs----    C:\WINDOWS\system32\mpqss.bak1
2007-11-06 11:34    147,456    --a------    C:\WINDOWS\system32\vbzip10.dll
2007-11-06 11:32    82    --a------    C:\n.bat
2007-11-05 11:19    <DIR>    d-a------    C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-29 16:48    <DIR>    d--------    C:\Programmer\Winamp Toolbar
2007-10-29 16:48    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Winamp Toolbar
2007-10-24 23:02    <DIR>    d--------    C:\Documents and Settings\Malik Chemnitz\Shared
2007-10-24 23:02    <DIR>    d--------    C:\Documents and Settings\Malik Chemnitz\Incomplete
2007-10-24 23:02    <DIR>    d--------    C:\Documents and Settings\Malik Chemnitz\Application Data\LimeWire
2007-10-19 19:41    <DIR>    d--------    C:\Documents and Settings\Malik Chemnitz\Application Data\InterVideo
2007-10-10 19:29    584,192    -----c---    C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-08 16:16    <DIR>    d--------    C:\Documents and Settings\Malik Chemnitz\Application Data\uTorrent
2007-10-07 21:03    <DIR>    d--------    C:\Programmer\Erusoft Audio CD Ripper
2007-10-07 20:36    <DIR>    d--------    C:\fcr_output
2007-10-07 09:43    12    --a------    C:\WINDOWS\bthservsdp.dat
2007-10-07 09:12    274,432    --a------    C:\WINDOWS\system32\drivers\bthport.sys
2007-10-07 09:12    274,432    --a--c---    C:\WINDOWS\system32\dllcache\bthport.sys
2007-10-07 09:12    18,944    --a------    C:\WINDOWS\system32\drivers\BTHUSB.SYS
2007-10-07 09:12    18,944    --a--c---    C:\WINDOWS\system32\dllcache\bthusb.sys

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 13:55    ---------    d-----w    C:\Documents and Settings\Malik Chemnitz\Application Data\Skype
2007-11-07 13:52    ---------    d-----w    C:\Programmer\Fælles filer\Symantec Shared
2007-11-07 12:33    ---------    d-----w    C:\Programmer\Fælles filer
2007-11-07 11:38    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-07 11:15    ---------    d-----w    C:\Programmer\Symantec
2007-11-07 10:42    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-07 10:10    ---------    d-----w    C:\Programmer\Norton Security Scan
2007-11-05 10:23    ---------    d-----w    C:\Programmer\Winamp
2007-10-26 00:49    ---------    d-----w    C:\Documents and Settings\Malik Chemnitz\Application Data\Apple Computer
2007-10-11 04:50    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-06 15:38    ---------    d-----w    C:\Programmer\iTunes
2007-10-06 15:36    ---------    d-----w    C:\Programmer\iPod
2007-10-06 15:32    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-06 15:31    ---------    d-----w    C:\Programmer\Fælles filer\Apple
2007-10-06 15:31    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Apple
2007-10-06 05:34    ---------    d-----w    C:\Programmer\MioNet
2007-10-05 14:41    ---------    d-----w    C:\Programmer\Fælles filer\ArcSoft
2007-10-05 14:40    ---------    d--h--w    C:\Programmer\InstallShield Installation Information
2007-10-05 14:40    ---------    d-----w    C:\Programmer\Fælles filer\SPC500NC
2007-10-05 14:39    ---------    d-----w    C:\Programmer\Philips
2007-10-03 15:11    ---------    d-----w    C:\Programmer\Fælles filer\Adobe
2007-10-03 14:56    ---------    d-----w    C:\Documents and Settings\Malik Chemnitz\Application Data\AdobeUM
2007-09-22 18:52    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Nero
2007-09-21 16:15    ---------    d-----w    C:\Programmer\Nero
2007-09-21 16:15    ---------    d-----w    C:\Programmer\Fælles filer\Simple Star Shared
2007-09-21 16:15    ---------    d-----w    C:\Documents and Settings\Malik Chemnitz\Application Data\Nero
2007-09-21 16:10    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Simple Star Shared
2007-09-21 16:08    ---------    d-----w    C:\Documents and Settings\Malik Chemnitz\Application Data\Simple Star
2007-09-20 23:22    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-09-20 23:08    ---------    d-----w    C:\Programmer\Bonjour
2007-09-20 22:54    ---------    d-----w    C:\Programmer\Fælles filer\Macrovision Shared
2007-09-20 18:59    ---------    d-----w    C:\Programmer\Sony Ericsson
2007-09-20 14:56    ---------    d-----w    C:\Programmer\TEXTware
2007-09-20 14:48    ---------    d--h--r    C:\Documents and Settings\Malik Chemnitz\Application Data\SecuROM
2007-09-20 05:13    ---------    d-----w    C:\Programmer\IDM
2007-09-19 18:36    ---------    d-----w    C:\Programmer\TGTSoft
2007-09-19 15:32    ---------    d-----w    C:\Programmer\VstPlugins
2007-09-19 15:32    ---------    d-----w    C:\Programmer\Image-Line
2007-09-19 15:31    ---------    d-----w    C:\Programmer\ASIO4ALL v2
2007-09-19 10:07    ---------    d-----w    C:\Documents and Settings\Malik Chemnitz\Application Data\ArcSoft
2007-09-19 09:53    ---------    d-----w    C:\Programmer\MAGIX
2007-09-15 12:59    ---------    d-----w    C:\Programmer\Google
2007-09-15 12:40    ---------    d-----w    C:\Programmer\Fælles filer\Microsoft Shared
2007-09-15 12:38    ---------    d-----w    C:\Programmer\Fælles filer\System
2007-09-15 12:33    ---------    d-----w    C:\Programmer\MSBuild
2007-09-14 23:36    138    ----a-w    C:\Documents and Settings\Malik Chemnitz\Application Data\wklnhst.dat
2007-09-13 18:09    ---------    d-----w    C:\Documents and Settings\Malik Chemnitz\Application Data\Ahead
2007-09-07 06:19    ---------    d-----w    C:\Programmer\Arto
2007-09-07 06:19    ---------    d-----w    C:\Documents and Settings\Malik Chemnitz\Application Data\Arto
2007-09-04 18:51    229,057    ----a-w    C:\WINDOWS\Alcohol_Toolbar_Uninstaller_3656.exe
.

(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A628F9F-E722-4540-BBDE-10F69AB181DE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Programmer\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43]
"SynTPEnh"="C:\Programmer\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 00:32]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 23:49 C:\WINDOWS\RTHDCPL.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 14:29 C:\WINDOWS\agrsmmsg.exe]
"THotkey"="C:\Programmer\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 14:02]
"TPSMain"="TPSMain.exe" [2005-08-03 15:42 C:\WINDOWS\system32\TPSMain.exe]
"NDSTray.exe"="NDSTray.exe" []
"Tvs"="C:\Programmer\TOSHIBA\Tvs\TvsTray.exe" [2005-11-30 12:25]
"SmoothView"="C:\Programmer\TOSHIBA\TOSHIBA-zoomfunktion\SmoothView.exe" [2005-05-12 13:44]
"TFncKy"="TFncKy.exe" []
"TDispVol"="TDispVol.exe" [2005-09-16 13:48 C:\WINDOWS\system32\TDispVol.exe]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-10-06 05:20]
"IntelZeroConfig"="C:\Programmer\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 11:37]
"IntelWireless"="C:\Programmer\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 10:41]
"CFSServ.exe"="CFSServ.exe" []
"GrooveMonitor"="C:\Programmer\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47]
"QuickTime Task"="C:\Programmer\K-Lite Codec Pack\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Programmer\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-27 12:00 C:\WINDOWS\system32\bthprops.cpl]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-07 12:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 12:00]
"TOSCDSPD"="C:\Programmer\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-12 10:38]
"DVDXGhost"="E:\Chemnitz\Pro\DVD X Ghost\DVDXGhost.EXE" []
"Skype"="C:\Programmer\Skype\Phone\Skype.exe" [2007-09-13 12:31]
"MsnMsgr"="C:\Programmer\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:55]
"AlcoholAutomount"="C:\Programmer\Alcohol Soft\Alcohol 120\axcmd.exe" [2006-11-20 05:00]
"ArtoNotifier"="C:\Programmer\Arto\Notifier\ArtoNotifier.exe" [2006-10-10 16:33]
"SUPERAntiSpyware"="C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-04-23 15:46]

C:\Documents and Settings\Malik Chemnitz\Menuen Start\Programmer\Start\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Programmer\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 19:24:54]
RegistryDefender.lnk - C:\Programmer\Registry Defender\RegistryDefender.exe [2007-04-03 11:47:44]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Adobe Reader Hurtigstart.lnk - C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
VPro500.lnk - C:\WINDOWS\VPro500.exe [2007-10-05 15:39:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1C1DD717-53B2-485E-A17B-C9977C205E10}"= C:\WINDOWS\system32\opnmmki.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programmer\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ixdaibov]
ixdaibov.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmmki]
opnmmki.dll

R2 MioNet;MioNet Service;C:\Programmer\MioNet\MioNetManager.exe -s C:\Programmer\MioNet\wrapper.conf
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\MAGIX\Common\Database\bin\fbserver.exe
S3 SPC610NC;Philips SPC500NC Webcam;C:\WINDOWS\system32\DRIVERS\SPC610NC.SYS
S3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9cfbae5c-5178-11dc-b677-00a0d1457c69}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-02 17:09:24 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Programmer\Norton Security Scan\Nss.exe
.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-07 15:18:49 - machine was rebooted
.
    --- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 14:59:05, on 07-11-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Programmer\Bonjour\mDNSResponder.exe
C:\Programmer\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programmer\MioNet\MioNetManager.exe
C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\MioNet\jvm\bin\MioNet.exe
C:\Programmer\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\ATI Technologies\ATI.ACE\cli.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programmer\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programmer\TOSHIBA\ConfigFree\NDSTray.exe
C:\Programmer\TOSHIBA\Tvs\TvsTray.exe
C:\Programmer\TOSHIBA\TOSHIBA-zoomfunktion\SmoothView.exe
C:\Programmer\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Programmer\TOSHIBA\TOSHIBA-programmer\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Programmer\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programmer\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programmer\TOSHIBA\ConfigFree\CFSServ.exe
C:\Programmer\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programmer\K-Lite Codec Pack\QuickTime\QTTask.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programmer\Skype\Phone\Skype.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\Arto\Notifier\ArtoNotifier.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\WINDOWS\VPro500.exe
C:\Programmer\Registry Defender\RegistryDefender.exe
C:\Programmer\Skype\Plugin Manager\skypePM.exe
C:\Programmer\ATI Technologies\ATI.ACE\cli.exe
C:\Programmer\ATI Technologies\ATI.ACE\cli.exe
C:\Programmer\MSN Messenger\usnsvc.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Malik Chemnitz\Skrivebord\Crapcleaner\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {9A628F9F-E722-4540-BBDE-10F69AB181DE} - (no file)
O3 - Toolbar: Alcohol Toolbar - {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - C:\Programmer\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ixdaibov.dll (file missing)
O4 - HKLM\..\Run: [ATICCC] "C:\Programmer\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [THotkey] C:\Programmer\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Tvs] C:\Programmer\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programmer\TOSHIBA\TOSHIBA-zoomfunktion\SmoothView.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programmer\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programmer\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmer\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programmer\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [DVDXGhost] E:\Chemnitz\Pro\DVD X Ghost\DVDXGhost.EXE
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Programmer\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ArtoNotifier] C:\Programmer\Arto\Notifier\ArtoNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Programmer\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: RegistryDefender.lnk = C:\Programmer\Registry Defender\RegistryDefender.exe
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VPro500.lnk = ?
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\programmer\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Programmer\Fælles filer\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FLLESF~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0081409.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: ixdaibov - ixdaibov.dll (file missing)
O20 - Winlogon Notify: opnmmki - opnmmki.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmer\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programmer\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\heerpwkd.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmer\Fælles filer\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: MioNet Service (MioNet) - Unknown owner - C:\Programmer\MioNet\MioNetManager.exe
O23 - Service: Norton Protection Center Service (NSCService) - Unknown owner - C:\Programmer\Fælles filer\Symantec Shared\Security Console\NSCSRVCE.EXE (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programmer\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programmer\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Programmer\Toshiba\TOSHIBA Applet\TAPPSRV.exe


********************************* ROOTCHK-(21-09-07)-LOG, by ejvindh
07-11-2007 15:02:06,75

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 15:02:07
Windows 5.1.2600 Service Pack 2
scanning hidden processes ...

scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000ea132781e]
"001b59b6fb5f"=hex:b5,58,3b,4d,97,88,14,8f,3a,06,ca,b6,e8,6f,8d,45
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:bc,bf,6e,bf,6f,41,fb,fb,37,fd,89,a2,17,cd,c3,86,e9,79,3b,48,46,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000ea132781e]
"001b59b6fb5f"=hex:b5,58,3b,4d,97,88,14,8f,3a,06,ca,b6,e8,6f,8d,45
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:bc,bf,6e,bf,6f,41,fb,fb,37,fd,89,a2,17,cd,c3,86,e9,79,3b,48,46,..

scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000232

scanning hidden files ...

hidden processes: 0
hidden services: 0
hidden files: 0


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/07/2007 at 02:47 PM

Application Version : 3.7.1018

Core Rules Database Version : 3222
Trace Rules Database Version: 1233

Scan type      : Complete Scan
Total Scan Time : 00:51:02

Memory items scanned      : 756
Memory threats detected  : 1
Registry items scanned    : 6076
Registry threats detected : 5
File items scanned        : 43296
File threats detected    : 15

Adware.Vundo Variant
    C:\WINDOWS\SYSTEM32\SSQPM.DLL
    C:\WINDOWS\SYSTEM32\SSQPM.DLL
    HKLM\Software\Classes\CLSID\{9A628F9F-E722-4540-BBDE-10F69AB181DE}
    HKCR\CLSID\{9A628F9F-E722-4540-BBDE-10F69AB181DE}
    HKCR\CLSID\{9A628F9F-E722-4540-BBDE-10F69AB181DE}\InprocServer32
    HKCR\CLSID\{9A628F9F-E722-4540-BBDE-10F69AB181DE}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A628F9F-E722-4540-BBDE-10F69AB181DE}

Adware.Tracking Cookie
    C:\Documents and Settings\Malik Chemnitz\Cookies\malik_chemnitz@atdmt[2].txt
    C:\Documents and Settings\Malik Chemnitz\Cookies\malik_chemnitz@int.sitestat[4].txt
    C:\Documents and Settings\Malik Chemnitz\Cookies\malik_chemnitz@imrworldwide[1].txt
    C:\Documents and Settings\Malik Chemnitz\Cookies\malik_chemnitz@int.sitestat[3].txt
    C:\Documents and Settings\Malik Chemnitz\Cookies\malik_chemnitz@mediaplex[2].txt
    C:\Documents and Settings\Malik Chemnitz\Cookies\malik_chemnitz@adtech[2].txt
    C:\Documents and Settings\Malik Chemnitz\Cookies\malik_chemnitz@serving-sys[1].txt
    C:\Documents and Settings\Malik Chemnitz\Cookies\malik_chemnitz@bs.serving-sys[1].txt
    C:\Documents and Settings\Malik Chemnitz\Cookies\malik_chemnitz@doubleclick[1].txt
    C:\Documents and Settings\Malik Chemnitz\Cookies\malik_chemnitz@track.adform[1].txt
    C:\Documents and Settings\Malik Chemnitz\Cookies\malik_chemnitz@adtech[1].txt
    C:\Documents and Settings\Malik Chemnitz\Cookies\malik_chemnitz@mediaplex[1].txt
    C:\Documents and Settings\Malik Chemnitz\Cookies\malik_chemnitz@sexyd8[2].txt
    C:\Documents and Settings\Malik Chemnitz\Cookies\malik_chemnitz@www.clickxchange[1].txt
mingus (Beginner)
7 November 2007 - 17:05 #1
Is there anyone out there who could take the time to read/interpret them?
fromsej (Trainee)
7 November 2007 - 17:39 #2
Download CCleaner here:
http://www.filehippo.com/download_ccleaner/
Install CCleaner; remember to untick the box for installing the Yahoo toolbar.
Start the program and untick Cookies.
Click Run Cleaner and let it remove what it finds.
Then click Issues on the left-hand side (the blue cube), click Scan for Issues, and when it is finished, click Fix selected issues; optionally make a backup of the registry, then click Fix all selected issues.
Click OK, then click Close when it is finished.
Restart.
---------------------------------------
Run HijackThis, scan, tick the lines listed here, close all windows except HijackThis, and click Fix checked.

O2 - BHO: (no name) - {9A628F9F-E722-4540-BBDE-10F69AB181DE} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ixdaibov.dll (file missing)
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0081409.dat
O20 - Winlogon Notify: ixdaibov - ixdaibov.dll (file missing)
O20 - Winlogon Notify: opnmmki - opnmmki.dll (file missing)

---------------------------------------
Copy the contents between the wavy lines into a Notepad window and save it in the same folder as ComboFix, under the name CFScript.txt. When saving, make sure that "All files" is selected under "file type".

~~~~~~~~~~~~~~~~~~~~~~~~~~
Killall::

File::
C:\WINDOWS\system32\mpqss.ini2
C:\z.dat
C:\WINDOWS\system32\bogagkhw.dll
C:\WINDOWS\system32\drepicor.dll
C:\WINDOWS\system32\mpqss.bak2
C:\WINDOWS\system32\mpqss.bak1
C:\WINDOWS\system32\vbzip10.dll
C:\n.bat
C:\WINDOWS\system32\opnmmki.dll
C:\WINDOWS\system32\ixdaibov.dll
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\__c0081409.dat

Folder::
"C:\Documents and Settings\Malik Chemnitz\Shared"
"C:\Documents and Settings\Malik Chemnitz\Incomplete"
"C:\Documents and Settings\Malik Chemnitz\Application Data\LimeWire"
"C:\Documents and Settings\Malik Chemnitz\Application Data\uTorrent"

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1C1DD717-53B2-485E-A17B-C9977C205E10}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ixdaibov]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmmki]
~~~~~~~~~~~~~~~~~~~~~~~~~~
Then grab the new file with the mouse, drag it onto the ComboFix file, and release the mouse button.
http://www.fromsej.saknet.dk/billeder/cfscript.gif
ComboFix should then start working. It may require a restart, which you should allow. You should not click on the window while the tool is running, as that can cause your computer to freeze.
---------------------------------------
We need to see a fresh HijackThis log, as well as the new ComboFix log.
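The triage fromsej performs above comes down to a few rules: autostart entries whose target file is missing, a core Windows binary name (svchost.exe) living outside system32, and an AppInit_DLLs entry that loads a .dat instead of a .dll. The Python script below is an added example, not part of the original thread and not code from HijackThis or ComboFix; it runs those rules over a handful of lines copied from the HijackThis log posted earlier, and its allow-lists of system binary names and directories are constructed assumptions for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed allow-lists for this example: binaries that malware likes to
# name itself after, and the only directories a genuine copy should live in.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# A drive-letter path ending in a loadable/runnable extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|dat|sys|cpl)\b', re.IGNORECASE)
# HijackThis section id at the start of an entry, e.g. "O4 - " or "R1 - ".
SECTION_RE = re.compile(r"(O\d+|R\d)\s+-\s+")

# Sample input: lines copied from the HijackThis log posted earlier in the thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {9A628F9F-E722-4540-BBDE-10F69AB181DE} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\ixdaibov.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0081409.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: ixdaibov - ixdaibov.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\heerpwkd.exe (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""


@dataclass
class Finding:
    section: str  # HijackThis section id, e.g. "O4"
    reason: str
    line: str


def triage_line(line):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    line = line.strip()
    m = SECTION_RE.match(line)
    if not m:
        return None  # not an Oxx/Rx entry (process list, headers, ...)
    section = m.group(1)
    lowered = line.lower()
    # Rule 1: a hook whose target is gone was still planted by something;
    # the dangling registry entry is cleaned up rather than ignored.
    if "(no file)" in lowered or "(file missing)" in lowered:
        return Finding(section, "autostart entry points at a file that no longer exists", line)
    path = PATH_RE.search(line)
    if not path:
        return None
    directory, _, basename = path.group(0).lower().rpartition("\\")
    # Rule 2: a core Windows binary name outside its home directory is a
    # masquerade (in the log above: C:\WINDOWS\Fonts\svchost.exe).
    if basename in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
        return Finding(section, f"system binary name {basename} outside system32", line)
    # Rule 3: AppInit_DLLs is loaded into every process that uses user32;
    # a non-.dll extension there is a disguise, not a configuration choice.
    if section == "O20" and "appinit_dlls" in lowered and not basename.endswith(".dll"):
        return Finding(section, "AppInit_DLLs entry with a non-DLL extension", line)
    return None


def triage(log_text):
    """Run every line of a HijackThis log through the rules, keeping log order."""
    findings = (triage_line(line) for line in log_text.splitlines())
    return [f for f in findings if f is not None]


def summary(findings):
    """Count findings per HijackThis section, e.g. {'O20': 2, ...}."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

On the sample lines the script flags exactly the entries fromsej lists for HijackThis (O2, O3, the Fonts\svchost.exe O4, the AppInit_DLLs O20 and the two missing Winlogon Notify DLLs) plus the DomainService O23, which ComboFix had already removed; the legitimate SUPERAntiSpyware, Intel and AVG entries pass untouched. Rule 1 is deliberately broad: a missing file does not mean the entry is harmless, only that the loader is gone while the hook remains.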
fromsej (Trainee)
7 November 2007 - 17:40 #3
First uninstall uTorrent and LimeWire in Add/Remove Programs.
Drop file sharing >> http://spywarefri.dk/forum/topic.asp?TOPIC_ID=40284
thesurfer (Beginner)
7 November 2007 - 17:40 #4
You have created the question in the wrong category. This category is reserved for topics related to Eksperten, and nothing else.

Read the following instructions carefully before you continue:


When moving a question:
Remember to SELECT your name in the box on the left and click the ACCEPT button AFTER you have posted an ANSWER.
Then create the question in the right category. Then post a link to the new question in this question.


After having read the instructions carefully, move your question to:

http://www.eksperten.dk/spm/Sikkerhed/Generelt/
fromsej (Trainee)
7 November 2007 - 18:25 #5
Thesurfer >> In principle I agree, but for two reasons we might as well finish it here.
1. I am already on it.
2. I hadn't noticed that it was the wrong category. ;-)
thesurfer (Beginner)
7 November 2007 - 21:24 #6
Since I'm working on my final project at school and am extremely busy, I'm not a Pro member (via Top 100) as usual, and so I didn't see that replies had been posted.. :-)

I couldn't be bothered to write yet another post to explain that.. :-)

But there's nothing stopping the question from being moved anyway, since you're only in the "start phase" of the cleanup/clearing of the log.. :-)
fromsej (Trainee)
7 November 2007 - 21:56 #7
No, of course it can be moved. *S*

A final project, that sounds tough; best of luck from here. :-)
(Remember to make backups regularly!!!)