Avatar billede eltoro Nybegynder
17. januar 2009 - 18:32 Der er 10 kommentarer og
1 løsning

HiJackThis log hjælp

Hej eksperter

Jeg får en meddelelse(c:\windows\system32\mswsock.dll)fra windows defender, der siger at "some known application trying to make some changes to your system; Altså, mswsock.dll. Og det sker så snart jeg har oprettet forbindelse til nettet( gennem 3G).Skal siges at pc'en kører normalt. Der er ikke nogen synlige skader.Jeg har scannet pc'en med Malwarebyte, og den fandt en enkelt nøgle i regbasen. Men meddelelsen kommer stadig.Her er en log fra HiJackThis.
Takker på forhånd
eltoro
Avatar billede eltoro Nybegynder
17. januar 2009 - 18:33 #1
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:16:51, on 17-01-2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\3\3Connect\Wilog.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
D:\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.imesh.com/dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = FaridSoft
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RegRecall] "C:\Program Files\RegRecall\RegRecall.exe" -boot
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Update Agent.lnk = ?
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O13 - Gopher Prefix:
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1231064851280&h=90bb69d4c49828c76440e5eaa4b05848/&filename=jinstall-6u11-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{978C0059-9DB7-4331-9F11-D9D04104CA72}: NameServer = 80.251.201.177 80.251.201.178
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\Windows\SYSTEM32\crypserv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: %NVSVC.name% (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7438 bytes
Avatar billede eltoro Nybegynder
17. januar 2009 - 18:38 #2
Lidt info om pc'en:
Hp pavilion dv9332ea
Intel duo 1,8
2 gig ram
Vista ultimate sp1
Avatar billede ejvindh Ekspert
19. januar 2009 - 09:45 #3
-- Hent Combofix fra et af disse links, og gem den på dit skrivebord:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

-- Kopiér indholdet mellem de bølgede linier ind i et notepad-vindue, og gem indholdet i samme mappe, som Combofix ligger med navnet CFScript.txt. Når du gemmer, skal du sikre, at der under "filtyper" står "alle filer".

~~~~~~~~~~~~~~~~~~~~~~~~~~
FileLook::
c:\windows\system32\mswsock.dll
~~~~~~~~~~~~~~~~~~~~~~~~~~
Tag så fat i den nye fil med musen, og før den hen over Combofix-filen, hvorefter du "giver slip" med musen. Så skulle Combofix gerne give sig til at arbejde. Muligvis vil den kræve en genstart, hvilket du skal tillade. Du bør ikke klikke på vinduet imens værktøjet kører, idet det kan få din computer til at fryse.
Når combofix er færdig, og efter det har genstartet, skulle der gerne åbnes en logfil: combofix.txt
Indholdet af denne fil må du gerne lægge herind til gennemsyn
Avatar billede eltoro Nybegynder
19. januar 2009 - 19:57 #4
ComboFix 09-01-19.01 - Farid 2009-01-19 19:48:31.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate  6.0.6001.1.1252.1.1033.18.2045.1300 [GMT 1:00]
Kører fra: d:\programs\ComboFix\ComboFix.exe
Kommandoer benyttet :: d:\programs\ComboFix\CFScript.txt
* Dannede nyt systemgendannelsespunkt
.

(((((((((((((((((((((((((((((((((((((((  Andet, der er slettet  )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Forrige Kørsel -------
.
c:\windows\system32\OGACheckControl.dll
D:\explorer.exe

.
(((((((((((((((((((((((((((((  Filer skabt fra 2008-12-19 til 2009-01-19  )))))))))))))))))))))))))))))))))))
.

