harisk Beginner
06 April 2009 - 15:55 There are 9 comments and 1 solution

HijackThis log, reader_s.exe, PC brought to its knees

Hi folks!

My C: drive has been taken over by so much crap that I can't use my PC.
I installed AVG 8 and tried to clean up, but it all went to hell. Now it's gone and here is the log. If anyone can tell me what needs to be installed and deleted, you're very welcome.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:36:40, on 06-04-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Programmer\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\c++.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\dhcp\svchost.exe
C:\Programmer\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\tdctxte.exe
C:\WINDOWS\system32\3361\svchost.exe
C:\WINDOWS\System32\reader_s.exe
C:\Programmer\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\BN2.tmp
C:\WINDOWS\TEMP\B026.tmp
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\c++.exe,
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [1350] C:\WINDOWS\system32\1A.tmp.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] 63400A04031D427E16192C214A5D0D2D2035500531252544330C290B26AFDDA5DFE41A302510073256452D3B132807C0DB70DFA3B3A6B42060606020202020602020202060202020202060206035EAF1EEFFE4CF5E62032C213A312B3A49015E2C227C1F233D34113556525913191B35493C38310E710A393028326300402A1C09372E152D006D422C2BÔÛ/
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\3361\svchost.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Programmer\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINDOWS\system32\3361\svchost.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\ny\reader_s.exe
O4 - HKLM\..\Policies\Explorer\Run: [services] 63400A04031D427E16192C214A5D0D2D2035500531252544330C290B26AFDDA5DFE41A302510073256452D3B132807C0DB70DFA3B3A6B42060606020202020602020202060202020202060206035EAF1EEFFE4CF5E62032C213A312B3A49015E2C227C1F233D34113556525913191B35493C38310E710A393028326300402A1C09372E152D006D422C2BÔÛ/
O4 - HKUS\.DEFAULT\..\Run: [services] 63400A04031D427E16192C214A5D0D2D2035500531252544330C290B26AFDDA5DFE41A302510073256452D3B132807C0DB70DFA3B3A6B42060606020202020602020202060202020202060206035EAF1EEFFE4CF5E62032C213A312B3A49015E2C227C1F233D34113556525913191B35493C38310E710A393028326300402A1C09372E152D006D422C2BÔÛ/ (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FLLESF~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] 63400A04031D427E16192C214A5D0D2D2035500531252544330C290B26AFDDA5DFE41A302510073256452D3B132807C0DB70DFA3B3A6B42060606020202020602020202060202020202060206035EAF1EEFFE4CF5E62032C213A312B3A49015E2C227C1F233D34113556525913191B35493C38310E710A393028326300402A1C09372E152D006D422C2BÔÛ/ (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmer\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Åbn på ny baggrundsfane - res://C:\Programmer\Windows Live Toolbar\Components\da-dk\msntabres.dll.mui/229?20538a579fcd4029a4e47ee3aec259d6
O8 - Extra context menu item: Åbn på ny forgrundsfane - res://C:\Programmer\Windows Live Toolbar\Components\da-dk\msntabres.dll.mui/230?20538a579fcd4029a4e47ee3aec259d6
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.biobooking.dk
O15 - Trusted Zone: http://www.toyotaextreme.dk
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {9DF01F00-08E7-4DBE-9070-94841463B3FE} (Util Class) - https://danid.dk/csp/authenticode/csp.exe
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = medialogic.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = medialogic.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programmer\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O23 - Service: afisicx  Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Tjenesten Background Intelligent Transfer (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Dhcp server (dhcpsrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmer\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: sopidkc  Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: tdctxte  Service (tdctxte) - Unknown owner - C:\WINDOWS\system32\tdctxte.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7429 bytes
f-arn Guru
06 April 2009 - 16:24 #1
Download and install CCleaner http://www.ccleaner.com/ + http://www.spywarefri.dk/manualer/ccleaner-manual.htm
During the installation you will be offered [Yahoo Toolbar]. You should say no to that.
Let the program perform a cleanup.

  http://vistaguide.dk/?Artikler/CCleaner-GuideTilOptimeringAfVista/763

-------
Download "Malwarebytes' Anti-Malware" here: http://www.besttechie.net/tools/mbam-setup.exe
Install and start the program, update it, and run a "full system scan" under the "scanner" tab.
Afterwards click "show results", press "Remove selected" and post the log here together with a new HijackThis log
harisk Beginner
06 April 2009 - 19:13 #2
Here are a couple of fresh logs:

Malwarebytes log:
Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 3

06-04-2009 18:44:59
mbam-log-2009-04-06 (18-44-59).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 106410
Time elapsed: 40 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 29
Registry Values Infected: 8
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\geBrsSJc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jnvxsw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\geBsppoM.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0f11e282-ccd8-41eb-ad84-b8fa2cb47837} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0f11e282-ccd8-41eb-ad84-b8fa2cb47837} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebsppom (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a768e114-5865-4058-926d-b5b4d0258215} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a768e114-5865-4058-926d-b5b4d0258215} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5293f43e-5039-422e-94d8-a0082bb29e2b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdctxte (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tdctxte (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdctxte (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\protect (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f4e16aa6 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5293f43e-5039-422e-94d8-a0082bb29e2b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{5293f43e-5039-422e-94d8-a0082bb29e2b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\gebrssjc -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\gebrssjc  -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\c++.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\c++.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\c++.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\geBrsSJc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cJSsrBeg.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cJSsrBeg.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geBsppoM.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jnvxsw.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\gqknochq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qhconkqg.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\ny\Lokale indstillinger\Temp\7F4A.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\Documents and Settings\ny\Lokale indstillinger\Temp\Temporary Internet Files\Content.IE5\1BFQLK81\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\ny\Lokale indstillinger\Temp\Temporary Internet Files\Content.IE5\C9R740VP\qw[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wqhmlaii.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\24B4.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\4D46.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\B026.tmp (Backdoor.KeyStart) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3361\SVCHOST.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\c++.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sopidkc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tpszxyd.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdctxte.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\services.ex_ (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\protect.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:51:32, on 06-04-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OE1FSC1SRk9ENC1TWFdSOC1KUlRRQS1KUkNKUS1XRU1CUg&inst=&prod=54&ver=8.5.280
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programmer\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmer\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmer\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Programmer\Malwarebytes Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Programmer\Malwarebytes Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [services] 63400A04031D427E16192C214A5D0D2D2035500531252544330C290B26AFDDA5DFE41A302510073256452D3B132807C0DB70DFA3B3A6B42060606020202020602020202060202020202060206035EAF1EEFFE4CF5E62032C213A312B3A49015E2C227C1F233D34113556525913191B35493C38310E710A393028326300402A1C09372E152D006D422C2BÔÛ/ (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] 63400A04031D427E16192C214A5D0D2D2035500531252544330C290B26AFDDA5DFE41A302510073256452D3B132807C0DB70DFA3B3A6B42060606020202020602020202060202020202060206035EAF1EEFFE4CF5E62032C213A312B3A49015E2C227C1F233D34113556525913191B35493C38310E710A393028326300402A1C09372E152D006D422C2BÔÛ/ (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [services] 63400A04031D427E16192C214A5D0D2D2035500531252544330C290B26AFDDA5DFE41A302510073256452D3B132807C0DB70DFA3B3A6B42060606020202020602020202060202020202060206035EAF1EEFFE4CF5E62032C213A312B3A49015E2C227C1F233D34113556525913191B35493C38310E710A393028326300402A1C09372E152D006D422C2BÔÛ/ (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] 63400A04031D427E16192C214A5D0D2D2035500531252544330C290B26AFDDA5DFE41A302510073256452D3B132807C0DB70DFA3B3A6B42060606020202020602020202060202020202060206035EAF1EEFFE4CF5E62032C213A312B3A49015E2C227C1F233D34113556525913191B35493C38310E710A393028326300402A1C09372E152D006D422C2BÔÛ/ (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {9DF01F00-08E7-4DBE-9070-94841463B3FE} (Util Class) - https://danid.dk/csp/authenticode/csp.exe
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = medialogic.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = medialogic.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programmer\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Tjenesten Background Intelligent Transfer (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Dhcp server (dhcpsrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmer\Java\jre6\bin\jqs.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6654 bytes


Is it bad? What's the next move?
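As an added illustration (not part of the thread, and not HijackThis or Malwarebytes code): a small Python triage script that applies the patterns Malwarebytes confirmed in the log above to a constructed excerpt of the first HijackThis log. It flags the extra UserInit entry (Hijack.UserInit, where the good value is just userinit.exe), svchost.exe running from anywhere but system32 (the dhcp\ and 3361\ copies), binaries running from TEMP, a Run value that is a hex blob rather than a command line, a populated AppInit_DLLs, and services with no vendor string in system32. The rule set, severities and the truncated sample lines are my assumptions; note that a plain-looking autorun such as reader_s.exe passes these structural checks and still needs a vendor or hash check.

```python
"""Triage a HijackThis v2 log for structural red flags.

Added example, not HijackThis/Malwarebytes code. The heuristics are
assumptions drawn from what Malwarebytes confirmed in this thread.
"""
from __future__ import annotations

import ntpath
import re

SYSTEM32 = r"c:\windows\system32"
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
ENTRY_RE = re.compile(r"^(F\d|O\d+|R\d)\s+-\s+(.*)$")
SERVICE_RE = re.compile(r"Service: (.+?) - (.+?) - (.+)$")

# Constructed sample: a shortened copy of lines from the thread's first log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\dhcp\svchost.exe
C:\WINDOWS\system32\3361\svchost.exe
C:\WINDOWS\TEMP\BN2.tmp

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\c++.exe,
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] 63400A04031D427E16192C214A5D0D2D2035500531
O4 - HKLM\..\Run: [Ad-Watch] C:\Programmer\Lavasoft\Ad-Aware\AAWTray.exe
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O23 - Service: afisicx  Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmer\Java\jre6\bin\jqs.exe
"""


def _norm(path: str) -> str:
    """Lower-case, unquoted form of a path for comparisons."""
    return path.strip().strip('"').lower()


def check_userinit(value: str) -> list[str]:
    """Only userinit.exe belongs in UserInit (the value Malwarebytes restored)."""
    entries = [_norm(e) for e in value.split(",") if e.strip()]
    return [e for e in entries if ntpath.basename(e) != "userinit.exe"]


def check_run_value(command: str) -> str | None:
    """O4 Run values should be command lines, not opaque data or temp files."""
    cmd = _norm(command)
    if re.fullmatch(r"[0-9a-f]{32,}.*", cmd):
        return "autorun value is not a command (opaque hex blob)"
    if any(m in cmd for m in TEMP_MARKERS):
        return "autorun from a temp directory"
    return None


def check_process(path: str) -> str | None:
    """Running-process list: svchost.exe outside system32, or anything in TEMP."""
    p = _norm(path)
    if ntpath.basename(p) == "svchost.exe" and ntpath.dirname(p) != SYSTEM32:
        return "svchost.exe running outside system32"
    if any(m in p for m in TEMP_MARKERS):
        return "process running from a temp directory"
    return None


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (severity, reason, log line) for every flagged line."""
    findings: list[tuple[str, str, str]] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            reason = check_process(line)
            if reason:
                findings.append(("high", reason, line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if kind == "F2" and "UserInit=" in body:
            extra = check_userinit(body.split("UserInit=", 1)[1])
            if extra:
                findings.append(("high", "UserInit hijack: " + ", ".join(extra), line))
        elif kind == "O4":
            cmd = body.split("] ", 1)[1] if "] " in body else body
            reason = check_run_value(cmd)
            if reason:
                findings.append(("high", reason, line))
        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            if body[len("AppInit_DLLs:"):].strip():
                findings.append(("medium", "AppInit_DLLs set: DLL loaded into every process that loads user32.dll", line))
        elif kind == "O23":
            sm = SERVICE_RE.match(body)
            if sm and sm.group(2) == "Unknown owner" and _norm(sm.group(3)).startswith(SYSTEM32 + "\\"):
                findings.append(("review", "service with no vendor string in system32", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Each flagged line still needs a human look: the "review" bucket deliberately catches legitimate unsigned drivers (the Broadcom wltrysvc.exe in the full log would land there too), so it is a queue for checking, not a delete list.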
06 April 2009 - 19:38 #3
Whoa, Malwarebytes did chop out quite a lot - there are probably more bandit elements left...
What on earth have you been up to???

HijackThis log in normal boot/startup...

<f-arn>: You just carry on ...
f-arn Guru
06 April 2009 - 19:50 #4
Isn't it possible to start in normal mode? You forgot to update Malwarebytes.

download: http://www.superantispyware.com/downloads/SUPERAntiSpyware1241.exe

Install it and let it update itself. Then let it run a complete system scan and let it remove what it finds.

After it has finished I'd like you to use CCleaner to clean the registry (the blue cube) before you make a new HJT log which you post here.
harisk Beginner
07 April 2009 - 13:01 #5
A bit more has been cleaned up now. Malwarebytes killed loads of stuff in normal mode. I can't run AntiSpyware in normal mode; it results in a blue screen and the machine restarts. I did manage to run it in safe mode, though.

I have run CCleaner and cleaned up lots of stuff.
However, I have a problem now: when the machine starts, it fails in svchost.exe, some memory that cannot be read. The same goes for my wireless card; it fails too. There must be a lot more that needs killing on the machine, maybe a virus that's messing about a bit??

What do I do now?

Many thanks for the help so far! :-)

HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:48, on 07-04-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programmer\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmer\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmer\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\Windows Live Toolbar\msntb.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [services] 63400A04031D427E16192C214A5D0D2D2035500531252544330C290B26AFDDA5DFE41A302510073256452D3B132807C0DB70DFA3B3A6B42060606020202020602020202060202020202060206035EAF1EEFFE4CF5E62032C213A312B3A49015E2C227C1F233D34113556525913191B35493C38310E710A393028326300402A1C09372E152D006D422C2BÔÛ/ (User '?')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FLLESF~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')
O4 - HKUS\S-1-5-18\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User '?')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] 63400A04031D427E16192C214A5D0D2D2035500531252544330C290B26AFDDA5DFE41A302510073256452D3B132807C0DB70DFA3B3A6B42060606020202020602020202060202020202060206035EAF1EEFFE4CF5E62032C213A312B3A49015E2C227C1F233D34113556525913191B35493C38310E710A393028326300402A1C09372E152D006D422C2BÔÛ/ (User '?')
O4 - HKUS\.DEFAULT\..\Run: [services] 63400A04031D427E16192C214A5D0D2D2035500531252544330C290B26AFDDA5DFE41A302510073256452D3B132807C0DB70DFA3B3A6B42060606020202020602020202060202020202060206035EAF1EEFFE4CF5E62032C213A312B3A49015E2C227C1F233D34113556525913191B35493C38310E710A393028326300402A1C09372E152D006D422C2BÔÛ/ (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] 63400A04031D427E16192C214A5D0D2D2035500531252544330C290B26AFDDA5DFE41A302510073256452D3B132807C0DB70DFA3B3A6B42060606020202020602020202060202020202060206035EAF1EEFFE4CF5E62032C213A312B3A49015E2C227C1F233D34113556525913191B35493C38310E710A393028326300402A1C09372E152D006D422C2BÔÛ/ (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmer\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Åbn på ny baggrundsfane - res://C:\Programmer\Windows Live Toolbar\Components\da-dk\msntabres.dll.mui/229?20538a579fcd4029a4e47ee3aec259d6
O8 - Extra context menu item: Åbn på ny forgrundsfane - res://C:\Programmer\Windows Live Toolbar\Components\da-dk\msntabres.dll.mui/230?20538a579fcd4029a4e47ee3aec259d6
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.biobooking.dk
O15 - Trusted Zone: http://www.toyotaextreme.dk
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {9DF01F00-08E7-4DBE-9070-94841463B3FE} (Util Class) - https://danid.dk/csp/authenticode/csp.exe
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} - https://udstedelse.certifikat.tdc.dk/csp/authenticode/tdccsp-0506.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = medialogic.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = medialogic.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programmer\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Tjenesten Background Intelligent Transfer (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmer\Java\jre6\bin\jqs.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6732 bytes

malware 1:

Malwarebytes' Anti-Malware 1.35
Database version: 1945
Windows 5.1.2600 Service Pack 3

07-04-2009 10:51:26
mbam-log-2009-04-07 (10-51-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 108906
Time elapsed: 24 minute(s), 12 second(s)

Memory Processes Infected: 6
Memory Modules Infected: 2
Registry Keys Infected: 14
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
C:\WINDOWS\Temp\BN3.tmp (Trojan.Kobcka) -> Unloaded process successfully.
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\system32\dpcxool64.sys (Spyware.OnlineGames) -> Unloaded process successfully.
C:\WINDOWS\system32\tdctxte.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\system32\3361\SVCHOST.EXE (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\6to4v32.dll (Dialer) -> Delete on reboot.
c:\WINDOWS\system32\Iasv32.dll (Dialer) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\6to4 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ias (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ias (Dialer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\at1394 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\at1394 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\at1394 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdctxte (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdctxte (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\services\del (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\6to4v32.dll (Dialer) -> Delete on reboot.
c:\WINDOWS\system32\Iasv32.dll (Dialer) -> Delete on reboot.
C:\WINDOWS\Temp\BN3.tmp (Trojan.Kobcka) -> Quarantined and deleted successfully.
C:\Documents and Settings\ny\Lokale indstillinger\Temp\Temporary Internet Files\Content.IE5\KWDIV1JB\form[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\abbkjpxt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\at1394.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Kobcka) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3361\SVCHOST.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tpszxyd.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpcxool64.sys (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\tdctxte.exe (Backdoor.Bot) -> Quarantined and deleted successfully.


malware 2 (forgot to fetch today's updates):
Malwarebytes' Anti-Malware 1.36
Database version: 1947
Windows 5.1.2600 Service Pack 3

07-04-2009 12:37:46
mbam-log-2009-04-07 (12-37-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 106979
Time elapsed: 22 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\BN1.tmp (Trojan.Kobcka) -> Quarantined and deleted successfully.
f-arn Guru
07 April 2009 - 14:27 #6
Find and upload this file at Jotti or VirusTotal:

c:\program Files\ThunMail\testabd.exe

http://virusscan.jotti.org/ - http://www.virustotal.com/en/indexf.html

Copy the result in here.

If my suspicion is confirmed, I don't think there is anything else to do but start completely from scratch.
harisk Beginner
07 April 2009 - 15:10 #7
here is the status from Jotti:
Scan taken on 07 Apr 2009 13:05:04 (GMT)
A-Squared     Found nothing
AntiVir     Found TR/Agent2.hhw
ArcaVir     Found nothing
Avast             Found Win32:Vitro
AVG Antivirus     Found nothing
BitDefender     Found nothing
ClamAV             Found nothing
CPsecure     Found nothing
Dr.Web             Found Win32.Virut.56
F-Prot Antivirus        Found W32/Virut.AI!Generic
F-Secure Anti-Virus     Found Virus.Win32.Virut.ce
Ikarus                     Found nothing
Kaspersky Anti-Virus     Found Virus.Win32.Virut.ce
NOD32                     Found Win32/Virut.NBM
Norman Virus Control     Found W32/Virut.CF
Panda Antivirus     Found nothing
Quick Heal             Found W32.Virut.G
Sophos Antivirus     Found Mal/WOWPWS-A, W32/Scribble-B
VirusBuster             Found nothing
VBA32                     Found nothing

from VirusTotal:
Antivirus      Version      Last Update      Result
a-squared    4.0.0.101    2009.04.07    -
AhnLab-V3    5.0.0.2    2009.04.07    -
AntiVir    7.9.0.138    2009.04.07    TR/Agent2.hhw
Antiy-AVL    2.0.3.1    2009.04.07    -
Authentium    5.1.2.4    2009.04.07    W32/Virut.AI!Generic
Avast    4.8.1335.0    2009.04.06    Win32:Vitro
AVG    8.5.0.285    2009.04.07    -
BitDefender    7.2    2009.04.07    -
CAT-QuickHeal    10.00    2009.04.07    W32.Virut.G
ClamAV    0.94.1    2009.04.07    -
Comodo    1102    2009.04.07    -
DrWeb    4.44.0.09170    2009.04.07    Win32.Virut.56
eSafe    7.0.17.0    2009.04.06    -
eTrust-Vet    31.6.6442    2009.04.07    -
F-Prot    4.4.4.56    2009.04.07    W32/Virut.AI!Generic
F-Secure    8.0.14470.0    2009.04.07    Virus.Win32.Virut.ce
Fortinet    3.117.0.0    2009.04.07    W32/Virut.CE
GData    19    2009.04.07    Win32:Vitro
Ikarus    T3.1.1.49.0    2009.04.07    -
K7AntiVirus    7.10.695    2009.04.07    -
Kaspersky    7.0.0.125    2009.04.07    Virus.Win32.Virut.ce
McAfee    5576    2009.04.06    W32/Virut.n.gen
McAfee+Artemis    5576    2009.04.06    W32/Virut.n.gen
McAfee-GW-Edition    6.7.6    2009.04.07    Trojan.Agent2.hhw
Microsoft    1.4502    2009.04.07    Virus:Win32/Virut.gen!E
NOD32    3992    2009.04.07    Win32/Virut.NBM
Norman    6.00.06    2009.04.07    W32/Virut.CF
nProtect    2009.1.8.0    2009.04.07    -
Panda    10.0.0.14    2009.04.06    -
PCTools    4.4.2.0    2009.04.07    -
Prevx1    V2    2009.04.07    -
Rising    21.24.12.00    2009.04.07    Trojan.PSW.Win32.WoWar.bfc
Sophos    4.40.0    2009.04.07    Mal/WOWPWS-A
Sunbelt    3.2.1858.2    2009.04.06    Virus.Win32.Virut.ce (v)
Symantec    1.4.4.12    2009.04.07    W32.Virut.CF
TheHacker    6.3.4.0.303    2009.04.07    -
TrendMicro    8.700.0.1004    2009.04.07    PAK_Generic.001
VBA32    3.12.10.2    2009.04.07    -
ViRobot    2009.4.7.1682    2009.04.07    Win32.Virut.AL
VirusBuster    4.6.5.0    2009.04.06    -
f-arn Guru
07 April 2009 - 15:32 #8
Yes - that was exactly what I was afraid of. Virut is absolutely one of the very worst you can get. My advice is a run of KillDisk followed by a complete reinstallation of all programs. Among other things it infects .exe, .scr, .htm, .html, .php and .asp files, so be careful what you copy off the machine.
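As an added example (not part of the thread or any poster's code), a small Python triage script that parses the multi-engine result table posted above, counts detections and extracts the family name most engines agree on; the sample rows are copied from that table, and the three-engine agreement threshold is an assumption of this example, not a VirusTotal rule.

```python
import re
from collections import Counter

# Sample input: a subset of the rows from the VirusTotal table posted above
# (columns: engine, version, last update, result; "-" means no detection).
SAMPLE_TABLE = """\
a-squared    4.0.0.101    2009.04.07    -
AntiVir    7.9.0.138    2009.04.07    TR/Agent2.hhw
Avast    4.8.1335.0    2009.04.06    Win32:Vitro
AVG    8.5.0.285    2009.04.07    -
DrWeb    4.44.0.09170    2009.04.07    Win32.Virut.56
F-Secure    8.0.14470.0    2009.04.07    Virus.Win32.Virut.ce
Kaspersky    7.0.0.125    2009.04.07    Virus.Win32.Virut.ce
McAfee    5576    2009.04.06    W32/Virut.n.gen
Microsoft    1.4502    2009.04.07    Virus:Win32/Virut.gen!E
Sophos    4.40.0    2009.04.07    Mal/WOWPWS-A
Sunbelt    3.2.1858.2    2009.04.06    Virus.Win32.Virut.ce (v)
Symantec    1.4.4.12    2009.04.07    W32.Virut.CF
"""

# Label tokens that name a type or platform rather than a malware family.
GENERIC = {"virus", "trojan", "win32", "w32", "tr", "mal", "psw", "pak", "generic"}

def parse_table(text):
    """Split the whitespace-aligned table into (engine, result) pairs."""
    rows = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) == 4 and not line.lower().startswith("antivirus"):
            rows.append((cols[0], cols[3]))
    return rows

def family(result):
    """Reduce a vendor-specific label to its family name, e.g. 'Virut'."""
    for tok in re.split(r"[./:!()_\s-]+", result):
        if tok and tok[0].isalpha() and tok.lower() not in GENERIC:
            return tok
    return "unknown"

def summarize(rows, min_agreeing=3):
    """Count detections and find the family most engines agree on.
    min_agreeing is an assumed triage threshold, not a VirusTotal rule."""
    hits = [r for _, r in rows if r != "-"]
    fams = Counter(family(r) for r in hits)
    top, n = fams.most_common(1)[0] if fams else ("none", 0)
    return {"engines": len(rows), "detections": len(hits), "families": dict(fams),
            "consensus": top, "confirmed": n >= min_agreeing}

print(summarize(parse_table(SAMPLE_TABLE)))
```

Paste the full table from the post into SAMPLE_TABLE to get the complete count; the header row is skipped automatically.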
harisk Beginner
07 April 2009 - 16:03 #9
damn... Well, there's nothing else to do then, it will get a fresh OS and everything else. This time with better protection than before...

Post an answer, and thanks for the help. :)
f-arn Guru
07 April 2009 - 16:53 #10
Yes, it's a pity. But I don't think there is anything else to do if you want a clean machine.