k32a (Beginner)
12 January 2008 - 19:13 There are 12 comments

Help, I've got a virus!

Hi!

I've got a virus - I opened a file I thought was a program, and then the file disappeared. Since then my computer has been running very slowly and unstably and has been giving lots of errors.

I've read the guide here on the site, and I have 4 logs which I'm pasting below.

I hope you can help me!!!

SUPERAntiSpyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/12/2008 at 06:34 PM

Application Version : 3.7.1018

Core Rules Database Version : 3379
Trace Rules Database Version: 1373

Scan type      : Complete Scan
Total Scan Time : 00:51:17

Memory items scanned      : 90
Memory threats detected  : 1
Registry items scanned    : 6026
Registry threats detected : 61
File items scanned        : 30890
File threats detected    : 16

Adware.Vundo Variant/Resident
    C:\WINDOWS\SYSTEM32\FCYWW.DLL
    C:\WINDOWS\SYSTEM32\FCYWW.DLL

Trojan.Vundo/Variant-Installer
    [load] C:\WINDOWS\SYSTEM32\FCYWW.EXE
    C:\WINDOWS\SYSTEM32\FCYWW.EXE
    [load] C:\WINDOWS\SYSTEM32\FCYWW.EXE
    [load] C:\WINDOWS\SYSTEM32\FCYWW.EXE
    C:\WINDOWS\Prefetch\FCYWW.EXE-27DBEF75.pf

Adware.ClickSpring/Outer Info Network
    HKLM\Software\Classes\CLSID\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}
    HKCR\CLSID\{2E9D4C81-9F27-4C14-B804-7B0F6BC88A4F}
    HKCR\CLSID\{2E9D4C81-9F27-4C14-B804-7B0F6BC88A4F}\InprocServer32
    HKCR\CLSID\{2E9D4C81-9F27-4C14-B804-7B0F6BC88A4F}\InprocServer32#ThreadingModel
    HKCR\CLSID\{2E9D4C81-9F27-4C14-B804-7B0F6BC88A4F}\Programmable
    HKCR\CLSID\{2E9D4C81-9F27-4C14-B804-7B0F6BC88A4F}\TypeLib
    C:\PROGRAMMER\OUTERINFO\OUTERINFO.DLL

Adware.E404 Helper/Hij
    HKLM\Software\Classes\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}
    HKCR\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}
    HKCR\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}
    HKCR\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\InprocServer32
    HKCR\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\InprocServer32#ThreadingModel
    HKCR\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\ProgID
    HKCR\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\Programmable
    HKCR\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\TypeLib
    HKCR\CLSID\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}\VersionIndependentProgID
    C:\PROGRAMMER\HELPER\SUPERFINDERUSA.DLL
    HKCR\E404.e404mgr
    HKCR\E404.e404mgr\CLSID
    HKCR\E404.e404mgr\CurVer
    HKCR\E404.e404mgr.1
    HKCR\E404.e404mgr.1\CLSID
    HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}
    HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0
    HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0
    HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0\win32
    HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\FLAGS
    HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\HELPDIR
    HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}
    HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid
    HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid32
    HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib
    HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib#Version

Adware.Vundo-Variant
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3588AF53-39A2-4B75-BDEB-BA8557EB5828}
    HKCR\CLSID\{3588AF53-39A2-4B75-BDEB-BA8557EB5828}
    HKCR\CLSID\{3588AF53-39A2-4B75-BDEB-BA8557EB5828}\InprocServer32
    HKCR\CLSID\{3588AF53-39A2-4B75-BDEB-BA8557EB5828}\InprocServer32#ThreadingModel

Trojan.Unknown Origin
    HKLM\SOFTWARE\Microsoft\MSSMGR
    HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
    HKLM\SOFTWARE\Microsoft\MSSMGR#BPTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
    HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST

Trojan.Downloader-DRVSAM
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run#CTDrive [ rundll32.exe C:\WINDOWS\system32\drvcuz.dll,startup ]

Trojan.DNSChanger-Codec
    HKCR\CLSID\E404.e404mgr
    HKCR\CLSID\E404.e404mgr#UserId

Malware.MalwareCrush
    HKCR\CLSID\{E4D71E45-94E1-A19A-A939-B7D2A756F719}
    HKCR\CLSID\{E4D71E45-94E1-A19A-A939-B7D2A756F719}#AppID
    HKCR\CLSID\{E4D71E45-94E1-A19A-A939-B7D2A756F719}\agpfhind
    HKCR\CLSID\{E4D71E45-94E1-A19A-A939-B7D2A756F719}\aqrKtkmpa
    HKCR\CLSID\{E4D71E45-94E1-A19A-A939-B7D2A756F719}\bsShy
    HKCR\CLSID\{E4D71E45-94E1-A19A-A939-B7D2A756F719}\ekpSj
    HKCR\CLSID\{E4D71E45-94E1-A19A-A939-B7D2A756F719}\iBtmrduecoyf
    HKCR\CLSID\{E4D71E45-94E1-A19A-A939-B7D2A756F719}\InprocServer32
    HKCR\CLSID\{E4D71E45-94E1-A19A-A939-B7D2A756F719}\InprocServer32#ThreadingModel
    HKCR\CLSID\{E4D71E45-94E1-A19A-A939-B7D2A756F719}\jHseeigzbBmMd
    HKCR\CLSID\{E4D71E45-94E1-A19A-A939-B7D2A756F719}\Ocjxgiawl
    C:\Programmer\MalwareCrush\MalwareCrush .exe
    C:\Programmer\MalwareCrush

Trojan.Unclassified/Packed-Win
    C:\DOCUMENTS AND SETTINGS\-KRESTEN\LOKALE INDSTILLINGER\TEMP\GOS1C3.TMP
    C:\WINDOWS\TEMP\GOSE6.TMP

Trojan.Unclassified/DRV-Slice
    C:\WINDOWS\SYSTEM32\DRVCUZ.DLL

Trojan.Unclassifed/AffiliateBundle
    C:\WINDOWS\SYSTEM32\OPNLJKK.DLL

Adware.Tracking Cookie
    C:\WINDOWS\Temp\Cookies\-kresten@ad.outerinfoads[2].txt
    C:\WINDOWS\Temp\Cookies\-kresten@ad.yieldmanager[1].txt

Adware.OuterInfo-Installer
    C:\WINDOWS\TEMP\WINDE.EXE

Trace.Known Threat Sources
    C:\Documents and Settings\-Kresten\Lokale indstillinger\Temp\Temporary Internet Files\Content.IE5\S9QV4FCD\cmd[1].htm
    C:\Documents and Settings\-Kresten\Lokale indstillinger\Temp\Temporary Internet Files\Content.IE5\S9QV4FCD\text[1].dat


HijackThis

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:31:56, on 12-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\VIRUSfighter\Npm\bin\ELOGSVC.EXE
C:\VIRUSfighter\Npm\Bin\Zanda.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmer\SPAMfighter\sfus.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\VIRUSfighter\Npm\bin\NJEEVES.EXE
C:\VIRUSfighter\Nvc\BIN\NVCSCHED.EXE
C:\VIRUSfighter\Nvc\bin\nvcoas.exe
C:\WINDOWS\system32\rundll32.exe
C:\VIRUSfighter\Npm\bin\ZLH.EXE
C:\Programmer\Fælles filer\Nero\Lib\NMIndexStoreSvr  .exe
C:\VIRUSfighter\Npm\bin\ZLH .EXE
C:\WINDOWS\System32\alg.exe
C:\Programmer\Fælles filer\Nero\Lib\NMIndexStoreSvr  .exe
C:\VIRUSfighter\Nvc\BIN\NIP.EXE
C:\VIRUSfighter\Nvc\bin\cclaw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmer\Mozilla Firefox\firefox.exe
C:\Programmer\Fælles filer\Nero\Lib\NMIndexingService.exe
C:\Documents and Settings\-Kresten\Skrivebord\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.moensbank.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F3 - REG:win.ini: load=C:\WINDOWS\system32\fcyww.exe
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Programmer\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {EC0AB31E-7990-4634-AACB-A12C5DF324A4} - C:\WINDOWS\system32\fcyww.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Programmer\Helper\superfinderusa.dll
O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - C:\WINDOWS\system32\xxyyywx.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\QTTask  .exe" -atboottime
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcuz.dll,startup
O4 - HKLM\..\Run: [Norman ZANDA] C:\VIRUSfighter\Npm\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Nero\Lib\NMIndexStoreSvr  .exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187864327574
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187865314773
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/flashax.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\svch2t1.dll
O20 - Winlogon Notify: xxyyywx - C:\WINDOWS\SYSTEM32\xxyyywx.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\VIRUSfighter\Npm\bin\ELOGSVC.EXE
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmer\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmer\Fælles filer\Nero\Lib\NMIndexingService.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\VIRUSfighter\Npm\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Norman ASA - C:\VIRUSfighter\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\VIRUSfighter\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\VIRUSfighter\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Programmer\SPAMfighter\sfus.exe

--
End of file - 7259 bytes


Rootchk

********************************* ROOTCHK-(28-12-07)-LOG, by ejvindh
12-01-2008 18:45:41,75

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 18:45:44
Windows 5.1.2600 Service Pack 2
scanning hidden processes ...

scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Programmer\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000001
"ujdew"=hex:f0,61,7d,95,ce,1b,76,10,e6,1a,da,ec,23,3b,7a,34,5c,ed,0f,61,59,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Programmer\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:37,3d,c7,8b,e3,ee,c8,d4,65,61,7f,70,35,66,df,17,0c,e9,02,ee,3e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e6,84,9f,9f,6f,01,ad,c8,52,a9,ed,7b,76,26,ed,2f,88,..
"khjeh"=hex:e3,c8,46,11,9d,70,4a,ad,c8,b9,ee,29,7a,b1,c5,a3,f1,36,43,db,3d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:a9,ba,7d,2d,b9,3f,2d,15,14,4f,80,94,90,79,c8,a5,10,88,3d,a9,ee,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:d7,b7,2c,c3,8b,3f,33,47,c7,54,8f,22,f9,88,bd,69,55,2b,b4,95,34,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000df01f0078]
"001cd67e99ad"=hex:f8,22,4a,88,cc,7d,e6,74,07,37,a4,ca,b1,a3,a2,df
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:11,cd,e0,ff,21,71,d7,24,95,3d,19,31,c2,8a,59,4f,67,39,1e,6e,fa,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Programmer\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:37,3d,c7,8b,e3,ee,c8,d4,65,61,7f,70,35,66,df,17,0c,e9,02,ee,3e,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e6,84,9f,9f,6f,01,ad,c8,52,a9,ed,7b,76,26,ed,2f,88,..
"khjeh"=hex:e3,c8,46,11,9d,70,4a,ad,c8,b9,ee,29,7a,b1,c5,a3,f1,36,43,db,3d,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:7d,54,dc,8a,a7,32,28,d6,f8,61,cd,de,0d,50,2c,fe,e8,a2,e9,c4,ff,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:11,34,c0,a7,32,8b,73,bb,1b,bb,fb,50,c8,c8,8f,a3,80,61,8e,ad,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000df01f0078]
"001cd67e99ad"=hex:f8,22,4a,88,cc,7d,e6,74,07,37,a4,ca,b1,a3,a2,df
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:11,cd,e0,ff,21,71,d7,24,95,3d,19,31,c2,8a,59,4f,67,39,1e,6e,fa,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Programmer\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:37,3d,c7,8b,e3,ee,c8,d4,65,61,7f,70,35,66,df,17,0c,e9,02,ee,3e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e6,84,9f,9f,6f,01,ad,c8,52,a9,ed,7b,76,26,ed,2f,88,..
"khjeh"=hex:e3,c8,46,11,9d,70,4a,ad,c8,b9,ee,29,7a,b1,c5,a3,f1,36,43,db,3d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:7d,54,dc,8a,a7,32,28,d6,f8,61,cd,de,0d,50,2c,fe,e8,a2,e9,c4,ff,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:11,34,c0,a7,32,8b,73,bb,1b,bb,fb,50,c8,c8,8f,a3,80,61,8e,ad,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\000df01f0078]
"001cd67e99ad"=hex:f8,22,4a,88,cc,7d,e6,74,07,37,a4,ca,b1,a3,a2,df
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000001
"ujdew"=hex:11,cd,e0,ff,21,71,d7,24,95,3d,19,31,c2,8a,59,4f,67,39,1e,6e,fa,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Programmer\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:37,3d,c7,8b,e3,ee,c8,d4,65,61,7f,70,35,66,df,17,0c,e9,02,ee,3e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e6,84,9f,9f,6f,01,ad,c8,52,a9,ed,7b,76,26,ed,2f,88,..
"khjeh"=hex:e3,c8,46,11,9d,70,4a,ad,c8,b9,ee,29,7a,b1,c5,a3,f1,36,43,db,3d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:7d,54,dc,8a,a7,32,28,d6,f8,61,cd,de,0d,50,2c,fe,e8,a2,e9,c4,ff,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:11,34,c0,a7,32,8b,73,bb,1b,bb,fb,50,c8,c8,8f,a3,80,61,8e,ad,f2,..

scanning hidden registry entries ...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BB77386C-0FB6-6D41-FA82-0FAEB419E22B}]
"iakjegnldknedmpldf"=hex:6b,61,6f,6d,6b,68,61,67,66,6c,64,6e,64,6a,6d,6c,6d,68,6f,62,6a,..
"haijmaeembcfagmk"=hex:6b,61,6f,6d,6b,68,61,67,66,6c,64,6e,64,6a,6d,6c,6d,68,6f,62,6a,..

scanning hidden files ...

hidden processes: 0
hidden services: 0
hidden files: 0


Combofix

ComboFix 08-01-11.3 - -Kresten 2008-01-12 18:50:21.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1030.18.631 [GMT 1:00]
Running from: C:\Documents and Settings\-Kresten\Skrivebord\ComboFix.exe
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Programmer\Helper
C:\Programmer\Internet Explorer\setupapi.dll
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\wwycf.ini
C:\WINDOWS\system32\wwycf.ini2
C:\WINDOWS\system32\xxyyywx.dll
C:\WINDOWS\system32\yayyvsq.dll

.
(((((((((((((((((((((((((  Files Created from 2007-12-12 to 2008-01-12  )))))))))))))))))))))))))))))))
.

2008-01-12 18:48 . 2000-08-31 08:00    51,200    --a------    C:\WINDOWS\NirCmd.exe
2008-01-12 17:35 . 2008-01-12 17:35    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-12 17:34 . 2008-01-12 18:50    <DIR>    d--------    C:\Programmer\SUPERAntiSpyware
2008-01-12 17:34 . 2008-01-12 17:34    <DIR>    d--------    C:\Documents and Settings\-Kresten\Application Data\SUPERAntiSpyware.com
2008-01-12 17:30 . 2008-01-12 17:30    <DIR>    d-a------    C:\WINDOWS\zts2.exe
2008-01-12 17:30 . 2008-01-12 17:30    <DIR>    d-a------    C:\WINDOWS\system32\vcmgcd32.dll
2008-01-12 17:30 . 2008-01-12 17:30    <DIR>    d-a------    C:\WINDOWS\system32\iifgfgf.dll
2008-01-12 17:30 . 2008-01-12 17:30    <DIR>    d-a------    C:\WINDOWS\rundll16.exe
2008-01-12 17:30 . 2008-01-12 17:30    <DIR>    d-a------    C:\WINDOWS\rundl132.dll
2008-01-12 17:30 . 2008-01-12 17:30    <DIR>    d-a------    C:\WINDOWS\logo1_.exe
2008-01-12 17:26 . 2004-08-27 01:53    150,528    --a------    C:\WINDOWS\R.COM
2008-01-12 17:26 . 2004-08-27 01:53    137,216    --a------    C:\WINDOWS\system32\T.COM
2008-01-12 17:26 . 2008-01-12 17:28    50    --a------    C:\WINDOWS\Lic.xxx
2008-01-12 17:16 . 2008-01-12 17:16    <DIR>    dr-h-----    C:\Documents and Settings\-Kresten\Recent
2008-01-12 15:56 . 2007-07-09 10:50    19,000    --a------    C:\WINDOWS\system32\drivers\nvcw32mf.sys
2008-01-12 15:53 . 2008-01-12 18:56    <DIR>    d--------    C:\VIRUSfighter
2008-01-12 15:02 . 2008-01-12 15:52    <DIR>    d--------    C:\Documents and Settings\-Kresten\.housecall6.6
2008-01-12 14:59 . 2008-01-12 16:00    12,288    --a------    C:\WINDOWS\system32\wupeng .exe
2008-01-12 14:59 . 2008-01-12 14:59    93    --a------    C:\WINDOWS\wininit.ini
2008-01-12 13:23 . 2008-01-12 13:23    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-12 13:22 . 2008-01-12 13:22    54,764    --a------    C:\WINDOWS\system32\dxdss.sys
2008-01-12 13:22 . 2008-01-12 13:22    8    --a------    C:\WINDOWS\system32\1409560896
2008-01-12 13:22 . 2008-01-12 13:22    2    --a------    C:\1409560896
2008-01-12 13:20 .     <DIR>        C:\Programmer\Fælles filer\Adobe Systems Shared
2008-01-12 13:19 .     <DIR>        C:\Programmer\Fælles filer\Adobe
2008-01-11 12:20 . 2008-01-12 18:57    <DIR>    d--------    C:\Programmer\SPAMfighter
2008-01-11 12:20 .     <DIR>        C:\Programmer\Fælles filer\Application
2008-01-11 12:20 .     <DIR>        C:\Programmer\Fælles filer\Ankiro
2008-01-10 12:09 . 2002-12-31 13:00    17,920    --a------    C:\WINDOWS\system32\mdimon.dll
2008-01-10 12:09 . 2008-01-10 12:09    376    --a------    C:\WINDOWS\ODBC.INI
2008-01-10 12:05 . 2008-01-10 12:07    <DIR>    d--------    C:\WINDOWS\SHELLNEW
2008-01-02 13:20 . 2001-08-17 21:56    7,552    --a------    C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-01-02 13:20 . 2001-08-17 21:56    7,552    --a--c---    C:\WINDOWS\system32\dllcache\sonypvu1.sys
2007-12-30 12:28 . 2007-12-30 12:28    <DIR>    d--------    C:\Documents and Settings\-Kresten\Application Data\Nero
2007-12-30 12:24 . 2007-12-30 12:24    <DIR>    d--------    C:\Programmer\Nero
2007-12-30 12:24 .     <DIR>        C:\Programmer\Fælles filer\Nero
2007-12-30 12:24 . 2007-12-30 12:24    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Nero
2007-12-28 19:17 . 2007-12-28 19:17    7,680    --ahs----    C:\WINDOWS\Thumbs.db
2007-12-22 12:02 . 2007-12-22 12:02    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\OrbNetworks
2007-12-14 22:55 . 2004-05-14 16:53    462,848    --a------    C:\WINDOWS\system32\ltkrn13n.dll
2007-12-14 22:55 . 2004-05-14 16:53    450,560    --a------    C:\WINDOWS\system32\ltimg13n.dll
2007-12-14 22:55 . 2004-05-14 16:53    401,408    --a------    C:\WINDOWS\system32\lfcmp13n.dll
2007-12-14 22:55 . 2004-05-14 16:53    299,008    --a------    C:\WINDOWS\system32\ltdis13n.dll
2007-12-14 22:55 . 2004-01-12 02:09    206,336    --a------    C:\WINDOWS\system32\ltefx13n.dll
2007-12-14 22:55 . 2004-05-14 16:53    163,840    --a------    C:\WINDOWS\system32\ltfil13n.dll
2007-12-14 22:55 . 2003-11-04 15:10    69,632    --a------    C:\WINDOWS\system32\lfgif13n.dll
2007-12-14 22:55 . 2004-05-14 16:53    57,344    --a------    C:\WINDOWS\system32\lfbmp13n.dll
2007-12-13 19:09 . 2007-12-13 19:09    972,072    --a------    C:\WINDOWS\UNNeroMediaHome.exe

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 17:55    3,407,872    ---ha-w    C:\Documents and Settings\-Kresten\NTUSER.DAT
2008-01-12 17:42    ---------    d-----w    C:\Programmer\QuickTime
2008-01-12 16:34    ---------    d-----w    C:\Programmer\Fælles filer\Wise Installation Wizard
2008-01-12 16:34    ---------    d-----w    C:\Documents and Settings\-Kresten\Application Data\SUPERAntiSpyware.com
2008-01-12 16:22    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-12 14:59    ---------    d-----w    C:\Programmer\Quick Launch Button
2008-01-12 14:59    ---------    d-----w    C:\Programmer\MSN Messenger
2008-01-12 14:59    ---------    d-----w    C:\Programmer\iTunes
2008-01-12 14:53    ---------    d--h--w    C:\Programmer\InstallShield Installation Information
2008-01-12 11:31    ---------    d-----w    C:\Documents and Settings\-Kresten\Application Data\gtk-2.0
2008-01-10 11:12    ---------    d-s---w    C:\Documents and Settings\-Kresten\Application Data\Microsoft
2008-01-10 10:57    ---------    d-----w    C:\Documents and Settings\-Kresten\Application Data\uTorrent
2008-01-02 17:48    ---------    d-----w    C:\Documents and Settings\-Kresten\Application Data\temp
2007-12-30 11:28    ---------    d-----w    C:\Documents and Settings\-Kresten\Application Data\Nero
2007-12-22 11:03    ---------    d-----w    C:\Programmer\Winamp
2007-12-11 14:35    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\PC Suite
2007-12-11 14:35    ---------    d-----w    C:\Documents and Settings\-Kresten\Application Data\PC Suite
2007-12-11 14:35    ---------    d-----w    C:\Documents and Settings\-Kresten\Application Data\Nokia
2007-12-11 14:07    ---------    d-----w    C:\Programmer\PC Connectivity Solution
2007-12-11 14:07    ---------    d-----w    C:\Programmer\Nokia
2007-12-11 14:07    ---------    d-----w    C:\Programmer\Fælles filer\PCSuite
2007-12-11 14:07    ---------    d-----w    C:\Programmer\Fælles filer\Nokia
2007-12-11 14:07    ---------    d-----w    C:\Programmer\DIFX
2007-12-11 14:06    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Installations
2007-12-04 08:59    972,072    ----a-w    C:\WINDOWS\UNRecode.exe
2007-12-01 17:16    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\MGS
2007-12-01 17:00    ---------    d-----w    C:\Programmer\ScandicBookmakers.com
2007-12-01 08:56    ---------    d-----w    C:\Programmer\PokerChamps
2007-11-30 19:29    ---------    d-----w    C:\Programmer\Hattrick Manager
2007-11-23 13:56    ---------    d-----w    C:\Programmer\Java
2007-11-21 16:31    132,904    ----a-w    C:\WINDOWS\system32\drivers\imagesrv.sys
2007-11-21 16:31    11,304    ----a-w    C:\WINDOWS\system32\drivers\imagedrv.sys
2007-11-13 19:07    22,328    ----a-w    C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-13 10:25    20,480    ----a-w    C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 09:03    22,328    ----a-w    C:\Documents and Settings\-Kresten\Application Data\PnkBstrK.sys
2007-10-27 13:00    569,344    ----a-w    C:\WINDOWS\uninstal.exe
.
[code]<pre>
----a-w          153,136 2008-01-12 15:00:08  C:\Programmer\Fælles filer\Nero\Lib\NeroCheck .exe
----a-w        1,688,872 2008-01-12 17:40:53  C:\Programmer\Fælles filer\Nero\Lib\NMIndexStoreSvr    .exe
----a-w        2,029,056 2008-01-12 16:41:55  C:\Programmer\Fælles filer\Nero\Lib\NMIndexStoreSvr  .exe
----a-w          267,064 2008-01-12 15:00:06  C:\Programmer\iTunes\iTunesHelper .exe
----a-w          132,496 2008-01-12 14:59:58  C:\Programmer\Java\jre1.6.0_03\bin\jusched .exe
----a-w        5,674,352 2008-01-12 15:00:46  C:\Programmer\MSN Messenger\MsnMsgr .Exe
----a-w        2,213,160 2008-01-12 15:00:16  C:\Programmer\Nero\Nero8\Nero BackItUp\NBKeyScan .exe
----a-w          688,128 2008-01-12 15:00:24  C:\Programmer\Nokia\Nokia PC Suite 6\PCSuite .exe
----a-w          106,496 2008-01-12 14:59:52  C:\Programmer\Quick Launch Button\QLButton .exe
----a-w          652,800 2008-01-12 16:41:58  C:\Programmer\QuickTime\QTTask  .exe
----a-w          652,800 2008-01-12 16:13:58  C:\Programmer\QuickTime\QTTask  .exe
----a-w          308,880 2008-01-12 15:00:15  C:\Programmer\SPAMfighter\SFAgent .exe
----a-w        1,318,128 2008-01-12 17:40:55  C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w          692,316 2008-01-12 15:00:01  C:\Programmer\Synaptics\SynTP\SynTPEnh .exe
----a-w          102,492 2008-01-12 14:59:58  C:\Programmer\Synaptics\SynTP\SynTPLpr .exe
----a-w          183,352 2008-01-12 16:14:38  C:\VIRUSfighter\npm\bin\ZLH .EXE
----a-w            12,288 2008-01-12 15:00:16  C:\WINDOWS\system32\wupeng .exe
</pre>[/code]


(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F08869B-B1D6-4463-8450-5A1372279BA8}]
            C:\WINDOWS\system32\fcyww.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programmer\Fælles filer\Nero\Lib\NMIndexStoreSvr    .exe" [ ]
"SUPERAntiSpyware"="C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-27 01:53 110592 C:\WINDOWS\system32\bthprops.cpl]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-06-09 15:33 6803456]
"nwiz"="nwiz.exe" [2005-06-09 15:33 1519616 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Programmer\QuickTime\QTTask    .exe" [ ]
"Norman ZANDA"="C:\VIRUSfighter\Npm\bin\ZLH.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-27 01:53 15360]
"Nokia.PCSync"="C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programmer\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\svch2t1.dll

R2 Ndiskio;Ndiskio;C:\VIRUSfighter\Nse\bin\NDISKIO.SYS [2007-01-02 10:55]
R2 SPAMfighter Update Service;SPAMfighter Update Service;C:\Programmer\SPAMfighter\sfus.exe [2008-01-02 17:03]
R3 NvcMFlt;NvcMFlt;C:\WINDOWS\system32\DRIVERS\nvcw32mf.sys [2007-07-09 10:50]
R3 nvcoas;Norman Virus Control on-access component;C:\VIRUSfighter\Nvc\bin\nvcoas.exe [2007-07-12 11:38]
R3 NVCScheduler;Norman Virus Control Scheduler;C:\VIRUSfighter\Nvc\BIN\NVCSCHED.EXE [2007-05-23 13:23]
S3 nvcfsr;nvcfsr;C:\VIRUSfighter\Nvc\bin\nvcfsr.sys [2007-01-09 15:25]
S3 nvcoafl51;nvcoafl51;C:\VIRUSfighter\Nvc\bin\nvcoafl51.sys [2007-01-09 15:25]
S3 nvcoaft51;nvcoaft51;C:\VIRUSfighter\Nvc\bin\nvcoaft51.sys [2007-01-09 15:25]
S3 nvcoarc51;nvcoarc51;C:\VIRUSfighter\Nvc\bin\nvcoarc51.sys [2007-01-09 15:25]
S3 RivaTunerEx;RivaTunerEx;C:\Programmer\RivaTuner v2.0 RC 15.5\RivaTunerEx.sys [2005-05-06 21:15]

.
Contents of the 'Scheduled Tasks' folder
"2007-11-20 10:43:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmer\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 18:58:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-12 19:00:06 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-12 17:59:45
.
2008-01-12 10:44:11    --- E O F --- 



Thanks in advance.
levich (Beginner)
12 January 2008 - 23:07 #1
I'm looking at it, just a moment.
levich (Beginner)
12 January 2008 - 23:13 #2
Read all the steps before you do anything.

(1)
Download AVG Anti-Spyware here: http://www.grisoft.com/doc/downloads-products/us/crp/0?prd=triasw
Install the program and update it, but hold off on scanning.

(2)
Download ATF-Cleaner here: http://www.geekstogo.com/forum/index.php?autocom=downloads&showfile=21
Start the program, choose "select all" and then "empty all".
If you have Firefox, first select it in the menu and then "select all" and "empty all".

(3)
Restart the computer in Safe Mode (press F8 as Windows starts up) and fix the following lines with HijackThis:
F3 - REG:win.ini: load=C:\WINDOWS\system32\fcyww.exe
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Programmer\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: (no name) - {EC0AB31E-7990-4634-AACB-A12C5DF324A4} - C:\WINDOWS\system32\fcyww.dll
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - C:\Programmer\Helper\superfinderusa.dll
O2 - BHO: (no name) - {FC1B64D9-3499-4791-82D5-AABAC3FAEA45} - C:\WINDOWS\system32\xxyyywx.dll
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcuz.dll,startup
O20 - AppInit_DLLs: C:\WINDOWS\system32\svch2t1.dll
O20 - Winlogon Notify: xxyyywx - C:\WINDOWS\SYSTEM32\xxyyywx.dll

(4)
Start AVG Anti-Spyware, choose the "scanner" tab and click "complete system scan".
Afterwards click "apply all actions", "save report", "save report as" and save the log file, e.g. on the desktop.

(5)
Open "My Computer"; in the menu click Tools -> Folder Options -> View.
Untick "Hide protected operating system files" and "Hide extensions for known file types", and select "Show hidden files and folders". Remember to press the "Apply to All Folders" button instead of "OK".

Search for and delete the following file(s):
C:\WINDOWS\system32\fcyww.exe
C:\WINDOWS\system32\xxyyywx.dll
C:\WINDOWS\system32\drvcuz.dll
C:\WINDOWS\system32\svch2t1.dll
... and the following folder(s):
C:\Programmer\Outerinfo\
C:\Programmer\Helper\

(6)
Restart the computer normally. Make a new log with HijackThis and post it here together with the log from AVG Anti-Spyware.
k32a (Beginner)
13 January 2008 - 03:29 #3
I did exactly what it said in the guide...
fromsej (Intern)
13 January 2008 - 09:46 #4
Congratulations, you have been hit by a new variant.

Download and double-click this file:
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe

The program produces a small log, which you should paste here without changing anything. The log will be shown as a "quote", but that is how it is supposed to look.

Levich>> Look in the ComboFix log at the block that starts with [code]<pre>; can you see that something is wrong with the exe files?
levich (Beginner)
13 January 2008 - 11:09 #5
k32a -> Also remember to paste a fresh HijackThis log here together with the log from the RenV.exe program.

fromsej -> yes, and a file with a changed file name also shows up in the HijackThis log, but as (almost) always I run the standard procedure first.
fromsej (Intern)
13 January 2008 - 11:34 #6
You/we/someone have to kill that infection first, which is what RenV is needed for; after that the cleanup is done with HJT and Combo.
Unfortunately there is no single standard guide for all of it today.
The damn scumbags keep getting better and better.
levich (Beginner)
13 January 2008 - 12:05 #7
ok
k32a (Beginner)
13 January 2008 - 12:50 #8
RenV -

[code]
Ran on 13-01-2008 - 12:48:58,90

----a-w          153,136 2008-01-12 15:00:08  C:\Programmer\Fælles filer\Nero\Lib\NeroCheck .exe
----a-w        1,688,872 2008-01-12 17:40:53  C:\Programmer\Fælles filer\Nero\Lib\NMIndexStoreSvr    .exe
----a-w        2,029,056 2008-01-12 16:41:55  C:\Programmer\Fælles filer\Nero\Lib\NMIndexStoreSvr  .exe
----a-w          267,064 2008-01-12 15:00:06  C:\Programmer\iTunes\iTunesHelper .exe
----a-w          132,496 2008-01-12 14:59:58  C:\Programmer\Java\jre1.6.0_03\bin\jusched .exe
----a-w        5,674,352 2008-01-12 15:00:46  C:\Programmer\MSN Messenger\MsnMsgr .Exe
----a-w        2,213,160 2008-01-12 15:00:16  C:\Programmer\Nero\Nero8\Nero BackItUp\NBKeyScan .exe
----a-w          688,128 2008-01-12 15:00:24  C:\Programmer\Nokia\Nokia PC Suite 6\PCSuite .exe
----a-w          106,496 2008-01-12 14:59:52  C:\Programmer\Quick Launch Button\QLButton .exe
----a-w          652,800 2008-01-12 16:41:58  C:\Programmer\QuickTime\QTTask  .exe
----a-w          652,800 2008-01-12 16:13:58  C:\Programmer\QuickTime\QTTask  .exe
----a-w          308,880 2008-01-12 15:00:15  C:\Programmer\SPAMfighter\SFAgent .exe
----a-w        1,318,128 2008-01-12 17:40:55  C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w          692,316 2008-01-12 15:00:01  C:\Programmer\Synaptics\SynTP\SynTPEnh .exe
----a-w          102,492 2008-01-12 14:59:58  C:\Programmer\Synaptics\SynTP\SynTPLpr .exe
----a-w          183,352 2008-01-12 16:14:38  C:\VIRUSfighter\npm\bin\ZLH .EXE
----a-w            12,288 2008-01-12 15:00:16  C:\WINDOWS\system32\wupeng .exe

Entries:              17  (17)
Directories:            0  Files:            17
Bytes:        16,875,816  Blocks:      32,967
[/code]




Hijackthis -

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:50:26, on 13-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Fælles filer\Nero\Lib\NMIndexStoreSvr    .exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmer\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmer\SPAMfighter\sfus.exe
C:\Programmer\Fælles filer\Nero\Lib\NMIndexingService.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\Programmer\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Mozilla Firefox\firefox.exe
C:\Documents and Settings\-Kresten\Skrivebord\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.moensbank.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8F08869B-B1D6-4463-8450-5A1372279BA8} - C:\WINDOWS\system32\fcyww.dll (file missing)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\QTTask    .exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Nero\Lib\NMIndexStoreSvr    .exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187864327574
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187865314773
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/flashax.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\svch2t1.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmer\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmer\Fælles filer\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Programmer\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SPAMfighter Update Service - SPAMfighter ApS - C:\Programmer\SPAMfighter\sfus.exe

--
End of file - 6487 bytes
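Added example for this thread (not code from RenV, ComboFix, HijackThis or anyone posting here): a parser for the RenV log format shown in #8 that flags file names with whitespace padded in before the extension, groups the entries that collapse to the same name in one directory, and applies the same check to a HijackThis O4 autostart entry. The sample log is constructed to mirror the page's format, with one ordinary file added as a control.

```python
"""Flag executables whose file name has whitespace padded in before the
extension, the pattern RenV reports in the thread above ("QTTask    .exe").

Added example for this thread; it is not part of RenV, ComboFix or
HijackThis. SAMPLE_RENV is constructed to mirror the RenV format shown on
the page, with one ordinary file (aswBoot.exe) added as a control.
"""
import re
from collections import defaultdict

# One RenV file line: attribute flags, size with thousands separators,
# timestamp, then the path (which may itself contain spaces).
RENV_LINE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+)$"
)

# A file name with spaces or tabs wedged between base name and extension.
PADDED_NAME = re.compile(r"^(?P<base>.*\S)[ \t]+\.(?P<ext>[A-Za-z0-9]+)$")

# Constructed sample in RenV's layout (not the thread's actual log).
SAMPLE_RENV = r"""Ran on 13-01-2008 - 12:48:58,90

----a-w          153,136 2008-01-12 15:00:08  C:\Programmer\Fælles filer\Nero\Lib\NeroCheck .exe
----a-w        1,688,872 2008-01-12 17:40:53  C:\Programmer\Fælles filer\Nero\Lib\NMIndexStoreSvr    .exe
----a-w        2,029,056 2008-01-12 16:41:55  C:\Programmer\Fælles filer\Nero\Lib\NMIndexStoreSvr  .exe
----a-w          652,800 2008-01-12 16:41:58  C:\Programmer\QuickTime\QTTask  .exe
----a-w          837,496 2007-12-04 14:04:00  C:\WINDOWS\system32\aswBoot.exe

Entries:                5  (5)
Directories:            0  Files:            5
"""


def parse_renv(text):
    """Return the file entries of a RenV log as dicts; the 'Ran on' header
    and the 'Entries/Directories/Bytes' summary lines do not match and
    are skipped."""
    entries = []
    for line in text.splitlines():
        m = RENV_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"].replace(",", ""))
            entry["path"] = entry["path"].rstrip()
            entries.append(entry)
    return entries


def file_name(path):
    """Last component of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def padded_name(path):
    """(base, ext) if the file name has whitespace before its extension,
    otherwise None."""
    m = PADDED_NAME.match(file_name(path))
    return (m.group("base"), m.group("ext")) if m else None


def canonical_name(path):
    """File name with the padding removed and lower-cased, so that
    'NMIndexStoreSvr    .exe' compares equal to 'NMIndexStoreSvr.exe'."""
    name = file_name(path)
    m = PADDED_NAME.match(name)
    if m:
        name = m.group("base") + "." + m.group("ext")
    return name.lower()


def report(entries):
    """Return (padded, lookalikes): every path with a padded name, and the
    groups of entries in one directory that collapse to the same canonical
    name, i.e. a padded copy sitting next to another file of that name."""
    padded = [e["path"] for e in entries if padded_name(e["path"])]
    groups = defaultdict(list)
    for e in entries:
        directory = e["path"].rsplit("\\", 1)[0].lower()
        groups[(directory, canonical_name(e["path"]))].append(e["path"])
    lookalikes = [paths for paths in groups.values() if len(paths) > 1]
    return padded, lookalikes


def run_entry_path(o4_line):
    """Pull the command path out of a HijackThis O4 line, quoted or bare,
    so the same padding check can be applied to autostart entries."""
    _, _, cmd = o4_line.partition("] ")
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


if __name__ == "__main__":
    found, twins = report(parse_renv(SAMPLE_RENV))
    for path in found:
        print("padded name:", path)
    for group in twins:
        print("same name after un-padding:", group)
```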
fromsej (Intern)
13 January 2008 - 14:19 #9
1. Find the log again - in the same folder where RenV.exe is (if you downloaded RenV to the Desktop, the log is there too).

2. Drag the log's icon onto the RenV.exe icon. The program runs and produces a small log again, which you should paste into your next post.

See here for a picture: http://www.ctrlaltdel.dk/forum/uploads/FBJSWF/2007-12-29_095939_RenV.gif

3. Immediately after completing the above, run ComboFix again and post the fresh ComboFix log here (together with the other log you just made). But first download a new version here:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

4. Finish with a scan from here:

http://www.kaspersky.com/virusscanner

...in case we haven't caught everything.
k32a (Beginner)
13 January 2008 - 20:40 #10
Renv

[code]
Ran on 13-01-2008 - 20:36:00,69

----a-w          153,136 2008-01-12 15:00:08  C:\Programmer\Fælles filer\Nero\Lib\NeroCheck .exe
----a-w        1,688,872 2008-01-12 17:40:53  C:\Programmer\Fælles filer\Nero\Lib\NMIndexStoreSvr    .exe
----a-w        2,029,056 2008-01-12 16:41:55  C:\Programmer\Fælles filer\Nero\Lib\NMIndexStoreSvr  .exe
------w        5,674,352 2008-01-12 15:00:46  C:\Programmer\MSN Messenger\MsnMsgr .Exe

Entries:                4  (4)
Directories:            0  Files:            4
Bytes:          9,545,416  Blocks:      18,645
[/code]


Combofix

ComboFix 08-01-13.1 - -Kresten 2008-01-13 20:37:54.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1030.18.629 [GMT 1:00]
Running from: C:\Documents and Settings\-Kresten\Skrivebord\ComboFix(2).exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((  Files Created from 2007-12-13 to 2008-01-13  )))))))))))))))))))))))))))))))
.

2008-01-13 20:36 . 2008-01-12 16:00    12,288    --a------    C:\WINDOWS\system32\wupeng.exe
2008-01-12 20:29 . 2008-01-12 20:29    <DIR>    d--------    C:\Programmer\Fælles filer\Adobe Systems Shared
2008-01-12 20:28 . 2008-01-12 20:30    <DIR>    d--------    C:\Programmer\Fælles filer\Adobe
2008-01-12 20:11 . 2008-01-12 20:55    <DIR>    d--------    C:\Documents and Settings\-Kresten\Application Data\Adobe
2008-01-12 19:34 . 2008-01-12 19:34    <DIR>    d--------    C:\Programmer\Alwil Software
2008-01-12 19:34 . 2007-12-04 14:04    837,496    --a------    C:\WINDOWS\system32\aswBoot.exe
2008-01-12 19:34 . 2004-01-09 10:13    380,928    --a------    C:\WINDOWS\system32\actskin4.ocx
2008-01-12 19:34 . 2007-12-04 13:54    95,608    --a------    C:\WINDOWS\system32\AvastSS.scr
2008-01-12 19:34 . 2007-12-04 15:55    94,544    --a------    C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-12 19:34 . 2007-12-04 15:56    93,264    --a------    C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-12 19:34 . 2007-12-04 15:51    42,912    --a------    C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-12 19:34 . 2007-12-04 15:49    26,624    --a------    C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-12 19:34 . 2007-12-04 15:53    23,152    --a------    C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-12 19:18 . 2003-05-22 16:31    55,808    --a------    C:\WINDOWS\system32\lfpsd13n.dll
2008-01-12 18:48 . 2000-08-31 08:00    51,200    --a------    C:\WINDOWS\NirCmd.exe
2008-01-12 17:35 . 2008-01-12 17:35    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-12 17:34 . 2008-01-13 20:36    <DIR>    d--------    C:\Programmer\SUPERAntiSpyware
2008-01-12 17:34 . 2008-01-12 17:34    <DIR>    d--------    C:\Documents and Settings\-Kresten\Application Data\SUPERAntiSpyware.com
2008-01-12 17:30 . 2008-01-12 17:30    <DIR>    d-a------    C:\WINDOWS\zts2.exe
2008-01-12 17:30 . 2008-01-12 17:30    <DIR>    d-a------    C:\WINDOWS\system32\vcmgcd32.dll
2008-01-12 17:30 . 2008-01-12 17:30    <DIR>    d-a------    C:\WINDOWS\system32\iifgfgf.dll
2008-01-12 17:30 . 2008-01-12 17:30    <DIR>    d-a------    C:\WINDOWS\rundll16.exe
2008-01-12 17:30 . 2008-01-12 17:30    <DIR>    d-a------    C:\WINDOWS\rundl132.dll
2008-01-12 17:30 . 2008-01-12 17:30    <DIR>    d-a------    C:\WINDOWS\logo1_.exe
2008-01-12 17:26 . 2004-08-27 01:53    150,528    --a------    C:\WINDOWS\R.COM
2008-01-12 17:26 . 2004-08-27 01:53    137,216    --a------    C:\WINDOWS\system32\T.COM
2008-01-12 17:26 . 2008-01-12 17:28    50    --a------    C:\WINDOWS\Lic.xxx
2008-01-12 17:16 . 2008-01-13 19:13    <DIR>    dr-h-----    C:\Documents and Settings\-Kresten\Recent
2008-01-12 15:53 . 2008-01-12 19:15    <DIR>    d--------    C:\VIRUSfighter
2008-01-12 15:02 . 2008-01-12 15:52    <DIR>    d--------    C:\Documents and Settings\-Kresten\.housecall6.6
2008-01-12 14:59 . 2008-01-12 14:59    93    --a------    C:\WINDOWS\wininit.ini
2008-01-12 13:23 . 2008-01-12 13:23    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-01-12 13:22 . 2008-01-12 13:22    54,764    --a------    C:\WINDOWS\system32\dxdss.sys
2008-01-12 13:22 . 2008-01-12 13:22    8    --a------    C:\WINDOWS\system32\1409560896
2008-01-12 13:22 . 2008-01-12 13:22    2    --a------    C:\1409560896
2008-01-11 12:20 . 2008-01-13 20:36    <DIR>    d--------    C:\Programmer\SPAMfighter
2008-01-11 12:20 . 2008-01-11 12:20    <DIR>    d--------    C:\Programmer\Fælles filer\Application
2008-01-11 12:20 . 2008-01-11 12:20    <DIR>    d--------    C:\Programmer\Fælles filer\Ankiro
2008-01-10 12:09 . 2002-12-31 13:00    17,920    --a------    C:\WINDOWS\system32\mdimon.dll
2008-01-10 12:09 . 2008-01-10 12:09    376    --a------    C:\WINDOWS\ODBC.INI
2008-01-10 12:05 . 2008-01-10 12:07    <DIR>    d--------    C:\WINDOWS\SHELLNEW
2008-01-02 13:20 . 2001-08-17 21:56    7,552    --a------    C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-01-02 13:20 . 2001-08-17 21:56    7,552    --a--c---    C:\WINDOWS\system32\dllcache\sonypvu1.sys
2007-12-30 12:28 . 2007-12-30 12:28    <DIR>    d--------    C:\Documents and Settings\-Kresten\Application Data\Nero
2007-12-30 12:24 . 2007-12-30 12:24    <DIR>    d--------    C:\Programmer\Nero
2007-12-30 12:24 . 2007-12-30 12:27    <DIR>    d--------    C:\Programmer\Fælles filer\Nero
2007-12-30 12:24 . 2007-12-30 12:24    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Nero
2007-12-28 19:17 . 2007-12-28 19:17    7,680    --ahs----    C:\WINDOWS\Thumbs.db
2007-12-22 12:02 . 2007-12-22 12:02    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\OrbNetworks
2007-12-14 22:55 . 2004-05-14 16:53    462,848    --a------    C:\WINDOWS\system32\ltkrn13n.dll
2007-12-14 22:55 . 2004-05-14 16:53    450,560    --a------    C:\WINDOWS\system32\ltimg13n.dll
2007-12-14 22:55 . 2004-05-14 16:53    401,408    --a------    C:\WINDOWS\system32\lfcmp13n.dll
2007-12-14 22:55 . 2004-05-14 16:53    299,008    --a------    C:\WINDOWS\system32\ltdis13n.dll
2007-12-14 22:55 . 2004-01-12 02:09    206,336    --a------    C:\WINDOWS\system32\ltefx13n.dll
2007-12-14 22:55 . 2004-05-14 16:53    163,840    --a------    C:\WINDOWS\system32\ltfil13n.dll
2007-12-14 22:55 . 2003-11-04 15:10    69,632    --a------    C:\WINDOWS\system32\lfgif13n.dll
2007-12-14 22:55 . 2004-05-14 16:53    57,344    --a------    C:\WINDOWS\system32\lfbmp13n.dll
2007-12-13 19:09 . 2007-12-13 19:09    972,072    --a------    C:\WINDOWS\UNNeroMediaHome.exe

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 19:35    ---------    d-----w    C:\Programmer\QuickTime
2008-01-13 19:35    ---------    d-----w    C:\Programmer\Quick Launch Button
2008-01-13 19:35    ---------    d-----w    C:\Programmer\iTunes
2008-01-13 19:29    ---------    d-----w    C:\Programmer\GIMP-2.0
2008-01-13 16:46    ---------    d-----w    C:\Programmer\DivX
2008-01-13 11:52    3,407,872    ---ha-w    C:\Documents and Settings\-Kresten\NTUSER.DAT
2008-01-12 19:55    ---------    d-----w    C:\Documents and Settings\-Kresten\Application Data\Adobe
2008-01-12 18:14    ---------    d-----w    C:\Programmer\MSN Messenger
2008-01-12 16:34    ---------    d-----w    C:\Programmer\Fælles filer\Wise Installation Wizard
2008-01-12 16:34    ---------    d-----w    C:\Documents and Settings\-Kresten\Application Data\SUPERAntiSpyware.com
2008-01-12 16:22    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-12 16:21    12,632    ----a-w    C:\WINDOWS\system32\lsdelete.exe
2008-01-12 14:53    ---------    d--h--w    C:\Programmer\InstallShield Installation Information
2008-01-12 11:31    ---------    d-----w    C:\Documents and Settings\-Kresten\Application Data\gtk-2.0
2008-01-10 11:12    ---------    d-s---w    C:\Documents and Settings\-Kresten\Application Data\Microsoft
2008-01-10 10:57    ---------    d-----w    C:\Documents and Settings\-Kresten\Application Data\uTorrent
2008-01-02 17:48    ---------    d-----w    C:\Documents and Settings\-Kresten\Application Data\temp
2007-12-30 11:28    ---------    d-----w    C:\Documents and Settings\-Kresten\Application Data\Nero
2007-12-22 11:03    ---------    d-----w    C:\Programmer\Winamp
2007-12-11 14:35    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\PC Suite
2007-12-11 14:35    ---------    d-----w    C:\Documents and Settings\-Kresten\Application Data\PC Suite
2007-12-11 14:35    ---------    d-----w    C:\Documents and Settings\-Kresten\Application Data\Nokia
2007-12-11 14:07    ---------    d-----w    C:\Programmer\PC Connectivity Solution
2007-12-11 14:07    ---------    d-----w    C:\Programmer\Nokia
2007-12-11 14:07    ---------    d-----w    C:\Programmer\Fælles filer\PCSuite
2007-12-11 14:07    ---------    d-----w    C:\Programmer\Fælles filer\Nokia
2007-12-11 14:07    ---------    d-----w    C:\Programmer\DIFX
2007-12-11 14:06    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Installations
2007-12-04 14:49    26,624    ----a-w    C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 08:59    972,072    ----a-w    C:\WINDOWS\UNRecode.exe
2007-12-03 17:04    95,600    ----a-w    C:\WINDOWS\system32\NeroCo.dll
2007-12-01 17:16    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\MGS
2007-12-01 17:00    ---------    d-----w    C:\Programmer\ScandicBookmakers.com
2007-12-01 08:56    ---------    d-----w    C:\Programmer\PokerChamps
2007-11-30 19:29    ---------    d-----w    C:\Programmer\Hattrick Manager
2007-11-23 13:56    ---------    d-----w    C:\Programmer\Java
2007-11-21 16:31    132,904    ----a-w    C:\WINDOWS\system32\drivers\imagesrv.sys
2007-11-21 16:31    11,304    ----a-w    C:\WINDOWS\system32\drivers\imagedrv.sys
2007-11-18 20:46    219,136    ----a-w    C:\WINDOWS\system32\uxtheme.dll
2007-11-13 19:07    22,328    ----a-w    C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-13 19:06    103,736    ----a-w    C:\WINDOWS\system32\PnkBstrB.exe
2007-11-13 10:25    20,480    ----a-w    C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 09:03    22,328    ----a-w    C:\Documents and Settings\-Kresten\Application Data\PnkBstrK.sys
2007-11-07 09:28    723,456    ----a-w    C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:44    1,291,776    ----a-w    C:\WINDOWS\system32\quartz.dll
2007-10-27 13:00    569,344    ----a-w    C:\WINDOWS\uninstal.exe
2007-10-20 05:01    227,328    ----a-w    C:\WINDOWS\system32\wmasf.dll
.
[code]<pre>
----a-w          153,136 2008-01-12 15:00:08  C:\Programmer\Fælles filer\Nero\Lib\NeroCheck .exe
----a-w        1,688,872 2008-01-12 17:40:53  C:\Programmer\Fælles filer\Nero\Lib\NMIndexStoreSvr    .exe
----a-w        2,029,056 2008-01-12 16:41:55  C:\Programmer\Fælles filer\Nero\Lib\NMIndexStoreSvr  .exe
------w        5,674,352 2008-01-12 15:00:46  C:\Programmer\MSN Messenger\MsnMsgr .Exe
</pre>[/code]


(((((((((((((((((((((((((((((  snapshot@2008-01-12_18.59.31.30  )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-12 17:49:09    233,472    ----a-w    C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 19:37:46    233,472    ----a-w    C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-12 17:49:09    8,192    ----a-w    C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 19:37:46    8,192    ----a-w    C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-12 17:49:09    233,472    ----a-w    C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-13 19:37:46    233,472    ----a-w    C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-12 17:49:09    8,192    ----a-w    C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 19:37:46    8,192    ----a-w    C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-12 17:49:09    3,325,952    ----a-w    C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-13 19:37:46    3,325,952    ----a-w    C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-12 17:49:09    151,552    ----a-w    C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 19:37:47    151,552    ----a-w    C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-12 12:20:49    65,536    ----a-r    C:\WINDOWS\Installer\{236BB7C4-4419-42FD-0409-1E257A25E34D}\NewShortcut1_236BB7C4441942FD04091E257A25E34D.exe
+ 2008-01-12 19:29:22    65,536    ----a-r    C:\WINDOWS\Installer\{236BB7C4-4419-42FD-0409-1E257A25E34D}\NewShortcut1_236BB7C4441942FD04091E257A25E34D.exe
- 2008-01-11 11:20:26    45,056    ----a-r    C:\WINDOWS\Installer\{66D6AE9D-06EA-4B19-AE18-9C92EC576BE0}\NewShortcut1_2D73ED7BCF5749BA9891E131D7FE5FBF.exe
+ 2008-01-13 19:27:26    45,056    ----a-r    C:\WINDOWS\Installer\{66D6AE9D-06EA-4B19-AE18-9C92EC576BE0}\NewShortcut1_2D73ED7BCF5749BA9891E131D7FE5FBF.exe
- 2008-01-11 11:20:26    45,056    ----a-r    C:\WINDOWS\Installer\{66D6AE9D-06EA-4B19-AE18-9C92EC576BE0}\NewShortcut10_2D73ED7BCF5749BA9891E131D7FE5FBF.exe
+ 2008-01-13 19:27:26    45,056    ----a-r    C:\WINDOWS\Installer\{66D6AE9D-06EA-4B19-AE18-9C92EC576BE0}\NewShortcut10_2D73ED7BCF5749BA9891E131D7FE5FBF.exe
- 2008-01-11 11:20:26    14,366    ----a-r    C:\WINDOWS\Installer\{66D6AE9D-06EA-4B19-AE18-9C92EC576BE0}\NewShortcut2_2D73ED7BCF5749BA9891E131D7FE5FBF.exe
+ 2008-01-13 19:27:26    14,366    ----a-r    C:\WINDOWS\Installer\{66D6AE9D-06EA-4B19-AE18-9C92EC576BE0}\NewShortcut2_2D73ED7BCF5749BA9891E131D7FE5FBF.exe
- 2008-01-11 11:20:26    4,710    ----a-r    C:\WINDOWS\Installer\{66D6AE9D-06EA-4B19-AE18-9C92EC576BE0}\NewShortcut5_86F3D0BB3537401DBB67D4F0DA976EAC_1.exe
+ 2008-01-13 19:27:26    4,710    ----a-r    C:\WINDOWS\Installer\{66D6AE9D-06EA-4B19-AE18-9C92EC576BE0}\NewShortcut5_86F3D0BB3537401DBB67D4F0DA976EAC_1.exe
- 2008-01-11 11:20:26    4,710    ----a-r    C:\WINDOWS\Installer\{66D6AE9D-06EA-4B19-AE18-9C92EC576BE0}\NewShortcut51_86F3D0BB3537401DBB67D4F0DA976EAC_1.exe
+ 2008-01-13 19:27:26    4,710    ----a-r    C:\WINDOWS\Installer\{66D6AE9D-06EA-4B19-AE18-9C92EC576BE0}\NewShortcut51_86F3D0BB3537401DBB67D4F0DA976EAC_1.exe
- 2008-01-11 11:20:27    4,710    ----a-r    C:\WINDOWS\Installer\{66D6AE9D-06EA-4B19-AE18-9C92EC576BE0}\NewShortcut52_86F3D0BB3537401DBB67D4F0DA976EAC_1.exe
+ 2008-01-13 19:27:26    4,710    ----a-r    C:\WINDOWS\Installer\{66D6AE9D-06EA-4B19-AE18-9C92EC576BE0}\NewShortcut52_86F3D0BB3537401DBB67D4F0DA976EAC_1.exe
+ 2008-01-12 19:29:52    65,536    ----a-r    C:\WINDOWS\Installer\{B74D4E10-1033-0000-0000-000000000001}\AdobeBridge_B74D4E10103300000000000000000001_1.exe
+ 2008-01-12 19:29:52    65,536    ----a-r    C:\WINDOWS\Installer\{B74D4E10-1033-0000-0000-000000000001}\BridgeCommonShortcut_B74D4E101033000000000001_1.exe
+ 2008-01-12 19:29:52    1,904,640    ----a-r    C:\WINDOWS\Installer\{B74D4E10-1033-0000-0000-000000000001}\ESLaunchShortcut_B74D4E10103300000000000000000001.exe
+ 2008-01-12 19:29:52    61,440    ----a-r    C:\WINDOWS\Installer\{B74D4E10-1033-0000-0000-000000000001}\NewShortcut2_B74D4E10103300000000000000000001.exe
+ 2008-01-12 19:31:07    65,536    ----a-r    C:\WINDOWS\Installer\{E9787678-1033-0000-8E67-000000000001}\AppLanuchShortcut_E9787678103300008E67000000000001_1.exe
+ 2008-01-12 19:31:07    65,536    ----a-r    C:\WINDOWS\Installer\{E9787678-1033-0000-8E67-000000000001}\ProgramMenuShortcut_E9787678103300008E670000000001_1.exe
- 2007-08-23 11:09:42    29,926    ----a-r    C:\WINDOWS\Installer\{F53548BC-B8A8-43E4-85FC-A263640C347F}\MsblIco.Exe
+ 2008-01-12 18:14:34    29,926    ----a-r    C:\WINDOWS\Installer\{F53548BC-B8A8-43E4-85FC-A263640C347F}\MsblIco.Exe
- 2008-01-12 12:37:19    190,592    ----a-w    C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-01-13 10:59:43    192,184    ----a-w    C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-01-13 15:15:24    16,384    ----atw    C:\WINDOWS\Temp\Perflib_Perfdata_764.dat
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F08869B-B1D6-4463-8450-5A1372279BA8}]
            C:\WINDOWS\system32\fcyww.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programmer\Fælles filer\Nero\Lib\NMIndexStoreSvr    .exe" [2008-01-12 18:40 1688872]
"SUPERAntiSpyware"="C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-12 18:40 1318128]
"msnmsgr"="C:\Programmer\MSN Messenger\msnmsgr.exe" [2007-01-19 12:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-27 01:53 110592 C:\WINDOWS\system32\bthprops.cpl]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-06-09 15:33 6803456]
"nwiz"="nwiz.exe" [2005-06-09 15:33 1519616 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Programmer\QuickTime\QTTask    .exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SPAMfighter Agent"="C:\Programmer\SPAMfighter\SFAgent.exe" [2008-01-12 16:00 308880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-27 01:53 15360]
"Nokia.PCSync"="C:\Programmer\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programmer\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\svch2t1.dll

R2 SPAMfighter Update Service;SPAMfighter Update Service;C:\Programmer\SPAMfighter\sfus.exe [2008-01-02 17:03]
S3 RivaTunerEx;RivaTunerEx;C:\Programmer\RivaTuner v2.0 RC 15.5\RivaTunerEx.sys [2005-05-06 21:15]

.
Contents of the 'Scheduled Tasks' folder
"2007-11-20 10:43:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmer\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 20:38:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 20:39:34
ComboFix-quarantined-files.txt  2008-01-13 19:39:11
ComboFix2.txt  2008-01-12 18:00:06
.
2008-01-12 10:44:11    --- E O F --- 




... I'm just running a virus scan :)
k32a (Beginner)
13 January 2008 - 22:24 #11
It found 11 viruses and 39 infected objects :(
fromsej (Intern)
14 January 2008 - 17:19 #12
That was quite a lot.

Repeat steps 1 and 2 of the procedure (13/01-2008 14:19:05) with the RenV log until it is empty; when it is, we'll want to see another ComboFix log and a HijackThis log.