jbob (Beginner)
04 May 2008 - 10:06 There are 11 comments and 1 solution

Help with a Monder and Vundo attack!

I have caught a nasty virus. I run AntiVir and it constantly reports that some files in Windows/system32 are the Vundo virus. At the same time I periodically get ads popping up that I did not ask for!

I have run Spybot, CCleaner and VundoFix, but it has not helped???

Is there anyone who can help?
04 May 2008 - 10:27 #1
... Now, not all (un)wanted elements show up in a HiJackThis log; so go through the procedure from here -> http://www.eksperten.dk/artikler/1123
PS: Use this version of HJT -> http://www.trendsecure.com/portal/en-US/_download/HiJackThis.exe
jbob (Beginner)
04 May 2008 - 13:19 #2
Have now run the whole lot! When I ran SUPERAntiSpyware in safe mode it found viruses, but did not delete them. When run in normal mode it found them again and deleted them this time. Looks like the viruses are gone :-)

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13, on 2008-05-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
D:\Programmer\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\ASUSKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
D:\Programmer\Apache Group\Apache2\bin\Apache.exe
D:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Programmer\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Documents and Settings\Jakob\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {57976EAA-5B45-457C-8083-014C8DDE215D} - C:\WINDOWS\system32\tuvSKday.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {b7497365-6fc3-859a-7f14-8089e690d56c} - {c65d096e-9808-41f7-a958-3cf65637947b} - C:\WINDOWS\system32\hnuagihx.dll (file missing)
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATIPTA] d:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [BM337b5edc] Rundll32.exe "C:\WINDOWS\system32\bsyekbqx.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "D:\Programmer\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = D:\Programmer\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124556861755
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124558509404

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows Update - {C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F} - C:\WINDOWS\SYSTEM32\IOCTRL.DLL (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Apache Software Foundation - D:\Programmer\Apache Group\Apache2\bin\Apache.exe
O23 - Service: ASUS Keyboard Service (ASUSKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ASUSKBService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - D:\PROGRA~1\bin\nSvcIp.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
04 May 2008 - 14:08 #3
No, they are NOT !!!

I need to see/read the log from ComboFix ...
jbob (Beginner)
05 May 2008 - 14:13 #4
Here is the ComboFix log:

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\OqBHOqru.ini
C:\WINDOWS\system32\OqBHOqru.ini2
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\yadKSvut.ini
C:\WINDOWS\system32\yadKSvut.ini2

.
(((((((((((((((((((((((((  Files Created from 2008-04-04 to 2008-05-04  )))))))))))))))))))))))))))))))
.

2008-05-04 11:07 . 2008-05-04 11:07    <DIR>    d--------    C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-05-04 10:40 . 2008-05-04 11:44    <DIR>    d--------    C:\Program Files\SUPERAntiSpyware
2008-05-04 10:40 . 2008-05-04 10:40    <DIR>    d--------    C:\Documents and Settings\Jakob\Application Data\SUPERAntiSpyware.com
2008-05-04 10:40 . 2008-05-04 10:40    <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-04 09:55 . 2008-05-04 09:55    <DIR>    d-a------    C:\WINDOWS\zts2.exe
2008-05-04 09:55 . 2008-05-04 09:55    <DIR>    d-a------    C:\WINDOWS\system32\vcmgcd32.dll
2008-05-04 09:55 . 2008-05-04 09:55    <DIR>    d-a------    C:\WINDOWS\system32\iifgfgf.dll
2008-05-04 09:55 . 2008-05-04 09:55    <DIR>    d-a------    C:\WINDOWS\rundll16.exe
2008-05-04 09:55 . 2008-05-04 09:55    <DIR>    d-a------    C:\WINDOWS\rundl132.dll
2008-05-04 09:55 . 2008-05-04 09:55    <DIR>    d-a------    C:\WINDOWS\logo1_.exe
2008-05-04 09:51 . 2004-08-04 09:56    146,432    --a------    C:\WINDOWS\R.COM
2008-05-04 09:51 . 2004-08-04 09:56    135,680    --a------    C:\WINDOWS\system32\T.COM
2008-05-04 09:51 . 2008-05-04 09:55    50    --a------    C:\WINDOWS\Lic.xxx
2008-05-04 09:43 . 2008-05-04 09:45    <DIR>    d--------    C:\Downloads
2008-05-04 09:43 . 2008-05-04 09:45    <DIR>    d--------    C:\Bases
2008-05-04 08:50 . 2008-05-04 08:51    153    --a------    C:\WINDOWS\wininit.ini
2008-05-04 08:19 . 2008-05-04 08:18    691,545    --a------    C:\WINDOWS\unins000.exe
2008-05-04 08:19 . 2008-05-04 08:19    2,545    --a------    C:\WINDOWS\unins000.dat
2008-05-04 08:09 . 2008-05-04 08:44    109,802    --a------    C:\WINDOWS\BM337b5edc.xml
2008-05-03 18:38 . 2008-05-04 09:25    <DIR>    d--------    C:\VundoFix Backups
2008-05-03 16:16 . 2008-05-03 16:15    147,456    --a------    C:\VundoFix.exe
2008-05-03 13:38 . 2003-09-22 17:01    11,520    --a------    C:\WINDOWS\system32\drivers\WDMSTUB.sys
2008-05-03 13:16 . 2008-05-03 13:16    <DIR>    d--------    C:\Garmin
2008-05-03 13:16 . 2006-02-20 20:25    17,536    -ra------    C:\WINDOWS\system32\drivers\grmn0200.sys
2008-05-03 13:16 . 2006-04-11 21:51    16,512    -ra------    C:\WINDOWS\system32\drivers\grmn0400.sys
2008-05-03 13:16 . 2006-07-11 21:50    11,776    -ra------    C:\WINDOWS\system32\drivers\grmn1200.sys
2008-04-06 14:12 . 2008-05-04 12:12    <DIR>    d--------    C:\Documents and Settings\Jakob\Application Data\OpenOffice.org2
2008-04-06 14:09 . 2008-04-06 14:10    <DIR>    d--------    C:\Program Files\OpenOffice.org 2.4

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 10:12    ---------    d-----w    C:\Program Files\Microsoft AntiSpyware
2008-05-04 09:04    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-04 08:37    ---------    d-----w    C:\Program Files\Common Files\Wise Installation Wizard
2008-05-04 07:25    ---------    d-----w    C:\Program Files\PowerISO
2008-05-04 06:20    ---------    d-----w    C:\Program Files\Spybot - Search & Destroy
2008-05-03 12:14    ---------    d-----w    C:\Documents and Settings\Jakob\Application Data\uTorrent
2008-05-03 11:46    ---------    d-----w    C:\Documents and Settings\Jakob\Application Data\ZipGenius
2008-04-21 17:02    ---------    d-----w    C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition classic
2008-04-10 06:27    ---------    d-----w    C:\Program Files\Java
2008-04-06 11:32    26,416    ----a-w    C:\Documents and Settings\Jakob\Application Data\GDIPFONTCACHEV1.DAT
2007-10-19 17:43    30    ----a-w    C:\Program Files\Exiferupdate.ini
.

(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57976EAA-5B45-457C-8083-014C8DDE215D}]
            C:\WINDOWS\system32\tuvSKday.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c65d096e-9808-41f7-a958-3cf65637947b}]
            C:\WINDOWS\system32\hnuagihx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56 15360]
"NBJ"="D:\Programmer\Ahead\Nero BackItUp\NBJ.exe" [2004-09-07 21:55 1871872]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-21 02:12 131072]
"ATIPTA"="d:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-24 21:05 344064]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 12:20 77824 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 20:50 155648]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 13:12 473928]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-20 16:22 262401]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]
"BM337b5edc"="C:\WINDOWS\system32\bsyekbqx.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:56 15360]

C:\Documents and Settings\Jakob\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-23 02:04:00 98304]
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-03-16 17:54:44 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]
Monitor Apache Servers.lnk - D:\Programmer\Apache Group\Apache2\bin\ApacheMonitor.exe [2005-02-10 15:12:16 41042]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F}"= C:\WINDOWS\SYSTEM32\IOCTRL.DLL [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"D:\\Programmer\\Apache Group\\Apache2\\bin\\Apache.exe"=
"D:\\Programmer\\Macromedia\\Flash MX\\Flash.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Age Of Empires II\\age2_x1.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1607:UDP"= 1607:UDP:Windows Media Format SDK (firefox.exe)
"1606:UDP"= 1606:UDP:Windows Media Format SDK (firefox.exe)

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2008-04-20 16:22]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-04-20 16:22]
R2 devdpl;devdpl;C:\WINDOWS\system32\DRIVERS\devdpl.sys [2002-11-12 12:12]
R2 litdpl;litdpl;C:\WINDOWS\system32\DRIVERS\litdpl.sys [2002-11-12 12:12]
R2 P1C1394;Phase One 1394 Camera Driver;C:\WINDOWS\system32\Drivers\p1c1394.sys [2003-10-15 12:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b71365e-119e-11da-be0e-806d6172696f}]
\Shell\AutoRun\command - H:\ASUSACPI.exe

*Newly Created Service* - SASDIFSV
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 12:19:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 4.1\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-05-04 12:23:12
ComboFix-quarantined-files.txt  2008-05-04 10:22:09

Pre-Run: 4,932,218,880 bytes free
Post-Run: 4,921,286,656 bytes free
05 May 2008 - 19:40 #5
Uninstall
* µTorrent - file-sharing program
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=40284
* Microsoft AntiSpyware (The program was discontinued a long time ago - replaced by MS Defender)
via
[Start][Settings][Control Panel][Add/Remove Programs]

Restart to complete the uninstallation...

---------------------------------------

-- Download Avenger here:
http://swandog46.geekstogo.com/avenger.zip

-- Unpack the Avenger program and double-click avenger.exe

-- A window will pop up; copy the content between the ~~~ markers into it:

~~~~~~~~~~~~~~~~~~
Files to delete:
C:\WINDOWS\system32\tuvSKday.dll
C:\WINDOWS\system32\bsyekbqx.dll
C:\WINDOWS\system32\hnuagihx.dll
C:\WINDOWS\R.COM
C:\WINDOWS\system32\T.COM

Folders to delete:
C:\WINDOWS\zts2.exe
C:\WINDOWS\system32\vcmgcd32.dll
C:\WINDOWS\system32\iifgfgf.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundl132.dll
C:\WINDOWS\logo1_.exe
C:\Documents and Settings\Jakob\Application Data\uTorrent
C:\Program Files\uTorrent
~~~~~~~~~~~~~~~~~~

--- Click EXECUTE - and let the PC restart on its own.

-- After the restart a Notepad window will appear with a log of Avenger's actions. Please paste it into your next reply.

-- Run HijackThis, choose "Do a system scan only", tick the lines listed here, close all windows except HijackThis, and click "Fix checked".

O2 - BHO: (no name) - {57976EAA-5B45-457C-8083-014C8DDE215D} - C:\WINDOWS\system32\tuvSKday.dll (file missing)
O4 - HKLM\..\Run: [BM337b5edc] Rundll32.exe "C:\WINDOWS\system32\bsyekbqx.dll",s
O2 - BHO: {b7497365-6fc3-859a-7f14-8089e690d56c} - {c65d096e-9808-41f7-a958-3cf65637947b} - C:\WINDOWS\system32\hnuagihx.dll (file missing)

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [NBJ] "D:\Programmer\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O22 - SharedTaskScheduler: Windows Update - {C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F} - C:\WINDOWS\SYSTEM32\IOCTRL.DLL (file missing)
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - D:\PROGRA~1\bin\nSvcIp.exe (file missing)

Restart the computer and create a new log with HijackThis, which you post here together with the log from Avenger.
jbob (Beginner)
06 May 2008 - 15:51 #6
I cannot delete this one (have tried a couple of times, with a reboot afterwards):
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - D:\PROGRA~1\bin\nSvcIp.exe (file missing)

Here are the new HijackThis and Avenger logs (hoping the worst is gone now):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:47:57, on 06-05-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
D:\Programmer\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\ASUSKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
D:\Programmer\Apache Group\Apache2\bin\Apache.exe
D:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Programmer\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jakob\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATIPTA] d:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = D:\Programmer\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124556861755
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124558509404
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Apache Software Foundation - D:\Programmer\Apache Group\Apache2\bin\Apache.exe
O23 - Service: ASUS Keyboard Service (ASUSKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ASUSKBService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - D:\PROGRA~1\bin\nSvcIp.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

--

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  file "C:\WINDOWS\system32\tuvSKday.dll" not found!
Deletion of file "C:\WINDOWS\system32\tuvSKday.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\bsyekbqx.dll" not found!
Deletion of file "C:\WINDOWS\system32\bsyekbqx.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\hnuagihx.dll" not found!
Deletion of file "C:\WINDOWS\system32\hnuagihx.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\R.COM" deleted successfully.
File "C:\WINDOWS\system32\T.COM" deleted successfully.
Folder "C:\WINDOWS\zts2.exe" deleted successfully.
Folder "C:\WINDOWS\system32\vcmgcd32.dll" deleted successfully.
Folder "C:\WINDOWS\system32\iifgfgf.dll" deleted successfully.
Folder "C:\WINDOWS\rundll16.exe" deleted successfully.
Folder "C:\WINDOWS\rundl132.dll" deleted successfully.
Folder "C:\WINDOWS\logo1_.exe" deleted successfully.
Folder "C:\Documents and Settings\Jakob\Application Data\uTorrent" deleted successfully.
Folder "C:\Program Files\uTorrent" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
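The helper's post #5 lists exactly which HijackThis entries to fix, and the new scan in post #6 shows which of them actually disappeared. The Python script below is an added example, not code from the thread and not part of HijackThis, Avenger or ComboFix. It parses a constructed subset of the thread's two logs, applies a few triage heuristics that are this example's own (entries marked "(file missing)", a system32 DLL launched through Rundll32 at logon, BHOs without a readable name, SharedTaskScheduler hooks in system32), and diffs the two scans so that the one entry that survived the fix (the orphaned nSvcIp service) stands out the way it did for the helper. All function names and the flag texts are this example's assumptions.

```python
"""Triage a HijackThis log and diff two scans of the same machine.

Added example: not code from the thread, HijackThis, Avenger or ComboFix.
The sample lines are copied from the thread's logs; the flagging rules are
this example's own heuristics and will need tuning on other machines.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the first (infected) HijackThis scan.
BEFORE_LOG = r"""
O2 - BHO: (no name) - {57976EAA-5B45-457C-8083-014C8DDE215D} - C:\WINDOWS\system32\tuvSKday.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {b7497365-6fc3-859a-7f14-8089e690d56c} - {c65d096e-9808-41f7-a958-3cf65637947b} - C:\WINDOWS\system32\hnuagihx.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BM337b5edc] Rundll32.exe "C:\WINDOWS\system32\bsyekbqx.dll",s
O22 - SharedTaskScheduler: Windows Update - {C1A8B6A1-2C81-1C3D-A3C6-A1CCDB10B47F} - C:\WINDOWS\SYSTEM32\IOCTRL.DLL (file missing)
O23 - Service: Apache2 - Apache Software Foundation - D:\Programmer\Apache Group\Apache2\bin\Apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - D:\PROGRA~1\bin\nSvcIp.exe (file missing)
"""

# Constructed sample: the same subset after the Avenger / HijackThis fix.
AFTER_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O23 - Service: Apache2 - Apache Software Foundation - D:\Programmer\Apache Group\Apache2\bin\Apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - D:\PROGRA~1\bin\nSvcIp.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# First drive-letter path ending in a binary extension, quotes excluded.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:dll|exe|com|sys)\b", re.IGNORECASE)
GUID_NAME_RE = re.compile(r"^BHO: \{[0-9a-f-]{36}\}", re.IGNORECASE)


@dataclass
class Entry:
    section: str                    # "O2", "O4", "O23", ...
    body: str                       # text after "Oxx - "
    path: str                       # first binary path in the body, or ""
    flags: list = field(default_factory=list)

    @property
    def line(self) -> str:
        return f"{self.section} - {self.body}"


def triage(e: Entry) -> list:
    """Heuristics (this example's own) for entries worth a second look."""
    flags = []
    low = e.path.lower()
    in_system32 = "\\system32\\" in low
    if e.body.endswith("(file missing)"):
        # The loading point still exists but the binary does not: either a
        # scanner already removed the file or the entry was bogus to begin with.
        flags.append("orphaned loading point (file missing)")
    if e.section == "O4" and "rundll32" in e.body.lower() and in_system32 and low.endswith(".dll"):
        # Vundo-style persistence: a DLL in system32 started via Rundll32 at logon.
        flags.append("Rundll32 loading a system32 DLL at logon")
    if e.section == "O2":
        if e.body.startswith("BHO: (no name)") or GUID_NAME_RE.match(e.body):
            flags.append("BHO without a readable name")
        if in_system32:
            flags.append("BHO loaded from system32")
    if e.section == "O22" and in_system32:
        flags.append("SharedTaskScheduler hook from system32")
    return flags


def parse(log_text: str) -> list:
    """Return one Entry per HijackThis item line; header/process lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        e = Entry(m.group("section"), body, pm.group(0) if pm else "")
        e.flags = triage(e)
        entries.append(e)
    return entries


def flagged(log_text: str) -> list:
    return [e for e in parse(log_text) if e.flags]


def compare(before_text: str, after_text: str):
    """Return (removed, added) item lines between two scans of the same machine."""
    before = {e.line for e in parse(before_text)}
    after = {e.line for e in parse(after_text)}
    return sorted(before - after), sorted(after - before)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


if __name__ == "__main__":
    for e in flagged(BEFORE_LOG):
        print(e.line)
        for f in e.flags:
            print("   !", f)
    removed, added = compare(BEFORE_LOG, AFTER_LOG)
    print(f"\n{len(removed)} item(s) gone after cleanup, {len(added)} new; still flagged:")
    for e in flagged(AFTER_LOG):
        print("   ", e.line, e.flags)
```

Run against the constructed samples, the five flagged entries in the first scan are exactly the ones the helper told the poster to fix with Avenger and HijackThis, and the only flag left in the second scan is the service whose binary is gone, which is what the thread then handles through Services.msc.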
jbob (Beginner)
06 May 2008 - 17:29 #7
AntiVir just popped up saying there is a virus in:
C:\System Volume Information\_restore{6C9856DC-71E8-41CD-9E91-D4722C4FD08B}\RP547\A0044662.dll.
Should I delete the file?
06 May 2008 - 17:55 #8
Disable System Restore -> http://www.spywareinfo.dk/#/tip-og-tricks/deaktiver_systemgendannelse.htm
Restart your computer - enable System Restore. This is done in the same place where you disabled it; this time you just enable it.
Then THAT one is taken care of...
06 May 2008 - 19:07 #9
Regarding "ForceWare IP service (nSvcIp)" - is that something you have set up yourself?

Click Start->Run, type Services.msc and click OK.
Find the service
* ForceWare IP service (nSvcIp)
Stop it if it is running, right-click it and choose Startup type: Disabled.

After that you should be able to "fix" it in HiJackThis ...

---------

So how is the PC running now?
jbob (Beginner)
06 May 2008 - 19:57 #10
Regarding "ForceWare IP service (nSvcIp)" - is that something you have set up yourself? No, but now it is gone ;-)

The PC runs just fine now. Do post an answer - many thanks for the help!
06 May 2008 - 20:42 #11
There is no more 'dirt' according to your log...

You are welcome another time...

Open a folder, click Tools > Folder Options > View.
You should clean temp with this file; it only takes a few seconds.
http://www.spywareinfo.dk/download/cleantempxp2k.bat

After a round like this it is always a good idea to clean up the System Restore files.
Disable System Restore -> http://www.spywareinfo.dk/#/tip-og-tricks/deaktiver_systemgendannelse.htm
Restart your computer - enable System Restore. This is done in the same place where you disabled it; this time you just enable it.
It is also a good idea to manually create a new restore point that you can name and return to if you run into problems of any kind.

You will find a couple of articles about safe surfing here:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414

Safe Surfing...

--------------

Registry cleanup is recommended ->
RegCleaner http://www.ccleaner.com/ + http://www.spywarefri.dk/manualer/ccleaner-manual.htm (Especially the [Registry] section...)
During installation you will be offered the [Yahoo Toolbar]. You can say yes or NO to it.
jbob (Beginner)
06 May 2008 - 20:50 #12
Thanks again!