2009-01-18 17:34 . 2009-01-18 18:12    <DIR>    d--------    c:\users\All Users\SecTaskMan
2009-01-18 17:34 . 2009-01-18 18:12    <DIR>    d--------    c:\programdata\SecTaskMan
2009-01-18 17:34 . 2009-01-18 17:34    <DIR>    d--------    c:\program files\Security Task Manager
2009-01-17 20:48 . 2008-06-20 02:14    781,344    --a------    c:\windows\System32\PresentationNative_v0300.dll
2009-01-17 20:48 . 2008-06-20 02:14    622,080    --a------    c:\windows\System32\icardagt.exe
2009-01-17 20:48 . 2008-06-20 02:14    326,160    --a------    c:\windows\System32\PresentationHost.exe
2009-01-17 20:48 . 2008-06-20 02:14    105,016    --a------    c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-01-17 20:48 . 2008-06-20 02:14    97,800    --a------    c:\windows\System32\infocardapi.dll
2009-01-17 20:48 . 2008-06-20 02:14    43,544    --a------    c:\windows\System32\PresentationHostProxy.dll
2009-01-17 20:48 . 2008-06-20 02:14    37,384    --a------    c:\windows\System32\infocardcpl.cpl
2009-01-17 20:48 . 2008-06-20 02:14    11,264    --a------    c:\windows\System32\icardres.dll
2009-01-17 20:44 . 2008-07-27 19:03    282,112    --a------    c:\windows\System32\mscoree.dll
2009-01-17 20:44 . 2008-07-27 19:03    158,720    --a------    c:\windows\System32\mscorier.dll
2009-01-17 20:44 . 2008-07-27 19:03    96,760    --a------    c:\windows\System32\dfshim.dll
2009-01-17 20:44 . 2008-07-27 19:03    83,968    --a------    c:\windows\System32\mscories.dll
2009-01-17 20:44 . 2008-07-27 19:03    41,984    --a------    c:\windows\System32\netfxperf.dll
2009-01-17 20:30 . 2009-01-17 20:30    <DIR>    dr-h-----    C:\AHCache
2009-01-17 12:00 . 2009-01-17 12:00    <DIR>    d--------    c:\users\Farid\AppData\Roaming\Malwarebytes
2009-01-17 11:59 . 2009-01-17 11:59    <DIR>    d--------    c:\users\All Users\Malwarebytes
2009-01-17 11:59 . 2009-01-17 11:59    <DIR>    d--------    c:\programdata\Malwarebytes
2009-01-17 11:00 . 2009-01-17 11:00    0    --a------    c:\windows\nsreg.dat
2009-01-16 20:59 . 2009-01-16 20:59    <DIR>    d--------    c:\windows\nvtmpinst
2009-01-16 19:56 . 2009-01-16 19:56    <DIR>    d--------    C:\NVIDIA
2009-01-16 13:19 . 2009-01-16 13:19    0    -rahs----    c:\windows\System32\drivers\103C_HP_cNB_Pavilion dv9000 (GF722EA#UUW)_Y5335KV_0U_QCNF71246BK_EU_4A_I30BD_SQuanta_V66.37_F.16_T070202_WV1-1_L409_M2046_J160_7Intel_86F6_91.83_#090116_N8086109A;80864222_(GF722EA#UUW)_XMOBILE_CN10_Z_2Rev 1.MRK
2009-01-16 11:23 . 2009-01-17 21:05    <DIR>    d--------    c:\users\All Users\Retrospect
2009-01-16 11:23 . 2009-01-17 21:05    <DIR>    d--------    c:\programdata\Retrospect
2009-01-16 11:22 . 2009-01-16 11:22    <DIR>    d--------    c:\program files\Dantz
2009-01-15 15:31 . 2008-12-16 03:42    288,768    --a------    c:\windows\System32\drivers\srv.sys
2009-01-15 14:07 . 2009-01-15 14:31    <DIR>    d--------    c:\users\All Users\Spybot - Search & Destroy
2009-01-15 14:07 . 2009-01-15 14:31    <DIR>    d--------    c:\programdata\Spybot - Search & Destroy
2009-01-15 13:11 . 2009-01-15 13:11    <DIR>    d----c---    c:\users\All Users\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-01-15 13:11 . 2009-01-15 13:11    <DIR>    d----c---    c:\programdata\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-01-14 16:09 . 2009-01-14 16:09    <DIR>    d--------    c:\users\All Users\2E28B
2009-01-14 16:09 . 2009-01-14 16:09    <DIR>    d--------    c:\programdata\2E28B
2009-01-14 16:08 . 2008-09-25 14:20    483,328    --a------    c:\windows\System32\actskn45.ocx
2009-01-10 21:05 . 2009-01-10 21:05    <DIR>    d----c---    c:\windows\System32\DRVSTORE
2009-01-10 21:05 . 2008-08-25 16:48    40,496    --a------    c:\windows\System32\drivers\hotcore3.sys
2009-01-10 21:04 . 2009-01-10 21:04    <DIR>    d--------    c:\program files\Paragon Software
2009-01-09 20:13 . 2009-01-10 15:30    <DIR>    d--------    c:\program files\Conduit
