[SOLVED] Malware, trojan + popups.

24 posts in this topic

Posted

Hi, I need all the help I can get from you!

I keep getting annoying popups without having Internet Explorer open, and I get messages saying I am infected by "A black door trojan, Malware". The pages that pop up look like "fake antivirus download" pages saying my PC is at risk and recommending that I download "BestSellerAntiVirus". I think that would only make it worse. In addition, two things get saved back onto my desktop automatically after I put them in the recycle bin: Online Security Guide and Live Safety Center.

Hope someone understood some of that!


Posted

you could always format the PC....


Posted

Get Smitfraudfix and put it on the desktop.

Restart in safe mode (tap F8 during boot, choose safe mode).

Run Smitfraudfix, choose option 2. Follow the instructions.

From normal mode:

Download SAS, install it, update it and run a full (Complete) scan.

Download Hijackthis. Put it in its own folder on the desktop.

Start the program, choose "Do a system scan and save a logfile".

Copy the logfile from hjt and post it.


Posted

I would rather recommend formatting the PC and getting yourself a proper anti-virus program.

Send me a PM and you can get...


Posted (edited)

Hi.

Try a thorough cleanup of temporary internet files and dead registry keys, and then a proper antivirus and spy/ad-ware check.

First, run CCleaner, which removes temporary files; then click "Issues" in the CCleaner window and choose "Scan for issues". CCleaner then scans for unused registry keys; then click "Fix selected issues" and say yes to taking a backup. Download here: http://filehippo.com/download_ccleaner/

Finally, scan with AVG Antispyware, download here: http://filehippo.com/download_ewido/

The reason you should scan with several different programs is that one finds things the other doesn't. Everything I have referred to is freeware.

I think this will help considerably. If you want to be completely on the safe side, you can finally run Trend Micro's Housecall, a very comprehensive online antivirus scanner.

It can be found here: http://housecall.trendmicro.com/

BitDefender Onlinescan is also a good alternative: http://www.bitdefender.com/

A tedious job perhaps, but it can be very effective if virus/spyware is the cause.

I'm 99.9% sure this will do the trick.

EDIT: Try my suggestion instead; it does solve the problem.

Edited by L.M.

Posted

Get Smitfraudfix and put it on the desktop.

Restart in safe mode (tap F8 during boot, choose safe mode).

Run Smitfraudfix, choose option 2. Follow the instructions.

From normal mode:

Download SAS, install it, update it and run a full (Complete) scan.

Download Hijackthis. Put it in its own folder on the desktop.

Start the program, choose "Do a system scan and save a logfile".

Copy the logfile from hjt and post it.

I restarted in safe mode and ran Smitfraudfix.. but didn't understand which one I was supposed to choose.


Posted

Run Smitfraudfix and choose option 2 (Clean) :)


Posted

I'm running the SAS complete scan now. I can see it's finding a lot of bugs.. does it delete everything it finds?


Posted (edited)

When SAS is finished, it lists what it has found. Just check that everything is ticked for deletion. SAS will probably ask for a restart of the PC.

I would also like to see the log from SAS. You find it under Preferences->Statistics/Logs. Post it together with the log from HJT.

Edit: Smitfraudfix normally removes the files tied to Online Security Guide and Live Safety Center. Could you confirm whether those icons on the desktop disappeared after you ran Smitfraudfix?

Edited by norbat

Posted (edited)

No, they didn't disappear after I ran Smitfraudfix. The SAS scan is still running..

Edit: The SAS scan is complete, so now I find the log in SAS, and then I scan and find the log with HJT?

Edited by The Used

Posted (edited)

No, they didn't disappear after I ran Smitfraudfix. The SAS scan is still running..

Ok, thanks.

Yes, SAS takes about 1 hour +/-. Depends a bit on the hard drive size. While SAS is scanning, could you post the log from Smitfraudfix. You normally find it at the following location: C:\rapport.txt

Edit: Yes, when you start SAS, choose Preferences->Statistics/Logs. There you find the report SAS created. Open it and copy what is in it.

Re. HJT: It creates a log (opens in Notepad). Copy that and paste it into your post.

Edited by norbat

Posted (edited)

Here is the log from the SAS scan:

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 02/02/2008 at 01:40 PM

Application Version : 3.9.1008

Core Rules Database Version : 3394

Trace Rules Database Version: 1386

Scan type : Complete Scan

Total Scan Time : 00:54:33

Memory items scanned : 599

Memory threats detected : 4

Registry items scanned : 6065

Registry threats detected : 62

File items scanned : 43480

File threats detected : 35

Trojan.Unclassifed/AffiliateBundle

C:\WINDOWS\SYSTEM32\IIFDDBX.DLL

C:\WINDOWS\SYSTEM32\IIFDDBX.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24C61C09-62C0-42ED-B640-53F7FEC9098A}

HKCR\CLSID\{24C61C09-62C0-42ED-B640-53F7FEC9098A}

HKCR\CLSID\{24C61C09-62C0-42ED-B640-53F7FEC9098A}\InprocServer32

HKCR\CLSID\{24C61C09-62C0-42ED-B640-53F7FEC9098A}\InprocServer32#ThreadingModel

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{24C61C09-62C0-42ED-B640-53F7FEC9098A}

Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\iifddbx

Trojan.WinFixer

C:\WINDOWS\SYSTEM32\JKHFC.DLL

C:\WINDOWS\SYSTEM32\JKHFC.DLL

HKLM\Software\Classes\CLSID\{74882B52-0106-48BB-8D8D-E769C6ABAF3F}

HKCR\CLSID\{74882B52-0106-48BB-8D8D-E769C6ABAF3F}

HKCR\CLSID\{74882B52-0106-48BB-8D8D-E769C6ABAF3F}\InprocServer32

HKCR\CLSID\{74882B52-0106-48BB-8D8D-E769C6ABAF3F}\InprocServer32#ThreadingModel

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74882B52-0106-48BB-8D8D-E769C6ABAF3F}

Adware.Vundo-Variant/Small-A

C:\WINDOWS\SYSTEM32\IBNRGSNI.DLL

C:\WINDOWS\SYSTEM32\IBNRGSNI.DLL

HKLM\Software\Classes\CLSID\{73c297ca-d8c7-4975-bef0-24124f333640}

HKCR\CLSID\{73C297CA-D8C7-4975-BEF0-24124F333640}

HKCR\CLSID\{73C297CA-D8C7-4975-BEF0-24124F333640}\InprocServer32

HKCR\CLSID\{73C297CA-D8C7-4975-BEF0-24124F333640}\InprocServer32#ThreadingModel

C:\WINDOWS\SYSTEM32\DCIGFAFQ.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73c297ca-d8c7-4975-bef0-24124f333640}

Adware.MyWebSearch

C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE

C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE

[MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE

HKLM\Software\Classes\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D}

HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}

HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}

HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\InprocServer32

HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\InprocServer32#ThreadingModel

HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\Programmable

C:\PROGRAMFILER\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL

HKLM\Software\Classes\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}

HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}

HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}

HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32

HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32#ThreadingModel

HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\Programmable

HKLM\Software\Classes\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}

HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}

HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}

HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\InprocServer32

HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\InprocServer32#ThreadingModel

C:\PROGRAMFILER\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL

HKLM\Software\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}

HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}

HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}

HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\InprocServer32

HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\InprocServer32#ThreadingModel

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}

HKLM\Software\Microsoft\Internet Explorer\Toolbar#{07B18EA9-A523-4961-B6BB-170DE4475CCA}

HKU\S-1-5-21-3799961400-1039158051-479145415-1005\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}

C:\PROGRAMFILER\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE

C:\WINDOWS\Prefetch\MWSOEMON.EXE-13562333.pf

Adware.Vundo Variant

HKLM\Software\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}

HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}

HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32

HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32#ThreadingModel

C:\WINDOWS\SYSTEM32\DOMDGUQS.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}

HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}

Adware.Tracking Cookie

C:\Documents and Settings\Lars\Cookies\lars@directtrack[1].txt

C:\Documents and Settings\Lars\Cookies\lars@angleinteractive.directtrack[2].txt

C:\Documents and Settings\Lars\Cookies\lars@bestsellerantivirus[3].txt

C:\Documents and Settings\Lars\Cookies\lars@clickbank[1].txt

C:\Documents and Settings\Lars\Cookies\lars@zedo[1].txt

C:\Documents and Settings\Lars\Cookies\lars@mywebsearch[2].txt

C:\Documents and Settings\martin\Cookies\martin@www5.addfreestats[1].txt

C:\Documents and Settings\martin\Cookies\martin@e2.emediate[2].txt

C:\Documents and Settings\martin\Cookies\martin@ads.vg.basefarm[2].txt

C:\Documents and Settings\martin\Cookies\martin@ads.vg.basefarm[1].txt

C:\Documents and Settings\martin\Cookies\martin@ads.us.e-planning[1].txt

C:\Documents and Settings\martin\Cookies\martin@ad2.bbmedia[1].txt

C:\Documents and Settings\martin\Cookies\martin@xiti[1].txt

C:\Documents and Settings\martin\Cookies\martin@track.adform[1].txt

C:\Documents and Settings\martin\Cookies\martin@mywebsearch[1].txt

C:\Documents and Settings\martin\Cookies\martin@server.cpmstar[1].txt

C:\Documents and Settings\martin\Cookies\martin@ads.habbohotel[1].txt

D:\Jonas\Cookies\jonas@ads.habbohotel[2].txt

D:\Jonas\Cookies\jonas@ads.monster[1].txt

D:\Jonas\Cookies\jonas@advert.runescape[1].txt

D:\Jonas\Cookies\jonas@ads.habbogroup[2].txt

Trojan.Unknown Origin

HKLM\SOFTWARE\Microsoft\MSSMGR

HKLM\SOFTWARE\Microsoft\MSSMGR#Data

HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd

HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST

HKLM\SOFTWARE\Microsoft\MSSMGR#PID

HKLM\SOFTWARE\Microsoft\MSSMGR#Rid

HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV

HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV

HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST

HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST

HKLM\SOFTWARE\Microsoft\MSSMGR#BPTV

HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV

HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV

Adware.Vundo Variant/Rel

C:\WINDOWS\SYSTEM32\CFHKJ.INI

Adware.SXGAdvisor

C:\SYSTEM VOLUME INFORMATION\_RESTORE{0213F552-E4CF-4068-8FB1-989D2C1F6CDE}\RP494\A0050820.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{0213F552-E4CF-4068-8FB1-989D2C1F6CDE}\RP495\A0050845.DLL

Trojan.Unclassified/Packed-Win

C:\SYSTEM VOLUME INFORMATION\_RESTORE{0213F552-E4CF-4068-8FB1-989D2C1F6CDE}\RP504\A0052506.DLL

HJT LOG:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:57:11, on 02.02.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Programfiler\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe

C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe

C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe

C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe

C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Acer\Acer eConsole\MediaServerService.exe

C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe

C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\MyService\RIOService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe

C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\Acer\Acer eConsole\MediaSync.exe

C:\Programfiler\Windows Defender\MSASCui.exe

C:\Programfiler\Google\Google Desktop Search\GoogleDesktop.exe

C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe

D:\iTunesHelper.exe

C:\Programfiler\Google\Google Desktop Search\GoogleDesktop.exe

C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programfiler\Vidalia\vidalia.exe

C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Programfiler\MSN Messenger\msnmsgr.exe

D:\wcescomm.exe

C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Programfiler\Privoxy\privoxy.exe

C:\Programfiler\Fellesfiler\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Programfiler\FinePixViewer\QuickDCF2.exe

D:\rapimgr.exe

C:\Programfiler\iPod\bin\iPodService.exe

C:\WINDOWS\system32\notepad.exe

C:\Programfiler\Internet Explorer\iexplore.exe

C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Programfiler\Messenger\msmsgs.exe

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programfiler\Fellesfiler\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programfiler\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programfiler\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programfiler\Fellesfiler\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar2.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programfiler\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: ekxdvft - {1817219B-D6DC-450A-B913-41F12BC05019} - C:\WINDOWS\ekxdvft.dll (file missing)

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [iS CfgWiz] C:\Programfiler\Norton Internet Security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [PD0870 STISvc] RunDLL32.exe P0870Pin.dll,RunDLL32EP 513

O4 - HKLM\..\Run: [MediaSync] C:\Program Files\Acer\Acer eConsole\MediaSync.exe

O4 - HKLM\..\Run: [Alaunch] C:\Windows\alaunch.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Programfiler\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programfiler\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [REGSHAVE] C:\Programfiler\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunesHelper.exe"

O4 - HKLM\..\Run: [b96cb7ff] rundll32.exe "C:\WINDOWS\system32\ibnrgsni.dll",b

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Vidalia] "C:\Programfiler\Vidalia\vidalia.exe"

O4 - HKCU\..\Run: [swg] C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\wcescomm.exe"

O4 - HKCU\..\Run: [steam] "c:\progra~1\steam\steam.exe" -silent

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETTVERKSTJENESTE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Privoxy.lnk = C:\Programfiler\Privoxy\privoxy.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Office10\OSA.EXE

O4 - Global Startup: ExifLauncher2.lnk = C:\Programfiler\FinePixViewer\QuickDCF2.exe

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\INetRepl.dll

O9 - Extra 'Tools' menuitem: Opprett mobil favoritt... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\INetRepl.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/7/532/6712/6c5b0a...5/Installer.exe

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: domdguqs - domdguqs.dll (file missing)

O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)

O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programfiler\Fellesfiler\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)

O23 - Service: Automatisk LiveUpdate-planlegging - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Programfiler\Norton Internet Security\ccPwdSvc.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programfiler\Norton Internet Security\comHost.exe

O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Programfiler\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programfiler\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: RIOService - TODO: <Company name> - C:\MyService\RIOService.exe

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programfiler\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 11718 bytes

Edited by The Used

Posted

Start hjt, choose "Do a system scan only", tick the following lines and click Fix checked:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O3 - Toolbar: ekxdvft - {1817219B-D6DC-450A-B913-41F12BC05019} - C:\WINDOWS\ekxdvft.dll (file missing)

O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - HKLM\..\Run: [b96cb7ff] rundll32.exe "C:\WINDOWS\system32\ibnrgsni.dll",b

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000

O20 - Winlogon Notify: domdguqs - domdguqs.dll (file missing)

O20 - Winlogon Notify: winmfu32 - winmfu32.dll (file missing)

Do you know this service that is running on the PC: RIOService.exe ?

We'll do an extra check with Combofix. Download it and put it on the desktop.

Run combofix.exe and follow the instructions.

Post the logfile from combofix (c:\combofix.txt)

Also tell us how the PC is running.

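As an added illustration of the triage norbat does in the post above (this is example code written for this page, not a tool from the thread or from the HijackThis project): a small Python script that parses HijackThis-style lines and flags the same kinds of entries he picked out. The rules are: components marked "(no file)" or "(file missing)" (orphaned registrations), anything belonging to the MyWebSearch/FunWebProducts adware named in the logs, O4 Run entries that load a DLL through rundll32 under a random-looking value name, and O23 services whose vendor field is an unfilled template. The sample input is constructed from lines quoted in this thread plus a few benign ones; the rule names and the "8 hex characters" heuristic are assumptions made for the example, not HijackThis features.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: a subset of the HijackThis entries posted in this thread,
# plus a few benign entries, used as offline input for the triage function.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: ekxdvft - {1817219B-D6DC-450A-B913-41F12BC05019} - C:\WINDOWS\ekxdvft.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [b96cb7ff] rundll32.exe "C:\WINDOWS\system32\ibnrgsni.dll",b
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZNfox000
O20 - Winlogon Notify: !SASWinLogon - C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: domdguqs - domdguqs.dll (file missing)
O23 - Service: RIOService - TODO: <Company name> - C:\MyService\RIOService.exe
"""


class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "O4"
    line: str      # the full log line that was flagged
    reason: str    # why it was flagged


# "O2 - ...", "R0 - ...", "F2 - ..." -> (section code, remainder of the line)
SECTION_RE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")
# the [value name] of an O4 Run entry
RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")
# path/URL fragments of the adware family named in this thread (assumed list)
ADWARE_FRAGMENTS = ("mywebs~1", "mywebsearch", "funwebproducts")


def classify(section: str, rest: str) -> Optional[str]:
    """Return a reason string if the entry looks worth reviewing, else None."""
    low = rest.lower()
    if "(no file)" in low or "(file missing)" in low:
        return "orphaned entry: registered component whose file is gone"
    if any(frag in low for frag in ADWARE_FRAGMENTS):
        return "matches a MyWebSearch/FunWebProducts adware component"
    if section == "O4" and "rundll32" in low:
        m = RUN_NAME_RE.search(rest)
        # random-looking value name (8 hex chars) + rundll32 loading a DLL
        if m and re.fullmatch(r"[0-9a-f]{8}", m.group(1), re.I):
            return "Run entry loads a DLL via rundll32 under a random-looking value name"
    if section == "O23" and "todo: <company name>" in low:
        return "service whose vendor field is an unfilled template; origin should be verified"
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse HijackThis-style lines and return the ones the rules flag."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # header, process list or blank line
        section, rest = m.group(1), m.group(2)
        reason = classify(section, rest)
        if reason:
            findings.append(Finding(section, line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it as a script to print the flagged lines. The rules are deliberately narrow: the scanner-driver entry `RunDLL32.exe P0870Pin.dll` in the posted log is not flagged, because its value name is not a bare hex string, and the O23 match only says the origin should be checked, which is exactly what norbat asks about RIOService rather than treating it as malicious.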

Posted

I did Fix Checked on those lines. But by the way, after the SAS scan, when I rebooted the PC, everything seems completely normal again. I don't get popups or messages about Worm, trojan etc..

"Do you know this service that is running on the PC: RIOService.exe ?"

No, I don't really have much of a clue.


Posted

I would think your problem was tied to WinFixer, which is an application in the Vundo family. A Vundo infection usually consists of a horde of files, files that Combofix can reveal if there are still remnants left. So even though your problem is gone, it is wise that you run a scan with this program. It takes about 10-15 minutes.

I don't think the RIOService service is anything 'dangerous', but it would be good to know where it comes from.


Posted

When I was about to run combofix I get the message... 1/100 machines fail something or other. You probably understand what I mean. I trust you fully, but that's how it's supposed to be, right?


Posted

Yes, you get some messages at the start. That is completely normal :)


Posted (edited)

Ok, now I have run Combofix and restarted the PC. Do you think I'm done with everything then?

If that was it... then thank you very much. :)

Edited by The Used

Posted

If you post the combofix log, I can answer that :)

You usually find the log as c:\combofix.txt


Posted

Should the combofix log have come up by itself?


Posted (edited)

Should the combofix log have come up by itself?

After the restart, combofix usually exits and then shows a log. That doesn't always happen. You should then find it at the location mentioned.

Edited by norbat

Posted

Think I found it :)

ComboFix 08-02.02.5 - Lars 2008-02-02 14:35:16.1 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.294 [GMT 1:00]

Running from: C:\Documents and Settings\Lars\Lokale innstillinger\Temporary Internet Files\Content.IE5\VFA0R61D\ComboFix[1].exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\Administrator\Favoritter\Online Security Guide.lnk

C:\Documents and Settings\Administrator\Skrivebord\Live Safety Center.lnk

C:\Documents and Settings\Administrator\Skrivebord\Online Security Guide.lnk

C:\Documents and Settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr0.dat

C:\Documents and Settings\All Users\Programdata\Microsoft\Network\Downloader\qmgr1.dat

C:\Documents and Settings\All Users\Start-meny\Live Safety Center.lnk

C:\Documents and Settings\All Users\Start-meny\Online Security Guide.lnk

C:\Documents and Settings\Lars\Favoritter\Online Security Guide.lnk

C:\Programfiler\FunWebProducts

C:\Programfiler\FunWebProducts\Shared\Cache\AvatarSmallBtn.html

C:\Programfiler\FunWebProducts\Shared\Cache\CursorManiaBtn.html

C:\Programfiler\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html

C:\Programfiler\FunWebProducts\Shared\Cache\MailStampBtn.html

C:\Programfiler\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html

C:\Programfiler\FunWebProducts\Shared\Cache\MyStationeryBtn.html

C:\Programfiler\FunWebProducts\Shared\Cache\SmileyCentralBtn.html

C:\Programfiler\MyWebSearch

C:\Programfiler\MyWebSearch\bar\1.bin\F3BKGERR.JPG

C:\Programfiler\MyWebSearch\bar\1.bin\F3BROVLY.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\F3CJPEG.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\F3DTACTL.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\F3HISTSW.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\F3HTMLMU.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\F3HTTPCT.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\F3IMSTUB.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\F3POPSWT.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\F3PSSAVR.SCR

C:\Programfiler\MyWebSearch\bar\1.bin\F3REPROX.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\F3RESTUB.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\F3SCHMON.EXE

C:\Programfiler\MyWebSearch\bar\1.bin\F3SCRCTR.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\F3SHLLVW.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\F3SPACER.WMV

C:\Programfiler\MyWebSearch\bar\1.bin\F3WALLPP.DAT

C:\Programfiler\MyWebSearch\bar\1.bin\F3WPHOOK.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\M3FFXTBR.JAR

C:\Programfiler\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST

C:\Programfiler\MyWebSearch\bar\1.bin\M3HTML.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\M3IDLE.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\M3IMPIPE.EXE

C:\Programfiler\MyWebSearch\bar\1.bin\M3MSG.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\M3NTSTBR.JAR

C:\Programfiler\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST

C:\Programfiler\MyWebSearch\bar\1.bin\M3OUTLCN.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\M3PLUGIN.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\M3SKIN.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\M3SKPLAY.EXE

C:\Programfiler\MyWebSearch\bar\1.bin\M3SLSRCH.EXE

C:\Programfiler\MyWebSearch\bar\1.bin\M3SRCHMN.EXE

C:\Programfiler\MyWebSearch\bar\1.bin\MWSOEPLG.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\MWSOESTB.DLL

C:\Programfiler\MyWebSearch\bar\1.bin\NPMYWEBS.DLL

C:\Programfiler\MyWebSearch\bar\Avatar\COMMON.F3S

C:\Programfiler\MyWebSearch\bar\Cache\00DAA95B

C:\Programfiler\MyWebSearch\bar\Cache\0179D3E0.bin

C:\Programfiler\MyWebSearch\bar\Cache\0179D5B5.bin

C:\Programfiler\MyWebSearch\bar\Cache\0179E39F.bin

C:\Programfiler\MyWebSearch\bar\Cache\0179F061.bin

C:\Programfiler\MyWebSearch\bar\Cache\0179F18A.bin

C:\Programfiler\MyWebSearch\bar\Cache\063DCABA

C:\Programfiler\MyWebSearch\bar\Cache\063DD4BD

C:\Programfiler\MyWebSearch\bar\Cache\063DD876.bin

C:\Programfiler\MyWebSearch\bar\Cache\063DDD48.bin

C:\Programfiler\MyWebSearch\bar\Cache\063DDE90.bin

C:\Programfiler\MyWebSearch\bar\Cache\063DDAA8.bin

C:\Programfiler\MyWebSearch\bar\Cache\08D3A953.bin

C:\Programfiler\MyWebSearch\bar\Cache\08D3ABB5.bin

C:\Programfiler\MyWebSearch\bar\Cache\08D3AA9C.bin

C:\Programfiler\MyWebSearch\bar\Cache\0B61B04C

C:\Programfiler\MyWebSearch\bar\Cache\files.ini

C:\Programfiler\MyWebSearch\bar\Game\CHECKERS.F3S

C:\Programfiler\MyWebSearch\bar\Game\CHESS.F3S

C:\Programfiler\MyWebSearch\bar\Game\REVERSI.F3S

C:\Programfiler\MyWebSearch\bar\History\search2

C:\Programfiler\MyWebSearch\bar\icons\CM.ICO

C:\Programfiler\MyWebSearch\bar\icons\MFC.ICO

C:\Programfiler\MyWebSearch\bar\icons\PSS.ICO

C:\Programfiler\MyWebSearch\bar\icons\SMILEY.ICO

C:\Programfiler\MyWebSearch\bar\icons\WB.ICO

C:\Programfiler\MyWebSearch\bar\icons\ZWINKY.ICO

C:\Programfiler\MyWebSearch\bar\Message\COMMON.F3S

C:\Programfiler\MyWebSearch\bar\Message\COMMON\ask_logo.gif

C:\Programfiler\MyWebSearch\bar\Message\COMMON\autoup.gif

C:\Programfiler\MyWebSearch\bar\Message\COMMON\autoup.htm

C:\Programfiler\MyWebSearch\bar\Message\COMMON\center.htm

C:\Programfiler\MyWebSearch\bar\Message\COMMON\index.htm

C:\Programfiler\MyWebSearch\bar\Message\COMMON\mid_dots.gif

C:\Programfiler\MyWebSearch\bar\Message\COMMON\mws_logo.gif

C:\Programfiler\MyWebSearch\bar\Message\COMMON\protect.htm

C:\Programfiler\MyWebSearch\bar\Message\COMMON\shocked.gif

C:\Programfiler\MyWebSearch\bar\Message\COMMON\stop.gif

C:\Programfiler\MyWebSearch\bar\Message\COMMON\systray.htm

C:\Programfiler\MyWebSearch\bar\Message\COMMON\systrayp.htm

C:\Programfiler\MyWebSearch\bar\Message\COMMON\tp_grad.gif

C:\Programfiler\MyWebSearch\bar\Message\COMMON\warn.gif

C:\Programfiler\MyWebSearch\bar\Notifier\COMMON.F3S

C:\Programfiler\MyWebSearch\bar\Notifier\DOG.F3S

C:\Programfiler\MyWebSearch\bar\Notifier\FISH.F3S

C:\Programfiler\MyWebSearch\bar\Notifier\KUNGFU.F3S

C:\Programfiler\MyWebSearch\bar\Notifier\LIFEGARD.F3S

C:\Programfiler\MyWebSearch\bar\Notifier\MAID.F3S

C:\Programfiler\MyWebSearch\bar\Notifier\MAILBOX.F3S

C:\Programfiler\MyWebSearch\bar\Notifier\OPERA.F3S

C:\Programfiler\MyWebSearch\bar\Notifier\ROBOT.F3S

C:\Programfiler\MyWebSearch\bar\Notifier\SEDUCT.F3S

C:\Programfiler\MyWebSearch\bar\Notifier\SURFER.F3S

C:\Programfiler\MyWebSearch\bar\Settings\prevcfg2.htm

C:\Programfiler\MyWebSearch\bar\Settings\s_pid.dat

C:\Programfiler\MyWebSearch\bar\Settings\setting2.htm

C:\Programfiler\MyWebSearch\bar\Settings\settings.dat

C:\WINDOWS\cookies.ini

C:\WINDOWS\system32\cfhkj.ini2

C:\WINDOWS\system32\domdguqs.dllbox

C:\WINDOWS\system32\f3PSSavr.scr

C:\WINDOWS\system32\insgrnbi.ini

C:\WINDOWS\system32\puqrvvtx.dll

----- BITS: Possible infected sites -----

hxxp://216.40.219.141

.

((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))

.

2008-02-02 13:56 . 2008-02-02 13:56 <DIR> d-------- C:\Programfiler\Trend Micro

2008-02-02 12:43 . 2008-02-02 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\SUPERAntiSpyware.com

2008-02-02 12:42 . 2008-02-02 12:42 <DIR> d-------- C:\Programfiler\SUPERAntiSpyware

2008-02-02 12:42 . 2008-02-02 12:42 <DIR> d-------- C:\Documents and Settings\Lars\Programdata\SUPERAntiSpyware.com

2008-02-02 12:30 . 2008-02-02 12:30 3,810 --a------ C:\WINDOWS\system32\tmp.reg

2008-02-02 11:45 . 2008-02-02 11:45 <DIR> dr-h----- C:\Documents and Settings\Lars\Siste

2008-02-02 11:45 . 2008-02-02 11:45 <DIR> d-------- C:\Documents and Settings\Lars\Programdata\Grisoft

2008-02-02 11:45 . 2008-02-02 11:45 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Grisoft

2008-02-02 11:45 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2008-02-02 11:39 . 2008-02-02 11:39 <DIR> d-------- C:\Programfiler\CCleaner

2008-02-02 11:13 . 2005-06-24 19:30 <DIR> dr------- C:\Documents and Settings\Administrator\Start-meny

2008-02-02 11:13 . 2005-06-24 19:30 <DIR> d--h----- C:\Documents and Settings\Administrator\Skrivere

2008-02-02 11:13 . 2005-06-24 19:30 <DIR> d-------- C:\Documents and Settings\Administrator\Skrivebord

2008-02-02 11:13 . 2005-06-24 19:40 <DIR> dr-h----- C:\Documents and Settings\Administrator\Siste

2008-02-02 11:13 . 2005-06-24 19:42 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Symantec

2008-02-02 11:13 . 2005-06-24 19:30 <DIR> dr-h----- C:\Documents and Settings\Administrator\Programdata

2008-02-02 11:13 . 2005-06-24 19:40 <DIR> dr------- C:\Documents and Settings\Administrator\Mine dokumenter

2008-02-02 11:13 . 2005-06-24 19:30 <DIR> d--h----- C:\Documents and Settings\Administrator\Maler

2008-02-02 11:13 . 2005-06-24 19:30 <DIR> d--h----- C:\Documents and Settings\Administrator\Lokale innstillinger

2008-02-02 11:13 . 2005-06-24 19:40 <DIR> dr------- C:\Documents and Settings\Administrator\Favoritter

2008-02-02 11:13 . 2005-06-24 19:30 <DIR> d--h----- C:\Documents and Settings\Administrator\AndrMask

2008-02-02 11:07 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2008-02-02 11:07 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2008-02-02 11:07 . 2008-02-02 00:55 83,456 --a------ C:\WINDOWS\system32\VACFix.exe

2008-02-02 11:07 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe

2008-02-02 11:07 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe

2008-02-02 11:07 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2008-02-02 11:07 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2008-02-02 01:43 . 2008-02-02 01:43 116 --a------ C:\WINDOWS\wininit.ini

2008-02-02 00:53 . 2008-02-02 00:53 38 --a------ C:\WINDOWS\system32\a.bat

2008-01-31 19:25 . 2008-01-31 19:25 <DIR> d-------- C:\Programfiler\Steam

2008-01-29 20:43 . 2008-01-29 20:43 10,345 --a------ C:\WINDOWS\system32\drivers\hamachi.sys

2008-01-03 15:15 . 2008-02-02 13:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-01-03 15:15 . 2008-01-03 15:15 1,409 --a------ C:\WINDOWS\QTFont.for

2008-01-02 23:36 . 2008-01-02 23:36 <DIR> d-------- C:\Programfiler\Interbank FX Trader 4

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-01-04 17:20 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF

2008-01-04 17:20 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL

2008-01-04 17:20 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2008-01-04 17:20 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT

2007-12-26 20:32 --------- d-----w C:\Programfiler\iPod

2007-12-26 20:30 --------- d-----w C:\Programfiler\QuickTime

2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll

2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\dllcache\lsasrv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]

"Vidalia"="C:\Programfiler\Vidalia\vidalia.exe" [2006-08-31 01:01 8915456]

"swg"="C:\Programfiler\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 20:45 68856]

"msnmsgr"="C:\Programfiler\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

"H/PC Connection Agent"="D:\wcescomm.exe" [2005-11-15 21:42 1200128]

"Steam"="c:\progra~1\steam\steam.exe" [2008-01-31 19:33 1266936]

"SUPERAntiSpyware"="C:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"ccApp"="C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe" [2007-03-01 12:18 52840]

"IS CfgWiz"="C:\Programfiler\Norton Internet Security\cfgwiz.exe" [2005-11-01 09:25 120464]

"PD0870 STISvc"="P0870Pin.dll" [2005-05-04 18:00 36864 C:\WINDOWS\system32\P0870Pin.dll]

"MediaSync"="C:\Program Files\Acer\Acer eConsole\MediaSync.exe" [2004-08-27 11:21 376832]

"Alaunch"="C:\Windows\alaunch.exe" [2002-05-24 16:08 409657]

"Windows Defender"="C:\Programfiler\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]

"Google Desktop Search"="C:\Programfiler\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-31 12:25 1838592]

"Adobe Reader Speed Launcher"="C:\Programfiler\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]

"REGSHAVE"="C:\Programfiler\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]

"QuickTime Task"="C:\Programfiler\QuickTime\qttask.exe" [2007-12-11 10:56 286720]

"iTunesHelper"="D:\iTunesHelper.exe" [2007-12-11 12:10 267048]

"!AVG Anti-Spyware"="C:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]

"Picasa Media Detector"="C:\Programfiler\Picasa2\PicasaMediaDetector.exe" [2007-09-28 03:17 443968]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\

Privoxy.lnk - C:\Programfiler\Privoxy\privoxy.exe [2006-11-20 15:30:54 250368]

Microsoft Office.lnk - D:\Office10\OSA.EXE [2001-02-13 09:01:04 83360]

ExifLauncher2.lnk - C:\Programfiler\FinePixViewer\QuickDCF2.exe [2007-11-01 17:19:54 303104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programfiler\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programfiler\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

R2 Automatisk LiveUpdate-planlegging;Automatisk LiveUpdate-planlegging;"C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-08-03 18:08]

R2 RIOService;RIOService;C:\MyService\RIOService.exe [2004-07-22 09:09]

R2 WF23880;WinFast TV2000/DV2000 WDM Video Capture.;C:\WINDOWS\system32\drivers\wf88vcap.sys [2004-03-15 12:30]

R2 WF88XBAR;WinFast TV2000/DV2000 WDM Crossbar.;C:\WINDOWS\system32\drivers\WF88XBAR.sys [2004-03-15 12:30]

R2 WFTUNE;WinFast TV2000/DV2000 WDM Tuner.;C:\WINDOWS\system32\drivers\WF88TUNE.sys [2004-03-15 12:30]

S3 P0870Dev;Creative WebCam Live! Motion;C:\WINDOWS\system32\DRIVERS\P0870Dev.sys [2005-06-29 18:00]

S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys [2007-10-31 14:09]

S3 WFIOCTL;WFIOCTL;C:\Program Files\Aspire\WFTVFM\WFIOCTL.SYS []

*Newly Created Service* - COMHOST

.

Contents of the 'Scheduled Tasks' folder

"2008-02-01 19:00:24 C:\WINDOWS\Tasks\Norton AntiVirus - Kjør fullstendig systemsøk - Lars.job"


Posted (edited)

Open Notepad and paste in what is shown in bold below, then save the file on the desktop as CFScript.txt.

Then drag the file onto the Combofix icon. Combofix will start again. (You should put combofix directly on the desktop.)

File::

C:\WINDOWS\system32\a.bat

You don't need to post the log.

Your log looks fine after this. You can tidy up a bit by removing the programs you used during the fix:

Smitfraudfix: Remove the Smitfraud.exe file + the SmitfraudFix folder, which should be on the desktop.

Combofix: type combofix /u (space between combofix and /u) in the Run box (Start button -> Run).

HJT: Uninstall from Add/Remove Programs. Remove the program file/folder from the desktop.

If you don't want to keep using SAS, uninstall it from Add/Remove Programs.

Surf safely.

Edited by norbat
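The reply above singles out C:\WINDOWS\system32\a.bat from the "Files Created" section of the log for removal via CFScript. The script below is an added example, not part of the thread and not code from ComboFix or any of the tools mentioned: it parses that section of the log and applies one triage heuristic, namely a script or executable sitting directly in C:\WINDOWS or C:\WINDOWS\system32 whose creation time equals its last-write time. That rule is an assumption of this example, not a ComboFix rule; the sample input is an excerpt of the log posted above.

```python
"""Triage the 'Files Created' section of a ComboFix log (added example).

Not part of the forum thread or of ComboFix.  Parses lines shaped like
    2008-02-02 00:53 . 2008-02-02 00:53        38 --a------ C:\\WINDOWS\\system32\\a.bat
and flags entries that look like dropped payloads rather than files a cleanup
tool unpacked.  The heuristic is an assumption of this example, not a ComboFix
rule: a script or executable sitting directly in C:\\WINDOWS or
C:\\WINDOWS\\system32 whose creation time equals its last-write time.  Files
unpacked from a tool archive keep the archive's older write time, so they
fall through.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One log line: created-time '.' modified-time size-or-<DIR> attribute-flags path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$"
)

# Extensions treated as code; chosen for this example (assumption).
SUSPICIOUS_EXT = {".exe", ".dll", ".bat", ".cmd", ".com", ".scr", ".sys", ".pif", ".vbs", ".js"}
# Directories where a freshly dropped script is worth a second look (lower-case).
SYSTEM_DIRS = ("c:\\windows", "c:\\windows\\system32")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for <DIR> entries
    attrs: str
    path: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a 'Files Created' line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
    return Entry(m["created"], m["modified"], size, m["attrs"], m["path"])


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def is_suspicious(e: Entry) -> bool:
    if e.size is None:
        return False
    parent, _, name = e.path.lower().rpartition("\\")
    ext = name[name.rfind("."):] if "." in name else ""
    return parent in SYSTEM_DIRS and ext in SUSPICIOUS_EXT and e.created == e.modified


def triage(text: str) -> List[str]:
    """Paths of entries the heuristic flags, in log order."""
    return [e.path for e in parse_log(text) if is_suspicious(e)]


# Excerpt copied from the log posted in this thread (real lines, not constructed).
SAMPLE_LOG = r"""
2008-02-02 13:56 . 2008-02-02 13:56 <DIR> d-------- C:\Programfiler\Trend Micro
2008-02-02 12:30 . 2008-02-02 12:30 3,810 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-02 11:45 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-02 11:07 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-02 11:07 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-02 01:43 . 2008-02-02 01:43 116 --a------ C:\WINDOWS\wininit.ini
2008-02-02 00:53 . 2008-02-02 00:53 38 --a------ C:\WINDOWS\system32\a.bat
2008-01-29 20:43 . 2008-01-29 20:43 10,345 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
"""

if __name__ == "__main__":
    for path in triage(SAMPLE_LOG):
        print("review:", path)
```

Run it over the whole "Files Created" block copied from a log; on the excerpt above only a.bat comes out, because the helper executables that arrived at 11:07 carry 2003 and 2007 write times and the driver files live in a subfolder. The rule is deliberately narrow: it ignores subfolders such as system32\drivers and non-code extensions, so a dropped driver or a .ini used as a loader config would need a separate check.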

Posted

Once again.

Thanks a lot :)
