fengzebabz (Beginner)
20 May 2009 - 20:54 There are 12 comments

Help! Viruses found: W32.Tenga + W32.Cutwail-H

Hi experts.

I've got a virus. Avast Antivirus popped up and said that I had been infected with a virus. Now there is constantly a "Jonas.exe" (the same as my username) jumping up and down the process list. I ran a boot scan and it found W32.Tenga, after which it moved them to the "chest".

How do I get it removed with the right programs? I have scanned with Malwarebytes Anti-Malware, SUPERAntiSpyware and HijackThis, and here are some logs:

——————MALWARE-log——————-

Malwarebytes' Anti-Malware 1.36
Database version: 2157
Windows 5.1.2600 Service Pack 3

20-05-2009 18:13:34
mbam-log-2009-05-20 (18-13-29).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 175013
Time elapsed: 53 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digiwet.dll -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Jonas\Local Settings\Temp\pdfupd.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\digiwet.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\Temp\wpv011241292389.exe (Trojan.Agent) -> No action taken.

—————SUPER ANTISPYWARE-LOG————-

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/20/2009 at 06:49 PM

Application Version : 4.26.1002

Core Rules Database Version : 3902
Trace Rules Database Version: 1848

Scan type    : Complete Scan
Total Scan Time : 00:25:07

Memory items scanned    : 606
Memory threats detected  : 0
Registry items scanned  : 5864
Registry threats detected : 0
File items scanned    : 20300
File threats detected  : 0



—————HIJACK THIS-LOG—————-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:25:21, on 20-05-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Alwil Software\Avast423\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast423\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\PROGRA~1\ALWILS~1\Avast423\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
D:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
D:\Program Files\VOIPlay\voiplay.exe
C:\Documents and Settings\Jonas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Jonas\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Documents and Settings\Jonas\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Jonas\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Alwil Software\Avast423\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast423\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Jonas\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jonas\My Documents\Downloads\HiJackThis (1).exe
C:\Documents and Settings\Jonas\Jonas.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 83.140.176.146 thepiratebay.org http://www.thepiratebay.org
O1 - Hosts: 83.140.176.148 static.thepiratebay.org
O1 - Hosts: 83.140.176.150 upload.thepiratebay.org
O1 - Hosts: 83.140.176.149 rss.thepiratebay.org
O1 - Hosts: 83.140.176.157 captcha.thepiratebay.org
O1 - Hosts: 83.140.176.156 torrents.thepiratebay.org
O1 - Hosts: 77.247.176.134 tracker.thepiratebay.org open.tracker.thepiratebay.org
O1 - Hosts: 77.247.176.151 tpb.tracker.thepiratebay.org
O1 - Hosts: 77.247.176.153 eztv.tracker.thepiratebay.org vtv.tracker.thepiratebay.org a.tracker.thepiratebay.org
O1 - Hosts: 77.247.176.154 vip.tracker.thepiratebay.org tv.tracker.thepiratebay.org
O1 - Hosts: 88.80.6.166 mx.thepiratebay.org ns1.thepiratebay.org
O1 - Hosts: 83.140.176.159 ns0.thepiratebay.org
O1 - Hosts: 85.17.40.33 ns2.thepiratebay.org
O1 - Hosts: 217.75.120.120 ns3.thepiratebay.org
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast423\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AtiTrayTools] "D:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "D:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [VOIPlay] "D:\Program Files\VOIPlay\voiplay.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jonas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\Jonas\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [Jonas] C:\Documents and Settings\Jonas\Jonas.exe /i
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast423\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast423\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast423\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast423\ashWebSv.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe


End of file - 8186 bytes


Thanks in advance!

Best regards
Jonas
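Triage logic for the kind of log posted above, added here by the editor as a worked example; it is not part of the original thread. It runs over a constructed subset of the HijackThis lines (copied from the log) and flags the O4 Run entry whose binary sits directly in the user's profile root and is named after the user, which is the entry the first reply tells the poster to fix. It also checks the SecurityProviders value that Malwarebytes flagged against a baseline: the full REG_SZ is not in the log, so the sample value and the XP default list are both assumptions. An "Unknown file in Winsock LSP" line only means HijackThis has no whitelist entry for that DLL, so it is reported as informational rather than as a hit.

```python
import re
from typing import List, Tuple

# Constructed sample: a subset of lines copied from the HijackThis log above,
# so the triage runs offline on representative input.
HJT_SAMPLE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: 83.140.176.146 thepiratebay.org http://www.thepiratebay.org
O1 - Hosts: 77.247.176.134 tracker.thepiratebay.org open.tracker.thepiratebay.org
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast423\ashDisp.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jonas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Jonas] C:\Documents and Settings\Jonas\Jonas.exe /i
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
"""

# Constructed: the MBAM log only shows the offending data item (digiwet.dll);
# the full REG_SZ is assumed to be the XP default list plus that DLL.
SECURITY_PROVIDERS_VALUE = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll"
# Assumed baseline for Windows XP SP3; confirm against a clean install before relying on it.
XP_SECURITY_PROVIDERS_BASELINE = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# First .exe in the command, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)', re.IGNORECASE)
# An executable sitting directly in a user's profile root (not in a subfolder).
PROFILE_ROOT_RE = re.compile(
    r'^[a-z]:\\documents and settings\\(?P<user>[^\\]+)\\(?P<base>[^\\]+)\.exe$', re.IGNORECASE)

Finding = Tuple[str, str, str]  # (severity, HJT section, detail)


def triage_hjt(log_text: str) -> List[Finding]:
    """Walk HijackThis lines and return findings worth a human look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            exe_m = EXE_RE.match(m.group("cmd"))
            exe = exe_m.group("exe") if exe_m else m.group("cmd")
            pr = PROFILE_ROOT_RE.match(exe)
            if pr:
                # Installers put binaries under Program Files or Application Data,
                # not in the profile root; a Run entry pointing there is a strong lead.
                why = "autostart binary sits directly in a user profile root"
                if pr.group("base").lower() == pr.group("user").lower():
                    why += " and is named after the user"
                findings.append(("HIGH", "O4", f"{exe}: {why}"))
            continue
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(("LOW", "O2", "orphaned BHO registration: " + line))
        elif line.startswith("O1 - Hosts:"):
            findings.append(("INFO", "O1", "hosts override: " + line[len("O1 - Hosts: "):]))
        elif line.startswith("O10 - Unknown file in Winsock LSP:"):
            # 'Unknown' means HijackThis has no whitelist entry, not that the DLL is bad.
            findings.append(("INFO", "O10", "LSP not in HijackThis whitelist, verify signer: "
                             + line.split(": ", 1)[1]))
        elif line.startswith("R0 -") and line.endswith("="):
            findings.append(("INFO", "R0", "empty IE search setting; harmless"))
    return findings


def extra_security_providers(value: str, baseline=XP_SECURITY_PROVIDERS_BASELINE) -> List[str]:
    """DLLs in the SecurityProviders value that are not in the baseline.
    Every DLL listed there is loaded into lsass at boot, which is why it is a persistence spot."""
    known = {b.lower() for b in baseline}
    return [p.strip() for p in value.split(",") if p.strip() and p.strip().lower() not in known]


if __name__ == "__main__":
    for sev, tag, detail in triage_hjt(HJT_SAMPLE):
        print(f"[{sev:4}] {tag:3} {detail}")
    print("extra SecurityProviders:", extra_security_providers(SECURITY_PROVIDERS_VALUE))
```

The Google Update entry is deliberately in the sample: it also lives under Documents and Settings, but in a subfolder, and the profile-root rule leaves it alone. That is the distinction a triage rule needs, because per-user installers are legitimate there while a bare executable in the profile root almost never is.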
f-arn (Guru)
20 May 2009 - 21:36 #1
Download and save ComboFix to your desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Right-click on the desktop and choose New -> Text Document, copy the contents between the lines into it and save the file as CFScript.txt

Make sure it does not end up being called CFScript.txt.txt

--------------

Killall::

Snapshot::

File::
C:\Documents and Settings\Jonas\Jonas.exe

Hosts::

-------------

Start HijackThis, click "Do a system scan only" and tick the following:

O4 - HKCU\..\Run: [Jonas] C:\Documents and Settings\Jonas\Jonas.exe /i

Then close all other windows and click "Fix checked".

Since ComboFix can conflict with your antivirus, it is important that you disable it.

Then grab CFScript.txt with the mouse, drag it onto the ComboFix file and release it.
http://www.fromsej.saknet.dk/billeder/cfscript.gif

ComboFix should then start working. It may require a reboot, which you should allow. You should not click on the window while the tool is running, as it can cause your computer to freeze.
When ComboFix is finished, and after it has (possibly) rebooted, a log file should open: combofix.txt, which is located at C:\ComboFix.txt

Please post the contents of that file here.
fengzebabz (Beginner)
20 May 2009 - 22:23 #2
Perfect, f-arn. Good guidance.


----- COMBOFIX-LOG -----

ComboFix 09-05-20.01 - Jonas 20-05-2009 22:03.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.45.1033.18.1022.446 [GMT 2:00]
Running from: c:\documents and settings\Jonas\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jonas\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090519-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\documents and settings\Jonas\Jonas.exe
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jonas\Application Data\inst.exe
c:\documents and settings\Jonas\Jonas.exe
c:\windows\system32\drivers\acpi32.sys
c:\windows\system32\msconfig.exe

.
(((((((((((((((((((((((((((((((((((((((  Drivers/Services  )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACPI32
-------\Service_acpi32


(((((((((((((((((((((((((((((  Files Created from 2009-04-20 to 2009-05-20  )))))))))))))))))))))))))))))))))))
.

2009-05-20 15:13 . 2009-05-20 15:13    --------    d-----w    c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-20 15:13 . 2009-05-20 15:13    --------    d-----w    c:\documents and settings\Jonas\Application Data\SUPERAntiSpyware.com
2009-05-20 15:11 . 2009-05-20 15:11    --------    d-----w    c:\documents and settings\Jonas\Application Data\Malwarebytes
2009-05-20 15:11 . 2009-04-06 13:32    15504    ----a-w    c:\windows\system32\drivers\mbam.sys
2009-05-20 15:11 . 2009-04-06 13:32    38496    ----a-w    c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-20 15:11 . 2009-05-20 15:11    --------    d-----w    c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-18 23:34 . 2009-05-18 23:34    --------    d-----w    c:\documents and settings\All Users\Application Data\id Software
2009-05-08 23:06 . 2009-05-08 23:06    410984    ----a-w    c:\windows\system32\deploytk.dll
2009-05-07 19:00 . 2009-05-07 19:00    --------    d-----w    c:\documents and settings\Jonas\Application Data\Octoshape
2009-04-25 22:58 . 1999-11-14 13:41    86016    ----a-w    c:\windows\unvise32.exe
2009-04-22 01:00 . 2009-03-10 20:18    453512    ----a-w    c:\windows\system32\KB905474\wgasetup.exe
2009-04-22 01:00 . 2009-04-22 01:00    --------    d-----w    c:\windows\system32\KB905474
2009-04-22 01:00 . 2009-03-10 20:26    1403264    ----a-w    c:\windows\system32\KB905474\wganotifypackageinner.exe

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 15:12 . 2007-05-19 19:19    --------    d-----w    c:\program files\Common Files\Wise Installation Wizard
2009-05-19 21:50 . 2009-04-20 15:45    138944    ----a-w    c:\windows\system32\drivers\PnkBstrK.sys
2009-05-19 21:50 . 2009-04-20 15:45    189784    ----a-w    c:\windows\system32\PnkBstrB.exe
2009-05-18 23:34 . 2009-04-20 15:45    22328    ----a-w    c:\documents and settings\Jonas\Application Data\PnkBstrK.sys
2009-05-18 23:34 . 2009-04-20 15:45    2246144    ----a-w    c:\windows\system32\pbsvc.exe
2009-05-08 23:06 . 2007-05-13 21:51    --------    d-----w    c:\program files\Java
2009-05-08 14:40 . 2008-11-25 14:05    --------    d-----w    c:\program files\Spybot - Search & Destroy
2009-04-20 15:49 . 2009-04-20 15:45    75064    ----a-w    c:\windows\system32\PnkBstrA.exe
2009-04-19 20:25 . 2006-11-20 08:50    143872    ----a-w    c:\windows\system32\drivers\usbport.sys
2009-04-19 20:25 . 2009-04-19 20:25    55808    ----a-w    c:\windows\devcon.exe
2009-04-19 20:06 . 2009-04-19 18:43    --------    d-----w    c:\program files\Unlocker
2009-04-19 19:38 . 2007-05-14 14:20    16864    ----a-w    c:\windows\system32\spupdsvc.exe
2009-04-19 19:38 . 2006-04-12 01:27    2066042    ----a-w    c:\windows\system32\ntkrnlpa.exe
2009-04-19 19:38 . 2004-08-03 23:56    110512    ----a-w    c:\windows\system32\services.exe
2009-04-19 19:38 . 2001-08-23 12:00    34848    ----a-w    c:\windows\system32\sc.exe
2009-04-19 19:33 . 2008-07-10 13:28    --------    d-----w    c:\program files\Norton Security Scan
2009-04-19 19:24 . 2009-04-19 19:24    --------    d-----w    c:\program files\Hotspot Shield
2009-04-19 19:24 . 2009-04-19 19:24    --------    d-----w    c:\program files\Serv-U
2009-04-19 19:08 . 2009-04-19 19:08    --------    d-----w    c:\program files\Alwil Software
2009-03-06 14:22 . 2004-08-03 23:56    284160    ----a-w    c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2006-11-20 08:50    666112    ----a-w    c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-03 23:56    81920    ----a-w    c:\windows\system32\ieencode.dll
2008-04-07 07:07 . 2007-06-02 11:52    67696    ----a-w    c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 07:07 . 2007-06-02 11:52    54376    ----a-w    c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 07:07 . 2007-06-02 11:52    34952    ----a-w    c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 07:07 . 2007-06-02 11:52    46720    ----a-w    c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 07:07 . 2007-06-02 11:52    172144    ----a-w    c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

  • 2009-04-19 19:38    2066170    C97077C0F4C4E7EFE4E655778514DEE2    c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 09:33    2066048    4AC58F03EB94A72809949D757FC39D80    c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[7] 2008-08-14 13:39    2066048    A25E9B86EFFB2AF33BF51E676B68BFB0    c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
  • 2006-11-20 08:57    2058368    D20855E9A650415E4F65E0CE249839BD    c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[7] 2008-08-14 09:33    2066048    4AC58F03EB94A72809949D757FC39D80    c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[7] 2008-04-13 18:31    2065792    109F8E3E3C82E337BB71B6BC9B895D61    c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
  • 2007-02-27 23:15    2059392    4D3DBDCCBF97F5BA1E74F322B155C3BA    c:\windows\$NtUninstallKB956841_0$\ntkrnlpa.exe
  • 2009-04-19 19:38    2066042    2280F2E13CAD828B3B915337CF22A8BF    c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2008-04-13 18:31    2065792    109F8E3E3C82E337BB71B6BC9B895D61    c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
  • 2009-04-19 19:38    2066042    2280F2E13CAD828B3B915337CF22A8BF    c:\windows\system32\ntkrnlpa.exe
  • 2009-04-19 19:38    2066042    2280F2E13CAD828B3B915337CF22A8BF    c:\windows\system32\dllcache\ntkrnlpa.exe

  • 2009-04-19 19:38    110512    C412D6838A253D06B90334DE9CEA71FE    c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2008-04-14 00:12    108544    0E776ED5F7CC9F94299E70461B7B8185    c:\windows\$NtUninstallKB956572$\services.exe
[7] 2008-04-14 00:12    108544    0E776ED5F7CC9F94299E70461B7B8185    c:\windows\ServicePackFiles\i386\services.exe
  • 2009-04-19 19:38    110512    D1F469364AF8A7DA6A463E2F4B1E894D    c:\windows\system32\services.exe
  • 2009-04-19 19:38    110512    D1F469364AF8A7DA6A463E2F4B1E894D    c:\windows\system32\dllcache\services.exe
.
(((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2008-12-01 20:12    204248    ----a-w    c:\program files\Hotspot Shield\HssIE\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"AtiTrayTools"="d:\program files\Ray Adams\ATI Tray Tools\atitray.exe" [2008-09-15 585728]
"FreeRAM XP"="d:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-22 1591808]
"VOIPlay"="d:\program files\VOIPlay\voiplay.exe" [2009-03-17 1259296]
"Google Update"="c:\documents and settings\Jonas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-19 133104]
"Octoshape Streaming Services"="c:\documents and settings\Jonas\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-20 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-08 148888]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"avast!"="d:\progra~1\ALWILS~1\Avast423\ashDisp.exe" [2009-02-05 81000]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-11-17 577536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2009-05-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-05-20 16:22    356352    ----a-w    d:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ      autocheck autochk *\0SsiEfr.ex

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Hurtigstart.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Hurtigstart.lnk
backup=c:\windows\pss\Adobe Reader Hurtigstart.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jonas^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Jonas\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jonas^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Jonas\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jonas^Start Menu^Programs^Startup^Registration Prince of Persia T2T.LNK]
path=c:\documents and settings\Jonas\Start Menu\Programs\Startup\Registration Prince of Persia T2T.LNK
backup=c:\windows\pss\Registration Prince of Persia T2T.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Spooler"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"SavRoam"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Program Files\\Steam\\steamapps\\kingzey\\counter-strike\\hl.exe"=
"d:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"d:\\Program Files\\Steam\\steamapps\\kingzey\\day of defeat\\hl.exe"=
"d:\\Program Files\\Steam\\steamapps\\kingzey\\team fortress classic\\hl.exe"=
"d:\\Program Files\\Hamachi\\hamachi.exe"=
"d:\\Team17\\Worms World Party\\wwp.exe"=
"d:\\Program Files\\TVU Player\\TVUPlayer.exe"=
"d:\\Program Files\\Steam\\steamapps\\kingzey\\half-life\\hl.exe"=
"d:\\Program Files\\Steam\\Steam.exe"=
"d:\\Program Files\\Steam\\steamapps\\kingzey\\ricochet\\hl.exe"=
"d:\\Ting og sager\\Spil\\Need for Speed Underground 2\\speed2.exe"=
"d:\\Program Files\\Steam\\steamapps\\dicxo\\counter-strike\\hl.exe"=
"d:\\Program Files\\Steam\\steamapps\\dicxo\\day of defeat\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\HLSW\\hlsw.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Q3Ademo\\quake3.exe"=
"d:\\Program Files\\Steam\\steamapps\\dicxo\\half-life\\hl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9477:TCP"= 9477:TCP:BitComet 9477 TCP
"9477:UDP"= 9477:UDP:BitComet 9477 UDP
"66:TCP"= 66:TCP:FileZilla port

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [07-01-2003 11:01 77056]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [19-04-2009 21:44 114768]
R1 atitray;atitray;d:\program files\Ray Adams\ATI Tray Tools\atitray.sys [08-09-2008 20:32 18336]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\SASDIFSV.SYS [29-02-2008 16:03 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [29-02-2008 16:03 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [19-04-2009 21:44 20560]
R3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5bv.sys [09-05-2007 20:28 45568]
R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [16-02-2006 16:51 4096]
S3 EraserUtilDrv10910;EraserUtilDrv10910;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [?]
S4 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" --> c:\program files\Symantec AntiVirus\SavRoam.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-05-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-05-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1960408961-682003330-1003.job
- c:\documents and settings\Jonas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-19 19:34]

2009-05-20 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 20:18]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jonas\Application Data\Mozilla\Firefox\Profiles\xor18r9n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.dk/ig
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----

// This one makes a huge difference. Last value in milliseconds (default is 250)
FF - user.js: nglayout.initialpaint.delay - 0
// Enable pipelining:
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 100.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-20 22:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-299502267-1960408961-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:9f,bb,51,73,e8,c0,1d,0f,ef,23,cb,bc,98,bd,98,45,5c,9f,0e,19,fd,57,0d,
  79,10,09,f0,1a,ff,d4,05,f5,b6,2e,73,01,9b,00,5d,8e,c2,05,d8,fa,c0,f9,50,c8,\
"??"=hex:cc,5b,db,82,08,34,e4,eb,84,dd,d5,8e,72,cb,22,a6
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1188)
d:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4020)
d:\program files\VOIPlay\hud_hook_2060.dll
d:\program files\Ray Adams\ATI Tray Tools\raphook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
d:\program files\Alwil Software\Avast423\aswUpdSv.exe
d:\program files\Alwil Software\Avast423\ashServ.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
d:\program files\Alwil Software\Avast423\ashMaiSv.exe
d:\program files\Alwil Software\Avast423\ashWebSv.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-05-20 22:09 - machine was rebooted
ComboFix-quarantined-files.txt  2009-05-20 20:09

Pre-Run: 11,375,837,184 bytes free
Post-Run: 11,274,285,056 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
262    --- E O F ---    2009-05-14 01:02
20 May 2009 - 23:27 #3
*SIGH* ->
d:\Program Files\BitComet\BitComet.exe
d:\Program Files\LimeWire\LimeWire.exe
fengzebabz (Beginner)
21 May 2009 - 03:22 #4
Constructive.
f-arn (Guru)
21 May 2009 - 07:24 #5
Find and upload these files to Jotti or VirusTotal:

c:\windows\system32\ntkrnlpa.exe
c:\windows\system32\services.exe

http://virusscan.jotti.org/ - http://www.virustotal.com/en/indexf.html

You may have to turn on "show hidden files and folders".

If you don't know how, see here:
http://www.it-artikler.dk/2008/03/05/vis-skjulte-filer-og-mapper/

Copy the result in here.

Do you have an original Windows XP CD? You will most likely need the Recovery Console.
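A hash comparison over the Sigcheck section of the ComboFix log in #2, added by the editor as an example and not part of the original thread; it is the offline counterpart of the Jotti/VirusTotal check requested here. The sample lines are copied from that log (ntkrnlpa.exe and services.exe only). ComboFix prints [7] on copies whose hash it recognised; the script treats lines with any other marker as unverified, which is an assumption about the marker convention rather than something the log explains. For each file it compares the copy in system32 with the [7] copies and reports when the live hash matches none of them, and digest_bytes/file_hashes produce the MD5 and SHA-256 you would look up on VirusTotal without uploading anything. A mismatch is a lead, not a verdict: ServicePackFiles holds the pre-hotfix build, and a hotfix ships separate GDR and QFE builds with different hashes, so the live file has to be checked against the hash of the exact update that was installed, or scanned the way the thread does.

```python
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the Sigcheck section of the ComboFix log
# above. "[7]" is ComboFix's marker for a copy whose hash it recognised; the bullet
# is whatever marker the other lines carried in this copy of the log (assumption).
SIGCHECK_SAMPLE = r"""
  • 2009-04-19 19:38    2066170    C97077C0F4C4E7EFE4E655778514DEE2    c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 09:33    2066048    4AC58F03EB94A72809949D757FC39D80    c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[7] 2008-04-13 18:31    2065792    109F8E3E3C82E337BB71B6BC9B895D61    c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
  • 2009-04-19 19:38    2066042    2280F2E13CAD828B3B915337CF22A8BF    c:\windows\system32\ntkrnlpa.exe
  • 2009-04-19 19:38    2066042    2280F2E13CAD828B3B915337CF22A8BF    c:\windows\system32\dllcache\ntkrnlpa.exe
[7] 2008-04-14 00:12    108544    0E776ED5F7CC9F94299E70461B7B8185    c:\windows\ServicePackFiles\i386\services.exe
  • 2009-04-19 19:38    110512    D1F469364AF8A7DA6A463E2F4B1E894D    c:\windows\system32\services.exe
"""

LINE_RE = re.compile(
    r'^\s*(?P<mark>\[7\]|\S)\s+(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+'
    r'(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*?)\s*$')


def parse_sigcheck(text: str) -> Dict[str, List[dict]]:
    """Group Sigcheck lines by file name; each entry keeps marker, size, MD5 and path."""
    by_name: Dict[str, List[dict]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = dict(verified=(m["mark"] == "[7]"), size=int(m["size"]),
                     md5=m["md5"].upper(), path=m["path"])
        by_name[m["path"].rsplit("\\", 1)[-1].lower()].append(entry)
    return dict(by_name)


def live_copy_mismatches(by_name: Dict[str, List[dict]],
                         live_dir: str = "c:\\windows\\system32\\") -> List[Tuple[str, str, List[str]]]:
    """(name, live_md5, verified_md5s) for every live copy whose hash matches no [7] copy."""
    out = []
    for name, entries in sorted(by_name.items()):
        live = [e for e in entries if e["path"].lower() == (live_dir + name).lower()]
        verified = sorted({e["md5"] for e in entries if e["verified"]})
        for e in live:
            if e["md5"] not in verified:
                out.append((name, e["md5"], verified))
    return out


def digest_bytes(data: bytes) -> Tuple[str, str]:
    """MD5 (upper-case, as ComboFix prints it) and SHA-256 of a byte string."""
    return hashlib.md5(data).hexdigest().upper(), hashlib.sha256(data).hexdigest()


def file_hashes(path: str, chunk: int = 1 << 20) -> Tuple[str, str]:
    """Same digests for a file on disk, streamed so a 2 MB kernel image is not a problem."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest().upper(), sha.hexdigest()


if __name__ == "__main__":
    groups = parse_sigcheck(SIGCHECK_SAMPLE)
    for name, live_md5, verified in live_copy_mismatches(groups):
        print(f"{name}: live copy {live_md5} matches none of {verified}")
```

Both files come out as mismatches on this input, which is exactly the state of the log: neither live copy has a hash among the copies ComboFix recognised, and the KB956572 copy next to them carries a third hash. That is why the thread falls back to multi-engine scanning rather than concluding from the hashes alone.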
fengzebabz (Beginner)
21 May 2009 - 13:09 #6
----- SCAN OF c:\windows\system32\ntkrnlpa.exe -----

AntiVir    7.9.0.168    2009.05.20    HEUR/Malware
McAfee-GW-Edition    6.7.6    2009.05.21    Heuristic.Malware

Those are the two that were found.


----- SCAN OF c:\windows\system32\services.exe -----

File services.exe received on 05.21.2009 13:07:23 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/39 (0%)


Unfortunately not. ComboFix.exe also asked for the Recovery Console, but I don't have it. Is it necessary? And does the CD have to be an original?
f-arn (Guru)
21 May 2009 - 14:22 #7
You can probably get ComboFix to create the Recovery Console. Download a fresh copy and follow the instructions, but say yes when it offers to install the Recovery Console. What I meant with the XP question was whether you have an XP CD or just a recovery CD. Before you run ComboFix you should back up e-mail, documents and anything else you want to keep, since things can go wrong.
f-arn (Guru)
21 May 2009 - 14:24 #8
This time just start ComboFix. No CFScript.txt.
fengzebabz (Beginner)
21 May 2009 - 14:43 #9
ComboFix says it can't find a download path for the console? So an XP CD is necessary, then?

Here is the ComboFix log:

----- COMBOFIX ------

ComboFix 09-05-20.A0 - Jonas 21-05-2009 14:38.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.45.1033.18.1022.589 [GMT 2:00]
Running from: c:\documents and settings\Jonas\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090520-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

advarsel -DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !!
.

(((((((((((((((((((((((((((((  Filer skabt fra 2009-04-21 til 2009-05-21  )))))))))))))))))))))))))))))))))))
.

2009-05-20 15:13 . 2009-05-20 15:13    --------    d-----w    c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-20 15:13 . 2009-05-20 15:13    --------    d-----w    c:\documents and settings\Jonas\Application Data\SUPERAntiSpyware.com
2009-05-20 15:11 . 2009-05-20 15:11    --------    d-----w    c:\documents and settings\Jonas\Application Data\Malwarebytes
2009-05-20 15:11 . 2009-04-06 13:32    15504    ----a-w    c:\windows\system32\drivers\mbam.sys
2009-05-20 15:11 . 2009-04-06 13:32    38496    ----a-w    c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-20 15:11 . 2009-05-20 15:11    --------    d-----w    c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-18 23:34 . 2009-05-18 23:34    --------    d-----w    c:\documents and settings\All Users\Application Data\id Software
2009-05-08 23:06 . 2009-05-08 23:06    410984    ----a-w    c:\windows\system32\deploytk.dll
2009-05-07 19:00 . 2009-05-07 19:00    --------    d-----w    c:\documents and settings\Jonas\Application Data\Octoshape
2009-04-25 22:58 . 1999-11-14 13:41    86016    ----a-w    c:\windows\unvise32.exe
2009-04-22 01:00 . 2009-03-10 20:18    453512    ----a-w    c:\windows\system32\KB905474\wgasetup.exe
2009-04-22 01:00 . 2009-04-22 01:00    --------    d-----w    c:\windows\system32\KB905474
2009-04-22 01:00 . 2009-03-10 20:26    1403264    ----a-w    c:\windows\system32\KB905474\wganotifypackageinner.exe

.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 15:12 . 2007-05-19 19:19    --------    d-----w    c:\program files\Common Files\Wise Installation Wizard
2009-05-19 21:50 . 2009-04-20 15:45    138944    ----a-w    c:\windows\system32\drivers\PnkBstrK.sys
2009-05-19 21:50 . 2009-04-20 15:45    189784    ----a-w    c:\windows\system32\PnkBstrB.exe
2009-05-18 23:34 . 2009-04-20 15:45    22328    ----a-w    c:\documents and settings\Jonas\Application Data\PnkBstrK.sys
2009-05-18 23:34 . 2009-04-20 15:45    2246144    ----a-w    c:\windows\system32\pbsvc.exe
2009-05-08 23:06 . 2007-05-13 21:51    --------    d-----w    c:\program files\Java
2009-05-08 14:40 . 2008-11-25 14:05    --------    d-----w    c:\program files\Spybot - Search & Destroy
2009-04-20 15:49 . 2009-04-20 15:45    75064    ----a-w    c:\windows\system32\PnkBstrA.exe
2009-04-19 20:25 . 2006-11-20 08:50    143872    ----a-w    c:\windows\system32\drivers\usbport.sys
2009-04-19 20:25 . 2009-04-19 20:25    55808    ----a-w    c:\windows\devcon.exe
2009-04-19 20:06 . 2009-04-19 18:43    --------    d-----w    c:\program files\Unlocker
2009-04-19 19:38 . 2007-05-14 14:20    16864    ----a-w    c:\windows\system32\spupdsvc.exe
2009-04-19 19:38 . 2006-04-12 01:27    2066042    ----a-w    c:\windows\system32\ntkrnlpa.exe
2009-04-19 19:38 . 2004-08-03 23:56    110512    ----a-w    c:\windows\system32\services.exe
2009-04-19 19:38 . 2001-08-23 12:00    34848    ----a-w    c:\windows\system32\sc.exe
2009-04-19 19:33 . 2008-07-10 13:28    --------    d-----w    c:\program files\Norton Security Scan
2009-04-19 19:24 . 2009-04-19 19:24    --------    d-----w    c:\program files\Hotspot Shield
2009-04-19 19:24 . 2009-04-19 19:24    --------    d-----w    c:\program files\Serv-U
2009-04-19 19:08 . 2009-04-19 19:08    --------    d-----w    c:\program files\Alwil Software
2009-03-06 14:22 . 2004-08-03 23:56    284160    ----a-w    c:\windows\system32\pdh.dll
2008-04-07 07:07 . 2007-06-02 11:52    67696    ----a-w    c:\program files\mozilla firefox\components\jar50.dll
2008-04-07 07:07 . 2007-06-02 11:52    54376    ----a-w    c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-07 07:07 . 2007-06-02 11:52    34952    ----a-w    c:\program files\mozilla firefox\components\myspell.dll
2008-04-07 07:07 . 2007-06-02 11:52    46720    ----a-w    c:\program files\mozilla firefox\components\spellchk.dll
2008-04-07 07:07 . 2007-06-02 11:52    172144    ----a-w    c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

  • 2009-04-19 19:38    2066170    C97077C0F4C4E7EFE4E655778514DEE2    c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 09:33    2066048    4AC58F03EB94A72809949D757FC39D80    c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[7] 2008-08-14 13:39    2066048    A25E9B86EFFB2AF33BF51E676B68BFB0    c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
  • 2006-11-20 08:57    2058368    D20855E9A650415E4F65E0CE249839BD    c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[7] 2008-08-14 09:33    2066048    4AC58F03EB94A72809949D757FC39D80    c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[7] 2008-04-13 18:31    2065792    109F8E3E3C82E337BB71B6BC9B895D61    c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
  • 2007-02-27 23:15    2059392    4D3DBDCCBF97F5BA1E74F322B155C3BA    c:\windows\$NtUninstallKB956841_0$\ntkrnlpa.exe
  • 2009-04-19 19:38    2066042    2280F2E13CAD828B3B915337CF22A8BF    c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2008-04-13 18:31    2065792    109F8E3E3C82E337BB71B6BC9B895D61    c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
  • 2009-04-19 19:38    2066042    2280F2E13CAD828B3B915337CF22A8BF    c:\windows\system32\ntkrnlpa.exe
  • 2009-04-19 19:38    2066042    2280F2E13CAD828B3B915337CF22A8BF    c:\windows\system32\dllcache\ntkrnlpa.exe

  • 2009-04-19 19:38    110512    C412D6838A253D06B90334DE9CEA71FE    c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2008-04-14 00:12    108544    0E776ED5F7CC9F94299E70461B7B8185    c:\windows\$NtUninstallKB956572$\services.exe
[7] 2008-04-14 00:12    108544    0E776ED5F7CC9F94299E70461B7B8185    c:\windows\ServicePackFiles\i386\services.exe
  • 2009-04-19 19:38    110512    D1F469364AF8A7DA6A463E2F4B1E894D    c:\windows\system32\services.exe
  • 2009-04-19 19:38    110512    D1F469364AF8A7DA6A463E2F4B1E894D    c:\windows\system32\dllcache\services.exe
.
(((((((((((((((((((((((((((((((((((  Start steder i reg.basen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2008-12-01 20:12    204248    ----a-w    c:\program files\Hotspot Shield\HssIE\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"AtiTrayTools"="d:\program files\Ray Adams\ATI Tray Tools\atitray.exe" [2008-09-15 585728]
"FreeRAM XP"="d:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-22 1591808]
"VOIPlay"="d:\program files\VOIPlay\voiplay.exe" [2009-03-17 1259296]
"Google Update"="c:\documents and settings\Jonas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-19 133104]
"Octoshape Streaming Services"="c:\documents and settings\Jonas\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]
"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-20 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-08 148888]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"avast!"="d:\progra~1\ALWILS~1\Avast423\ashDisp.exe" [2009-02-05 81000]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2006-11-17 577536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2009-05-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-05-20 16:22    356352    ----a-w    d:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ      autocheck autochk *\0SsiEfr.ex

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Hurtigstart.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Hurtigstart.lnk
backup=c:\windows\pss\Adobe Reader Hurtigstart.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jonas^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Jonas\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jonas^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Jonas\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jonas^Start Menu^Programs^Startup^Registration Prince of Persia T2T.LNK]
path=c:\documents and settings\Jonas\Start Menu\Programs\Startup\Registration Prince of Persia T2T.LNK
backup=c:\windows\pss\Registration Prince of Persia T2T.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Spooler"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"SavRoam"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Program Files\\Steam\\steamapps\\kingzey\\counter-strike\\hl.exe"=
"d:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\The All-Seeing Eye\\eye.exe"=
"d:\\Program Files\\Steam\\steamapps\\kingzey\\day of defeat\\hl.exe"=
"d:\\Program Files\\Steam\\steamapps\\kingzey\\team fortress classic\\hl.exe"=
"d:\\Program Files\\Hamachi\\hamachi.exe"=
"d:\\Team17\\Worms World Party\\wwp.exe"=
"d:\\Program Files\\TVU Player\\TVUPlayer.exe"=
"d:\\Program Files\\Steam\\steamapps\\kingzey\\half-life\\hl.exe"=
"d:\\Program Files\\Steam\\Steam.exe"=
"d:\\Program Files\\Steam\\steamapps\\kingzey\\ricochet\\hl.exe"=
"d:\\Ting og sager\\Spil\\Need for Speed Underground 2\\speed2.exe"=
"d:\\Program Files\\Steam\\steamapps\\dicxo\\counter-strike\\hl.exe"=
"d:\\Program Files\\Steam\\steamapps\\dicxo\\day of defeat\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\HLSW\\hlsw.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Q3Ademo\\quake3.exe"=
"d:\\Program Files\\Steam\\steamapps\\dicxo\\half-life\\hl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9477:TCP"= 9477:TCP:BitComet 9477 TCP
"9477:UDP"= 9477:UDP:BitComet 9477 UDP
"66:TCP"= 66:TCP:FileZilla port

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [07-01-2003 11:01 77056]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [19-04-2009 21:44 114768]
R1 atitray;atitray;d:\program files\Ray Adams\ATI Tray Tools\atitray.sys [08-09-2008 20:32 18336]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\SASDIFSV.SYS [29-02-2008 16:03 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [29-02-2008 16:03 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [19-04-2009 21:44 20560]
R3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5bv.sys [09-05-2007 20:28 45568]
R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [16-02-2006 16:51 4096]
S3 EraserUtilDrv10910;EraserUtilDrv10910;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [?]
S4 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" --> c:\program files\Symantec AntiVirus\SavRoam.exe [?]
.
Indhold af mappen 'Planlagte Opgaver'

2009-05-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-299502267-1960408961-682003330-1003.job
- c:\documents and settings\Jonas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-19 19:34]

2009-05-20 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 20:18]
.
.
------- Yderligere scanning -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jonas\Application Data\Mozilla\Firefox\Profiles\xor18r9n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.dk/ig
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLITIKKER ----

// This one makes a huge difference. Last value in milliseconds (default is 250)
FF - user.js: nglayout.initialpaint.delay - 0
// Enable pipelining:
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 100.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 14:40
Windows 5.1.2600 Service Pack 3 NTFS

scanner skjulte processer ... 

scanner skjulte autostarter ...

scanner skjulte filer ... 

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
--------------------- LÅSTE REGISTRERINGS NØGLER ---------------------

[HKEY_USERS\S-1-5-21-299502267-1960408961-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:9f,bb,51,73,e8,c0,1d,0f,ef,23,cb,bc,98,bd,98,45,5c,9f,0e,19,fd,57,0d,
  79,10,09,f0,1a,ff,d4,05,f5,b6,2e,73,01,9b,00,5d,8e,c2,05,d8,fa,c0,f9,50,c8,\
"??"=hex:cc,5b,db,82,08,34,e4,eb,84,dd,d5,8e,72,cb,22,a6
.
--------------------- DLLs startet under kørende Processer ---------------------

- - - - - - - > 'winlogon.exe'(1188)
d:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(484)
d:\program files\VOIPlay\hud_hook_2060.dll
d:\program files\Ray Adams\ATI Tray Tools\raphook.dll
.
Gennemført tid: 2009-05-21 14:41
ComboFix-quarantined-files.txt  2009-05-21 12:41
ComboFix2.txt  2009-05-20 20:09

Pre-Kørsel: 11.254.853.632 bytes free
Post-Kørsel: 11.239.653.376 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
231    --- E O F ---    2009-05-14 01:02
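The Sigcheck block in the log above lists several copies of ntkrnlpa.exe and services.exe with their MD5s, and the question in this thread is whether the copies Windows actually loads still match known-good ones. As an added example (not part of the thread and not ComboFix's own code), this script parses that block and flags the copies under system32 whose hash matches none of the catalogue-verified copies of the same file; it assumes ComboFix's "[7]" marker means catalogue-verified and any other marker means unverified.

```python
"""Parse the Sigcheck section of a ComboFix log and flag live system files
whose MD5 matches none of the catalogue-verified copies of the same file.
Assumption: "[7]" is ComboFix's verified mark; any other mark means unverified."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: the Sigcheck lines for the two files from the log above.
SIGCHECK_SAMPLE = r"""
  • 2009-04-19 19:38    2066170    C97077C0F4C4E7EFE4E655778514DEE2    c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 09:33    2066048    4AC58F03EB94A72809949D757FC39D80    c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[7] 2008-04-13 18:31    2065792    109F8E3E3C82E337BB71B6BC9B895D61    c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
  • 2009-04-19 19:38    2066042    2280F2E13CAD828B3B915337CF22A8BF    c:\windows\system32\ntkrnlpa.exe
  • 2009-04-19 19:38    2066042    2280F2E13CAD828B3B915337CF22A8BF    c:\windows\system32\dllcache\ntkrnlpa.exe
  • 2009-04-19 19:38    110512    C412D6838A253D06B90334DE9CEA71FE    c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2008-04-14 00:12    108544    0E776ED5F7CC9F94299E70461B7B8185    c:\windows\ServicePackFiles\i386\services.exe
  • 2009-04-19 19:38    110512    D1F469364AF8A7DA6A463E2F4B1E894D    c:\windows\system32\services.exe
  • 2009-04-19 19:38    110512    D1F469364AF8A7DA6A463E2F4B1E894D    c:\windows\system32\dllcache\services.exe
"""

LINE_RE = re.compile(
    r"^\s*(?P<mark>\[\d\]|\[-\]|•)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*?)\s*$"
)

def parse_sigcheck(text):
    """One dict per Sigcheck line; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            path = m.group("path")
            entries.append({"verified": m.group("mark") == "[7]",
                            "size": int(m.group("size")), "md5": m.group("md5").upper(),
                            "path": path, "name": PureWindowsPath(path).name.lower()})
    return entries

def flag_suspect_copies(entries):
    """Report unverified copies under system32 (the copy Windows loads, and the
    dllcache copy WFP would restore from) whose MD5 matches no verified copy of
    the same file name. Hotfix copies under $hf_mig$ legitimately differ."""
    baseline = defaultdict(set)
    for e in entries:
        if e["verified"]:
            baseline[e["name"]].add(e["md5"])
    suspects = []
    for e in entries:
        if e["verified"] or "\\system32\\" not in e["path"].lower():
            continue
        if e["md5"] not in baseline[e["name"]]:
            suspects.append((e["path"], e["md5"], sorted(baseline[e["name"]])))
    return suspects

if __name__ == "__main__":
    for path, md5, known in flag_suspect_copies(parse_sigcheck(SIGCHECK_SAMPLE)):
        print(f"{path}: MD5 {md5} matches none of the verified hashes {known}")
```

On this log the system32 and dllcache copies carry the same unverified hash, so Windows File Protection would not restore a clean copy by itself; that is why the advice in the thread leans on the Recovery Console and the ServicePackFiles copy.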
fengzebabz, Beginner
21 May 2009 - 14:44 #10
And by the way, thanks for the help so far. It's great that there are people who are willing to take the time to help others with their problems! Sweet.
f-arn, Guru
21 May 2009 - 17:34 #11
Download one of these files (remember to choose the language matching your operating system's language):

UK: http://www.microsoft.com/downloads/details.aspx?FamilyId=15491F07-99F7-4A2D-983D-81C2137FF464&displaylang=en

DK: http://www.microsoft.com/downloads/details.aspx?displaylang=da&FamilyID=15491f07-99f7-4a2d-983d-81c2137ff464

Then drag the new file with the mouse over ComboFix and release it. ComboFix should then start installing the Recovery Console.
f-arn, Guru
25 May 2009 - 09:01 #12
Did it work?