2009-01-09 20:12 . 2009-01-18 08:47    <DIR>    d--------    c:\users\Farid\AppData\Roaming\Babylon
2009-01-09 20:12 . 2009-01-18 08:47    <DIR>    d--------    c:\users\All Users\Babylon
2009-01-09 20:12 . 2009-01-18 08:47    <DIR>    d--------    c:\programdata\Babylon
2009-01-09 20:12 . 2009-01-09 20:12    <DIR>    d--------    c:\program files\Babylon
2009-01-09 19:42 . 2009-01-18 08:42    69    --a------    c:\windows\NeroDigital.ini
2009-01-09 12:25 . 2009-01-09 12:25    <DIR>    d--------    c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-09 12:24 . 2009-01-09 12:24    <DIR>    d--------    c:\program files\MSXML 4.0
2009-01-08 11:48 . 2009-01-08 11:48    4    --a------    c:\windows\vx86036.dat
2009-01-08 11:47 . 2009-01-08 11:47    <DIR>    d--------    c:\users\All Users\CrypKey
2009-01-08 11:47 . 2009-01-08 11:47    <DIR>    d--------    c:\programdata\CrypKey
2009-01-08 11:47 . 1999-06-18 21:49    165,888    --a------    c:\windows\Ckconfig.exe
2009-01-08 11:47 . 2008-05-08 00:29    122,880    --a------    c:\windows\System32\Crypserv.exe
2009-01-08 11:47 . 1996-05-03 17:21    27,648    -ra------    c:\windows\Setup_ck.exe
2009-01-08 11:47 . 2008-03-17 17:45    19,584    --a------    c:\windows\System32\Ckldrv.sys
2009-01-08 11:47 . 1996-05-03 15:36    18,432    --a------    c:\windows\Setup_ck.dll
2009-01-08 11:47 . 1995-07-04 18:33    11,776    --a------    c:\windows\Ckrfresh.exe
2009-01-08 11:47 . 2009-01-08 11:48    1,680    --a------    c:\windows\System32\esnecil.nlp
2009-01-08 11:47 . 2009-01-08 19:23    1,680    --a------    c:\windows\System32\esnecil.ind
2009-01-08 11:47 . 2009-01-08 11:47    71    --a------    c:\windows\Crypkey.ini
2009-01-07 10:30 . 2009-01-07 10:30    <DIR>    d--------    c:\users\All Users\LightScribe
2009-01-07 10:30 . 2009-01-07 10:30    <DIR>    d--------    c:\programdata\LightScribe
2009-01-07 10:17 . 2009-01-07 15:17    <DIR>    d--------    c:\users\Farid\AppData\Roaming\Nero
2009-01-06 14:01 . 2009-01-07 15:15    <DIR>    d--------    c:\users\All Users\Nero
2009-01-06 14:01 . 2009-01-07 15:15    <DIR>    d--------    c:\programdata\Nero
2009-01-06 14:01 . 2009-01-09 12:34    <DIR>    d--------    c:\program files\Nero
2009-01-06 14:01 . 2009-01-07 15:16    <DIR>    d--------    c:\program files\Common Files\Nero
2009-01-06 12:42 . 2009-01-06 13:13    <DIR>    d--------    c:\users\Farid\AppData\Roaming\RegRecall
2009-01-06 12:41 . 2009-01-06 12:41    <DIR>    d--------    c:\program files\RegRecall
2009-01-05 15:02 . 2009-01-09 14:15    280    --a------    c:\windows\System32\PDBootState
2009-01-05 11:51 . 2009-01-05 11:51    0    --ah-----    c:\windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-01-05 11:44 . 2009-01-05 11:44    <DIR>    d--------    c:\users\Farid\AppData\Roaming\Birdstep Technology
2009-01-04 17:00 . 2008-09-23 13:20    13,576    --a------    c:\windows\System32\wnaspi32.dll
2009-01-04 15:00 . 2009-01-04 15:00    <DIR>    d--------    c:\users\All Users\Raxco
2009-01-04 15:00 . 2009-01-04 15:00    <DIR>    d--------    c:\programdata\Raxco
2009-01-04 15:00 . 2009-01-04 15:00    <DIR>    d--------    c:\program files\Common Files\Raxco
2009-01-04 14:59 . 2009-01-04 15:00    <DIR>    d--------    c:\program files\Raxco
2009-01-04 12:39 . 2009-01-04 12:39    <DIR>    d--------    c:\program files\Microsoft SQL Server Compact Edition
2009-01-04 12:39 . 2006-11-29 13:06    3,426,072    --a------    c:\windows\System32\d3dx9_32.dll
2009-01-04 12:38 . 2009-01-04 12:38    <DIR>    d--------    c:\windows\PCHEALTH
2009-01-04 12:36 . 2009-01-04 12:36    <DIR>    d--------    c:\users\All Users\WLInstaller
2009-01-04 12:36 . 2009-01-04 12:36    <DIR>    d--------    c:\programdata\WLInstaller
2009-01-04 12:36 . 2009-01-09 12:25    <DIR>    d--------    c:\program files\Windows Live
2009-01-04 12:36 . 2009-01-04 12:38    <DIR>    d--hsc---    c:\program files\Common Files\WindowsLiveInstaller
2009-01-04 12:27 . 2009-01-04 12:27    <DIR>    d--------    c:\users\Farid\AppData\Roaming\Yahoo!
