vejmand Juniormester
5 June 2009 - 15:01 There are 13 comments and 1 solution

Misc. logs + problem

I have helped a friend clean a laptop after an infection with various trojans and worms.

After that I wanted to install TDC's Sikkerhedspakke (security package) so it doesn't happen again, but:
An error message appears:
....TDC_sikkerhedspakke er ikke et gyldigt Win32-program
(i.e. "is not a valid Win32 application")

I think it may be because I haven't caught everything, so here are the various logs.

Malwarebytes' Anti-Malware 1.37
Database version: 2224
Windows 6.0.6001 Service Pack 1

03-06-2009 20:30:24
mbam-log-2009-06-03 (20-30-24).txt

Skan type: Fuldstændig skanning (C:\|D:\|)
Objekter skannet: 173644
Tid tilbagelagt: 1 hour(s), 2 minute(s), 1 second(s)

Inficerede Hukommelses Processer: 7
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 5
Inficerede Registeringsdatabase Værdier: 7
Inficerede Registeringsdatabase Filer: 3
Inficerede Mapper: 8
Inficerede Filer: 44

Inficerede Hukommelses Processer:
c:\program files\Internet Antivirus Pro\IAPro.exe (Rogue.Installer) -> Unloaded process successfully.
C:\Windows\pp10.exe (Worm.Kooface) -> Unloaded process successfully.
C:\Windows\System32\SYSDLL.exe (Trojan.Proxy) -> Unloaded process successfully.
C:\Program Files\Internet Antivirus Pro\IAPro.exe (Rogue.Installer) -> Unloaded process successfully.
C:\Program Files\websrvx\websrvx.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Windows\freddy46.exe (Worm.KoobFace) -> Unloaded process successfully.
C:\Users\poul\AppData\Roaming\Microsoft\Windows\winlogon.exe (Trojan.Agent) -> Unloaded process successfully.

Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Nøgler:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\websrvx (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\websrvx (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\websrvx (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ITGrdEngine (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\internet antivirus pro_is1 (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Værdier:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet antivirus pro (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet antivirus pro (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Worm.Kooface) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Worm.Koobface) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft windows logon process (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdll (Worm.Autorun) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Filer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Inficerede Mapper:
c:\programdata\microsoft\Windows\start menu\Programs\Internet Antivirus Pro (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\Users\poul\AppData\Roaming\Internet Antivirus Pro (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\Users\poul\AppData\Roaming\internet antivirus pro\db (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\program files\Internet Antivirus Pro (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\program files\internet antivirus pro\db (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\program files\internet antivirus pro\Languages (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\websrvx (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\sysloc (Trojan.BHO) -> Quarantined and deleted successfully.

Inficerede Filer:
c:\program files\Internet Antivirus Pro\IAPro.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Windows\pp10.exe (Worm.Kooface) -> Quarantined and deleted successfully.
C:\Windows\System32\SYSDLL.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\Windows\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\program files\common files\file.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\program files\common files\InternetAntivirusPro.exe (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\Windows\System32\sysloc\sysloc.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\internet antivirus pro\Internet Antivirus Pro Home Page.lnk (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\internet antivirus pro\Internet Antivirus Pro.lnk (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\internet antivirus pro\Purchase License.lnk (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\Users\poul\AppData\Roaming\internet antivirus pro\settings.ini (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\Users\poul\AppData\Roaming\internet antivirus pro\uill.ini (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\Users\poul\AppData\Roaming\internet antivirus pro\unins000.exe (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\Users\poul\AppData\Roaming\internet antivirus pro\Uninstall  Internet Antivirus Pro.lnk (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\Users\poul\AppData\Roaming\internet antivirus pro\updateloadlist.ini (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\Users\poul\AppData\Roaming\internet antivirus pro\db\config.cfg (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\Users\poul\AppData\Roaming\internet antivirus pro\db\Timeout.inf (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\Users\poul\AppData\Roaming\internet antivirus pro\db\Urls.inf (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\program files\internet antivirus pro\activate.ico (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\program files\internet antivirus pro\Explorer.ico (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\program files\internet antivirus pro\unins000.dat (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\program files\internet antivirus pro\unins001.dat (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\program files\internet antivirus pro\unins001.exe (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\program files\internet antivirus pro\uninstall.ico (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\program files\internet antivirus pro\working.log (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\program files\internet antivirus pro\db\config.cfg (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\program files\internet antivirus pro\db\DBInfo.ver (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\program files\internet antivirus pro\db\ia080614.db (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\program files\internet antivirus pro\languages\IAEs.lng (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\program files\internet antivirus pro\languages\IAFr.lng (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\program files\internet antivirus pro\languages\IAGer.lng (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\program files\internet antivirus pro\languages\IAIt.lng (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\program files\websrvx\websrvx.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\freddy45.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\Windows\freddy46.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\Users\poul\AppData\Roaming\microsoft\internet explorer\quick launch\Internet Antivirus Pro.lnk (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\Users\Public\Desktop\Internet Antivirus Pro.lnk (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
c:\Users\poul\AppData\Roaming\Microsoft\Windows\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\st_1243972942.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\Windows\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Windows\f23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\Windows\sonce122714.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\Windows\sonce122715.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\Windows\sonce123198.dat (Worm.KoobFace) -> Quarantined and deleted successfully.


ComboFix 09-06-04.08 - poul 05-06-2009 14:35.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium  6.0.6001.1.1252.45.1030.18.2814.1944 [GMT 2:00]
Kører fra: c:\users\poul\Desktop\Renseprogrammer\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((  Filer skabt fra 2009-05-05 til 2009-06-05  )))))))))))))))))))))))))))))))))))
.

2009-06-05 12:33 . 2009-06-05 12:38    --------    d-s---w-    \ComboFix
2009-06-03 18:59 . 2009-06-03 19:04    --------    d-sh--w-    \Config.Msi
2009-06-03 14:39 . 2009-06-05 12:35    --------    d-----w-    \Qoobox
2009-06-03 14:39 . 2009-06-03 14:39    --------    d-----w-    C:\32788R22FWJFW.0.tmp
2009-06-03 14:39 . 2009-06-03 14:39    --------    d-----w-    \32788R22FWJFW.0.tmp
2009-06-03 14:38 . 2009-06-03 14:38    --------    d-----w-    c:\users\poul\AppData\Roaming\Malwarebytes
2009-06-03 14:38 . 2009-05-26 11:20    40160    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 14:38 . 2009-06-03 14:38    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2009-06-03 14:38 . 2009-06-03 14:38    --------    d-----w-    c:\programdata\Malwarebytes
2009-06-03 14:38 . 2009-05-26 11:19    19096    ----a-w-    c:\windows\system32\drivers\mbam.sys
2009-06-03 14:37 . 2009-06-03 14:37    --------    d-----w-    c:\program files\CCleaner
2009-06-01 21:45 . 2009-06-01 21:45    --------    d-----w-    c:\users\poul\AppData\Local\Symantec
2009-06-01 16:15 . 2009-06-03 17:22    --------    d-----w-    C:\Internet Antivirus Pro
2009-06-01 16:15 . 2009-06-03 17:22    --------    d-----w-    \Internet Antivirus Pro
2009-06-01 14:54 . 2009-06-01 14:54    1    ----a-w-    c:\windows\dk39fi4fe.dat
2009-05-21 17:55 . 2009-05-21 17:56    --------    d-----w-    c:\program files\ICN Gaming Bar

.
((((((((((((((((((((((((((((((((((((((((  Find3M Rapport  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-05 11:54 . 2008-01-21 05:51    77202    ----a-w-    c:\windows\system32\perfc006.dat
2009-06-05 11:54 . 2008-01-21 05:51    463344    ----a-w-    c:\windows\system32\perfh006.dat
2009-06-05 11:50 . 2009-03-12 20:38    27744    ----a-w-    c:\programdata\nvModes.dat
2009-06-05 11:50 . 2009-03-12 21:42    2951131136    --sha-w-    \hiberfil.sys
2009-06-05 11:50 . 2009-03-12 21:42    3264933888    --sha-w-    \pagefile.sys
2009-06-03 19:04 . 2008-09-25 19:03    --------    d-----w-    c:\programdata\Symantec
2009-06-03 19:04 . 2008-09-25 19:03    --------    d-----w-    c:\program files\Common Files\Symantec Shared
2009-05-13 01:05 . 2008-09-25 19:27    --------    d-----w-    c:\programdata\Microsoft Help
2009-05-13 01:00 . 2006-11-02 11:18    --------    d-----w-    c:\program files\Windows Mail
2009-04-08 06:41 . 2009-04-08 06:41    --------    d-----w-    c:\programdata\Office Genuine Advantage
2009-04-07 20:45 . 2008-09-25 19:30    --------    d-----w-    c:\program files\Microsoft Works
2009-03-17 03:38 . 2009-04-16 22:11    13824    ----a-w-    c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-16 22:11    24064    ----a-w-    c:\windows\system32\amxread.dll
2009-03-13 21:28 . 2009-03-13 18:42    0    ----a-w-    c:\users\poul\temp.dat
2009-03-13 18:41 . 2009-03-13 18:41    410984    ----a-w-    c:\windows\system32\deploytk.dll
2009-03-12 20:49 . 2009-03-12 20:49    10    ----a-w-    c:\windows\popcinfo.dat
2009-03-12 17:11 . 2009-03-12 16:59    72112    ----a-w-    c:\users\poul\AppData\Local\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((  SnapShot@2009-06-03_18.50.24  )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2009-06-05 11:51    42038              c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-06-05 11:52    71254              c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-09-25 18:15 . 2009-06-03 18:32    16384              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-25 18:15 . 2009-06-05 11:50    16384              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-25 18:15 . 2009-06-03 18:32    49152              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-25 18:15 . 2009-06-05 11:50    49152              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-25 18:15 . 2009-06-05 11:50    16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-09-25 18:15 . 2009-06-03 18:32    16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 10:25 . 2009-03-16 20:48    86016              c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-06-03 19:02    86016              c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-06-03 19:02    86016              c:\windows\inf\infstor.dat
- 2006-11-02 10:25 . 2009-03-16 20:48    86016              c:\windows\inf\infstor.dat
- 2006-11-02 10:25 . 2009-03-16 20:48    51200              c:\windows\inf\infpub.dat
+ 2006-11-02 10:25 . 2009-06-03 19:02    51200              c:\windows\inf\infpub.dat
+ 2009-03-12 17:12 . 2009-06-05 11:52    8584              c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-560307357-2068560209-1669960212-1000_UserData.bin
- 2009-06-03 18:32 . 2009-06-03 18:32    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-06-05 11:50 . 2009-06-05 11:50    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-06-03 18:32 . 2009-06-03 18:32    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-06-05 11:50 . 2009-06-05 11:50    2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-03-12 22:58 . 2009-06-04 19:59    203822              c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 10:33 . 2009-06-03 18:37    587178              c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-06-05 11:54    587178              c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-06-03 18:37    101250              c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-06-05 11:54    101250              c:\windows\System32\perfc009.dat
+ 2009-04-22 16:05 . 2009-04-22 16:05    406640              c:\windows\Downloaded Program Files\fslauncher.dll
.
(((((((((((((((((((((((((((((((((((  Start steder i reg.basen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Bemærk* tomme linier & lovlige standard linier vises ikke 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C7ADD44-D01F-4D04-B525-AE372B98AFD2}]
2009-05-21 17:56    1295360    ----a-w-    c:\program files\ICN Gaming Bar\Toolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-12 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2008-01-21 2153472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-13 1033512]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-06 34040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-20 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-20 92704]
"WarReg_PopUp"="c:\program files\eMachines\WR_PopUp\WarReg_PopUp.exe" [2008-05-09 49152]
"LManager"="c:\progra~1\LAUNCH~1\QtZyEmachine.EXE" [2008-06-24 817672]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-03-12 24064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-13 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-08-06 6265376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"InternetSettingsDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{AED718BC-E717-4F0C-90C6-1E1382B0777A}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{29D3FB56-FD82-4A68-AC90-80DA8AF512AF}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{49C7438F-BF54-4ACD-92E3-872F05B2FCC0}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{1111F2F9-C923-4B48-8043-F02D0E4D2AA5}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{231D4779-C7E3-46FA-AEA6-54989354C1C9}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{860374B4-474F-4BBA-A9C3-B565FF0A4821}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{9E323130-6223-4EFA-A2D5-0EEBB9AE4E71}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3ACC102A-8D7E-4F22-A0D1-3A95750E1EF7}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [03-03-2008 13:11 16384]
R2 ETService;Empowering Technology Service;c:\program files\eMachines\eMachines Recovery Management\Service\ETService.exe [12-03-2009 19:03 24576]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [06-04-2008 22:42 50424]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [04-04-2008 03:03 131072]
R2 regi;regi;c:\windows\System32\drivers\regi.sys [17-04-2007 21:09 11032]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [26-09-2008 06:02 212992]
S3 GoogleDesktopManager-080708-050100;Google Desktop-administrator 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12-03-2009 19:04 24064]
.
.
------- Yderligere scanning -------
.
uStart Page = hxxp://www.google.dk/ig?hl=da
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0406&s=2&o=vp32&d=0309&m=emg620
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-05 14:38
Windows 6.0.6001 Service Pack 1 NTFS

scanner skjulte processer ... 

scanner skjulte autostarter ...

scanner skjulte filer ... 

scanning gennemført med succes
skjulte filer: 0

**************************************************************************
.
Gennemført tid: 2009-06-05 14:39
ComboFix-quarantined-files.txt  2009-06-05 12:39
ComboFix2.txt  2009-06-03 18:51

Pre-Kørsel: 109.053.472.768 byte ledig
Post-Kørsel: 109.042.499.584 byte ledig

154    --- E O F ---    2009-05-24 01:25

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:47:08, on 05-06-2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Launch Manager\QtZyEmachine.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Users\poul\Desktop\Renseprogrammer\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/ig?hl=da
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0406&s=2&o=vp32&d=0309&m=emg620
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: FCToolbarURLSearchHook Class - {d85adc0e-d2f6-45f6-b037-941a2c96c4ae} - C:\Program Files\ICN Gaming Bar\Helper.dll
R3 - URLSearchHook: (no name) -  - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: FCTBPos00Pos - {8C7ADD44-D01F-4D04-B525-AE372B98AFD2} - C:\Program Files\ICN Gaming Bar\Toolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: ICN Gaming Bar - {30BF4CEA-A50C-4947-A685-48D697938BD3} - C:\Program Files\ICN Gaming Bar\Toolbar.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Program Files\eMachines\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZyEmachine.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?e=1236969725990&h=530d3ff030b44d6c8e6a7efdbf086c81/&filename=jinstall-6u12-windows-i586-jc.cab
O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
O23 - Service: Google Desktop-administrator 5.7.808.7150 (GoogleDesktopManager-080708-050100) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

--
End of file - 6486 bytes

Thanks in advance
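The logs above follow two fixed layouts, so a responder can triage them mechanically rather than by eye. The block below is an added example, not code from the original post or from the Malwarebytes/ComboFix authors: it parses the MBAM finding lines ("item (family) -> action") and the REGEDIT4-style registry dump ComboFix prints, counts detection families, flags findings that sat in autostart locations, and reports the settings the ComboFix log still shows disabled (EnableLUA = 0, EnableFirewall = 0, the Security Center *DisableNotify values). Sample input is constructed from lines in these logs.

```python
"""Triage of the MBAM and ComboFix log formats quoted above (added example,
not code from the original post; sample input constructed from the page)."""
import re
from collections import Counter, defaultdict

MBAM_LINE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
PERSISTENCE = (                                   # autostart locations to re-check by hand
    r"\\currentversion\\run\\",                   # Run keys
    r"\\services\\",                              # service entries (websrvx)
    r"\\appdata\\roaming\\microsoft\\windows\\",  # fake winlogon.exe in %APPDATA%
    r"^c:\\windows\\[^\\]+\.exe$",                # loose executables in %WINDIR%
)
MUST_BE_ON = {"enablelua", "enablefirewall"}      # 0 here means UAC / firewall is off

SAMPLE_MBAM = r"""
Inficerede Hukommelses Processer:
C:\Windows\pp10.exe (Worm.Kooface) -> Unloaded process successfully.
C:\Windows\freddy46.exe (Worm.KoobFace) -> Unloaded process successfully.
C:\Users\poul\AppData\Roaming\Microsoft\Windows\winlogon.exe (Trojan.Agent) -> Unloaded process successfully.

Inficerede Registeringsdatabase Nøgler:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\websrvx (Trojan.Downloader) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Værdier:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Worm.Koobface) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Filer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""

SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"""


def parse_mbam(text):
    """Return {section: [(item, family, action), ...]} from an MBAM log."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and " -> " not in line:   # section header
            current = line[:-1]
            continue
        m = MBAM_LINE.match(line)
        if m and current is not None:
            sections[current].append((m["item"], m["family"].strip(), m["action"]))
    return dict(sections)


def triage_mbam(sections):
    """Count families (case-folded, so KoobFace/Koobface merge) and flag items in
    persistence locations and Security Center notifications that had been silenced."""
    families, persistence, notify_off = Counter(), [], []
    for findings in sections.values():
        for item, family, action in findings:
            families[family.lower()] += 1
            low = item.lower()
            if any(re.search(p, low) for p in PERSISTENCE):
                persistence.append(item)
            # MBAM reports "Bad: (1)" when a *DisableNotify value had been set to 1.
            if "disablenotify" in low and "bad: (1)" in action.lower():
                notify_off.append(item)
    return {"families": families, "persistence": persistence, "notify_off": notify_off}


def weakened_settings(regdump):
    """Return [(key, name, value)] for UAC/firewall still off or *DisableNotify on.
    Handles both value spellings ComboFix prints: '0 (0x0)' and 'dword:00000001'."""
    hits, key = [], None
    for raw in regdump.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE.match(line)
        if not m or key is None:
            continue
        name, value = m["name"], m["value"].strip()
        if value.startswith("dword:"):
            num = int(value[6:], 16)
        elif value.split()[0].isdigit():
            num = int(value.split()[0])
        else:
            continue                     # paths and other strings: not checked here
        lname = name.lower()
        if (lname in MUST_BE_ON and num == 0) or (lname.endswith("disablenotify") and num == 1):
            hits.append((key, name, num))
    return hits
```

The values this reports from the ComboFix dump are the ones MBAM's clean-up does not restore: UAC, all three firewall profiles and the Security Center notifications on this machine were still off after the scan and need to be switched back on by hand.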
johnstigers Seniormester
5 June 2009 - 15:11 #1
Have you tried downloading the program again?
5 June 2009 - 15:11 #2
Just a quick one: has this PC recently picked up 'something' from Facebook?

Toolbar: ICN Gaming Bar ??? What is that?

Do a clean-up run with CCleaner (right-click - Run as administrator...)

Check Windows Update: among other things you're missing IE8 + the updates that follow it...
vejmand Juniormester
5 June 2009 - 15:17 #3
john_stigers >> No, do you really think that's the problem??
I've read online that the problem is often caused by an infection, but otherwise I'll download the program again.  :-)

karise_larry >> Yes, the infection came from Facebook.
Toolbar: ICN Gaming Bar ??? What is that?
No idea, should it be deleted?
Forgot to mention that I've run CCleaner a couple of times; it doesn't find anything more.

I'll try the update now.

PS: Thanks for the quick response.  :-)
vejmand Juniormester
5 June 2009 - 15:20 #4
There were 3 important updates, installing now......
5 June 2009 - 15:25 #5
Most of the infections your MalwareBytes caught are precisely from a Facebook app. Seen it a number of times, also outside Eksperten *SIGH*

Remember this: (right-click - Run as administrator...) when installing TDC's Sikkerhedspakke...

ICN Gaming Bar ??? Out with it!!!
vejmand Juniormester
5 June 2009 - 15:29 #6
Damn.., I forgot about "Run as administrator".

I'll try that once I'm done with the update, and then I'll delete that bar.
Is it best to delete it with HiJackThis?
5 June 2009 - 15:38 #7
... best via [Control Panel] etc. etc. ...
vejmand Juniormester
5 June 2009 - 16:17 #8
The security package is now installed.  :-)
I ran the installation online instead of using the downloaded file.

Regarding Update:
It wouldn't install IE8 (error message Error 0x80072EFD)
The firewall is disabled and the sites Microsoft recommends:
http://update.microsoft.com
http://windowsupdate.microsoft.com
http://update.microsoft.com/microsoftupdate/v6/default.aspx
have been added to "Trusted sites".

The first update installed without problems, then it asked me to restart to install the second one, and that's where it goes wrong.

But never mind, I'll look at that later.

Is it okay if you two share the points? John gave me the hint about downloading the program again.  :-)
vejmand Juniormester
5 June 2009 - 16:18 #9
PS: Thanks a lot for the help!
5 June 2009 - 16:21 #10
Ping...
vejmand Juniormester
5 June 2009 - 16:53 #11
I'd just like to share how I got Windows Update working again:

Start -> All Programs -> Accessories -> Right-click Command Prompt -> Run as administrator -> Type: netsh winhttp show proxy -> When it finishes, type: netsh winhttp reset proxy -> Type: exit

After that I could open IE and run an update without problems.  :-)
birkus Nybegynder
7 June 2009 - 22:36 #12
I don't know if I have the same problem this thread is about, but one of our PCs has had problems after apparently picking up a virus or similar from Facebook.
(My wife clicked a link, and after that strange things happened on the screen)

Now, however, the computer can no longer access the internet.
There may be MS security updates that haven't been installed.

Does anyone have good advice on how I proceed from here?
vejmand Juniormester
7 June 2009 - 23:16 #13
Read, understand and follow this guide: http://www.eksperten.dk/guide/1232
Then create a question in the Virus category and paste your logs into it.
Then I'm sure you'll get qualified help.  :-)
johnstigers Seniormester
10 June 2009 - 21:00 #14
He got good advice, but nothing came of it ;)