2009-01-04 12:26 . 2009-01-04 12:28    <DIR>    d--------    c:\users\All Users\Yahoo!
2009-01-04 12:26 . 2009-01-04 12:28    <DIR>    d--------    c:\programdata\Yahoo!
2009-01-04 12:26 . 2009-01-04 14:32    <DIR>    d--------    c:\program files\Yahoo!
2009-01-04 12:09 . 2009-01-04 12:09    <DIR>    d--------    c:\users\Farid\AppData\Roaming\Logitech
2009-01-04 12:09 . 2009-01-04 12:09    <DIR>    d--------    c:\users\All Users\LogiShrd
2009-01-04 12:09 . 2009-01-04 12:09    <DIR>    d--------    c:\programdata\LogiShrd
2009-01-04 12:08 . 2009-01-04 12:08    0    --ah-----    c:\windows\System32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-01-04 12:08 . 2009-01-04 12:08    0    --ah-----    c:\windows\System32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-01-04 12:07 . 2009-01-04 12:07    <DIR>    d--------    c:\users\All Users\Logitech
2009-01-04 12:07 . 2009-01-04 12:07    <DIR>    d--------    c:\programdata\Logitech
2009-01-04 12:07 . 2009-01-04 12:07    <DIR>    d--------    c:\program files\Logitech
2009-01-04 12:07 . 2009-01-04 12:07    <DIR>    d--------    c:\program files\Common Files\Logishrd
2009-01-04 12:07 . 2008-01-09 12:26    301,656    --a------    c:\windows\System32\BtCoreIf.dll
2009-01-04 12:07 . 2008-01-09 12:27    170,512    --a------    c:\windows\System32\kemutb.dll
2009-01-04 12:07 . 2008-01-09 12:28    141,840    --a------    c:\windows\System32\KemUtil.dll
2009-01-04 12:07 . 2008-01-09 12:28    117,264    --a------    c:\windows\System32\KemWnd.dll
2009-01-04 12:07 . 2008-01-09 12:28    76,304    --a------    c:\windows\System32\KemXML.dll
2009-01-04 11:54 . 2008-08-17 11:33    678,408    --a------    c:\windows\System32\gpprefcl.dll
2009-01-04 11:53 . 2008-12-04 02:42    1,079,840    --a------    c:\windows\System32\nvcpluir.dll
2009-01-04 11:53 . 2008-12-04 02:42    313,888    --a------    c:\windows\System32\nvexpbar.dll
2009-01-04 11:52 . 2009-01-04 11:52    <DIR>    d--------    c:\program files\Synaptics
2009-01-04 11:52 . 2009-01-04 11:52    0    --ah-----    c:\windows\System32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-01-04 11:46 . 2008-12-13 07:23    1,659,392    --a------    c:\windows\System32\mshtml.tlb
2009-01-04 11:34 . 2009-01-04 11:34    171,136    -rahs----    C:\grldr
2009-01-04 11:27 . 2009-01-04 11:27    <DIR>    d--------    c:\windows\Sun
2009-01-04 11:27 . 2009-01-04 11:27    <DIR>    d--------    c:\program files\Java
2009-01-04 11:27 . 2009-01-04 11:27    410,984    --a------    c:\windows\System32\deploytk.dll
2009-01-04 10:43 . 2009-01-04 10:43    240,128    --a------    c:\windows\System32\drivers\royal.sys
2009-01-04 10:08 . 2007-07-22 08:38    766,216    --a------    c:\windows\Windows_Vista_Activation_Tool.exe
2009-01-04 02:38 . 2009-01-03 17:43    <DIR>    d--------    c:\windows\Panther
2009-01-03 23:47 . 2009-01-03 23:47    <DIR>    d--------    C:\PerfLogs
2009-01-03 23:30 . 2009-01-03 23:06    152,576    --a------    c:\windows\System32\SPWizUI.dll
2009-01-03 23:30 . 2009-01-03 23:06    47,560    --a------    c:\windows\System32\SPReview.exe
2009-01-03 23:15 . 2008-01-18 23:33    599,552    --a------    c:\windows\System32\vsp1cln.exe
2009-01-03 23:15 . 2008-01-18 23:33    193,024    --a------    c:\windows\System32\recdisc.exe
2009-01-03 23:15 . 2008-01-18 23:36    142,336    --a------    c:\windows\System32\spp.dll
2009-01-03 23:15 . 2008-01-18 23:36    28,160    --a------    c:\windows\System32\sxproxy.dll
2009-01-03 23:15 . 2008-01-18 23:36    6,656    --a------    c:\windows\System32\sdspres.dll
2009-01-03 23:07 . 2008-01-18 23:33    44,032    --a------    c:\windows\System32\cbsra.exe
2009-01-03 23:06 . 2009-01-03 23:06    <DIR>    d--------    C:\aa1f186845fa875fd26e4d
2009-01-03 23:06 . 2009-01-03 23:31    196,608    --a------    c:\windows\SPInstall.etl
2009-01-03 22:55 . 2009-01-03 22:55    <DIR>    d--------    c:\program files\Real

.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 14:33    ---------    d-----w    c:\program files\Windows Mail
2009-01-03 22:54    174    --sha-w    c:\program files\desktop.ini
2009-01-03 22:48    ---------    d-----w    c:\program files\Windows Sidebar
2009-01-03 22:48    ---------    d-----w    c:\program files\Windows Photo Gallery
2009-01-03 22:48    ---------    d-----w    c:\program files\Windows Journal
2009-01-03 22:48    ---------    d-----w    c:\program files\Windows Defender
2009-01-03 22:48    ---------    d-----w    c:\program files\Windows Collaboration
2009-01-03 22:48    ---------    d-----w    c:\program files\Windows Calendar
2009-01-03 22:39    82,432    ----a-w    c:\windows\System32\axaltocm.dll
2009-01-03 22:39    101,888    ----a-w    c:\windows\System32\ifxcardm.dll
2009-01-03 21:18    541,696    ----a-w    c:\windows\AppPatch\AcLayers.dll
2009-01-03 21:18    52,736    ----a-w    c:\windows\AppPatch\iebrshim.dll
2009-01-03 21:18    460,288    ----a-w    c:\windows\AppPatch\AcSpecfc.dll
2009-01-03 21:18    2,560    ----a-w    c:\windows\AppPatch\AcRes.dll
2009-01-03 21:18    2,154,496    ----a-w    c:\windows\AppPatch\AcGenral.dll
2009-01-03 21:18    173,056    ----a-w    c:\windows\AppPatch\AcXtrnal.dll
2009-01-03 21:04    801,280    ----a-w    c:\windows\System32\NaturalLanguage6.dll
2008-12-04 01:42    131,072    ----a-w    c:\windows\System32\nvcod135.dll
.

((((((((((((((((((((((((((((((((((((((((((((  Look  )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.


---- c:\windows\system32\mswsock.dll ----
Company: Microsoft Corporation
File Description: Microsoft Windows Sockets 2.0 Service Provider
File Version: 6.0.6001.18000 (longhorn_rtm.080118-1840)
Product Name: Microsoft© Windows© Operating System
Copyright: ¸ Microsoft Corporation. All rights reserved.
Original file name: mswsock.dll
MD5: 89fd0595eea4e505cabefcf7008f2612


(((((((((((((((((((((((((((((  snapshot@2009-01-19_19.22.42,73  )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-19 18:07:03    2,048    --sha-w    c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-01-19 18:40:56    2,048    --sha-w    c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-01-19 18:07:03    2,048    --sha-w    c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-01-19 18:40:56    2,048    --sha-w    c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-01-19 18:08:29    262,144    --sha-w    c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-01-19 18:42:21    262,144    --sha-w    c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-01-19 18:42:21    262,144    ---ha-w    c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2009-01-19 18:08:24    262,144    --sha-w    c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-01-19 18:41:43    262,144    --sha-w    c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-01-19 18:41:43    262,144    ---ha-w    c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-01-19 18:07:06    16,384    --sha-w    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-01-19 18:40:57    16,384    --sha-w    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-01-19 18:07:06    32,768    --sha-w    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-19 18:40:57    32,768    --sha-w    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-19 18:07:06    16,384    --sha-w    c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-01-19 18:40:57    16,384    --sha-w    c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-01-19 18:11:50    101,250    ----a-w    c:\windows\System32\perfc009.dat
+ 2009-01-19 18:45:26    101,250    ----a-w    c:\windows\System32\perfc009.dat
- 2009-01-19 18:11:50    587,178    ----a-w    c:\windows\System32\perfh009.dat
+ 2009-01-19 18:45:26    587,178    ----a-w    c:\windows\System32\perfh009.dat
- 2009-01-19 18:08:45    7,666    ----a-w    c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-353937619-999573262-902908056-1000_UserData.bin
+ 2009-01-19 18:42:37    7,666    ----a-w    c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-353937619-999573262-902908056-1000_UserData.bin
- 2009-01-19 18:08:45    71,590    ----a-w    c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-01-19 18:42:37    71,606    ----a-w    c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-01-19 18:08:44    33,868    ----a-w    c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-01-19 18:42:36    33,868    ----a-w    c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
(((((((((((((((((((((((((((((((((((  Start steder i reg.basen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-18 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-09-12 182808]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-03 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"RegRecall"="c:\program files\RegRecall\RegRecall.exe" [2007-12-25 3761392]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2008-08-16 3178720]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-08-24 612896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-24 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-24 92704]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 c:\windows\KHALMNPR.Exe]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-01-04 789008]
Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2008-10-23 442368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuSubFolders"= 1 (0x1)
"NoTaskGrouping"= 1 (0x1)
"NoUserFolderInStartMenu"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ      PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-353937619-999573262-902908056-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E9FCA8E0-55ED-44B7-A22E-81D0444C0525}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C7F2A193-7ABD-4AE2-9932-0FB7511F2E56}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{58F0ADA4-0FFD-48A3-A330-0C1E3D09E99E}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{0FA6DCF5-67B5-4690-9385-954E2B4FEA32}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{92B9C1E7-2B80-47CB-AAB5-F8C72CE18351}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"{0BCC0F86-A2D4-460C-8EB7-1E27F890B812}"= UDP:c:\program files\iMesh Applications\iMesh\iMesh.exe:iMesh
"{106A81A9-A47A-4695-9284-CEE90D657CBA}"= TCP:c:\program files\iMesh Applications\iMesh\iMesh.exe:iMesh
"{ED0DDDFB-4285-4BEF-9460-2EC0D88860DD}"= UDP:c:\program files\Kazaa\kazaa.exe:Kazaa
"{25A9983C-9D31-49AC-8E03-B4BB5C025314}"= TCP:c:\program files\Kazaa\kazaa.exe:Kazaa

R0 hotcore3;Hotcore helper;c:\windows\System32\drivers\hotcore3.sys [2009-01-10 40496]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [2008-09-25 3666432]
R4 IAANTMON;Intel(R) Matrix Storage Event Monitor;c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe [2009-01-03 354840]
S0 OemBiosDevice;Royalty OEM Bios Extension;c:\windows\System32\drivers\royal.sys [2009-01-04 240128]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{500f3236-db15-11dd-9ea2-001b24031f66}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{619497a8-d9b9-11dd-a2ba-001b24031f66}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{619497ca-d9b9-11dd-a2ba-001b24031f66}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{754d5549-d9de-11dd-8b1b-001b24031f66}]
\shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cd6c8a7-db11-11dd-a711-806e6f6e6963}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8cd6c8dd-db11-11dd-a711-001b24031f66}]
\shell\AutoRun\command - H:\AutoRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Indhold af mappen 'Planlagte Opgaver'

2009-01-19 c:\windows\Tasks\RegRecall Scheduled Scan.job
- c:\program files\RegRecall\RegRecall.exe [2007-12-25 19:30]

2009-01-19 c:\windows\Tasks\RegRecall Scheduled Scan.job
- c:\program files\RegRecall [2009-01-06 12:41]

2009-01-19 c:\windows\Tasks\User_Feed_Synchronization-{AEE476AA-1C01-46A2-8074-D674192E2D8D}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 11:05]
.
.
------- Yderligere scanning -------
.
uStart Page = hxxp://search.imesh.com/dk/
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
FF - ProfilePath - c:\users\Farid\AppData\Roaming\Mozilla\Firefox\Profiles\ayl0cwgl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?hl=da
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 19:50:39
Windows 6.0.6001 Service Pack 1 NTFS

scanner skjulte processer ... 

Tÿdÿ [-8] 0x00300000

scanner skjulte autostarter ...

scanner skjulte filer ... 


c:\users\Farid\AppData\Local\Temp\catchme.dll 53248 bytes executable

scanning gennemført med succes
skjulte filer: 1

**************************************************************************
.
--------------------- DLLs startet under kørende Processer ---------------------

- - - - - - - > 'Explorer.exe'(5176)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
Gennemført tid: 2009-01-19 19:52:05
ComboFix-quarantined-files.txt  2009-01-19 18:52:03

Pre-Kørsel: 12,423,499,776 bytes free
Post-Kørsel: 12,305,661,952 bytes free

311    --- E O F ---    2009-01-17 14:23:31
Avatar billede eltoro Nybegynder
19. januar 2009 - 19:59 #5
hej ejvindh
Der kommer ikke nogen genstart efter programmet er kørt. Det er som om combofix kan ikke gøre arbejdet færdigt.
Avatar billede eltoro Nybegynder
19. januar 2009 - 20:05 #6
Nu kommer der også en meddelelse fra defender, der siger; "C:\programfiles\Internet Explorer\ieexplorer" has made some changes eller noget i den stil. Er det vigtigt at jeg skal gemme den downloadede Combofix.exe på skrivebordet, altså "C" drevet?
19. januar 2009 - 22:24 #7
\program files\Kazaa\kazaa.exe - Hmmm...
Avatar billede ejvindh Ekspert
20. januar 2009 - 00:15 #8
Der er ikke tegn på infektion i dine logs. Men det ser ud til at du har installeret noget nyt software for nyligt. Nu kender jeg ikke Defender så godt, men prøv lige at give tilladelser til de ting, der bliver alarmeret for lige nu, og se så om ikke advarslerne efterhånden stilner af.

Derudover vil jeg (som karise_larry også antyder) anbefale at du holder dig fra Kazaa. Kazaa er nok én af de mest inficerede fildelingsklienter, der findes.
Avatar billede eltoro Nybegynder
20. januar 2009 - 18:08 #9
ok, tak for hjælpen. Også til karise larry.Og, yes; Det hele startede med at installerede kazaa.Selvom jeg afinstallerede den minutter efter, skaden var gjort.
Avatar billede eltoro Nybegynder
20. januar 2009 - 18:13 #10
advarslerne er ikke noget problem. Jeg har givet "ordre" til defender at jeg ikke vil se dem:-) men bare det, at jeg ved der er et eller andet som ikke tilhør systemmet, irriterer mig. Men jeg vil gøre som anbefalet og ser hvad der sker. Endnu engang tak for hjælpen
Avatar billede ejvindh Ekspert
20. januar 2009 - 21:24 #11
Velbekomme :-)
Avatar billede Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Loading billede Opret Preview
Kategori
IT-kurser om Microsoft 365, sikkerhed, personlig vækst, udvikling, digital markedsføring, grafisk design, SAP og forretningsanalyse.

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Du kan også logge ind via nedenstående tjenester