daki Juniormester
02 October 2008 - 19:31 There are 29 comments and 3 solutions

Check of HijackThis log file

Is there anyone who would take a look at this log file?

I have cleaned with CCleaner and Malwarebytes, but unfortunately I cannot clean up HijackThis myself.
Thanks in advance.

Attached are 2 log files from Malwarebytes and 1 log file from HijackThis:
----------
Malwarebytes' Anti-Malware 1.28
Database version: 1212
Windows 5.0.2195 Service Pack 4

27-09-2008 15:50:55
mbam-log-2008-09-27 (15-50-55).txt

Skan type: Fuldstændig skanning (C:\|)
Objekter skannet: 87518
Tid tilbagelagt: 34 minute(s), 48 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 1
Inficerede Registeringsdatabase Nøgler: 52
Inficerede Registeringsdatabase Værdier: 23
Inficerede Registeringsdatabase Filer: 5
Inficerede Mapper: 18
Inficerede Filer: 75

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
C:\WINDOWS\SYSTEM32\ubmaku.dll (Trojan.FakeAlert) -> Delete on reboot.

Inficerede Registeringsdatabase Nøgler:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f666ea4a-7085-7e51-ff3f-0ba2e5eb1f97} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f666ea4a-7085-7e51-ff3f-0ba2e5eb1f97} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ubmaku (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\znnrruor (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\znnrruor (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\znnrruor (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winta38 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\winta38 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winta38 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windj40 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windj40 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windj40 (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Webtools (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinCtrl32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Client Server Runtime Counter (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImgBurn (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\client server runtime counter (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\client server runtime counter (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ugac (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ICF (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate (Rootkit.Agent) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Værdier:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Products\rdomain (Rogue.PCVirusless) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Products\prodname (Rogue.PCVirusless) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Products\compname (Rogue.PCVirusless) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft service 32 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\microsoft service 32 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PrdMgr.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RunServices (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcaeaj0ejoj (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\backupwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Filer:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe %WINDIR%\system\MSVCRT.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Inficerede Mapper:
C:\Programmer\Outerinfo (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Programmer\Outerinfo\FF (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Programmer\Outerinfo\FF\components (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Programmer\InetGet2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Programmer\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Programmer\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Programmer\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Programmer\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Programmer\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Programmer\MyWebSearch\SrchAstt (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Programmer\MyWebSearch\SrchAstt\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Programmer\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Programmer\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Programmer\PCPrivacyCleaner (Rogue.PCPrivacyCleaner) -> Quarantined and deleted successfully.
C:\Programmer\Mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMon (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMon\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\kim\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.

Inficerede Filer:
C:\WINDOWS\SYSTEM32\zadwiu.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rs32net.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ubmaku.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Programmer\Mjcore\Mjcore.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Programmer\Webtools\webtools.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\888x6w2l2u2.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\s4j1v4x7t8b1.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\q8a4d8b7a5r1.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ubmaku32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\naPrdMg.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\ZNNRRUOR.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\Winta38.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\Windj40.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Programmer\Fælles filer\Yazzle1560OinUninstaller.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Programmer\Outerinfo\FF\components\FF.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Documents and Settings\Default User\Lokale indstillinger\Temporary Internet Files\Content.IE5\QO7HX15X\c12345[1].jpg (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Default User\Lokale indstillinger\Temporary Internet Files\Content.IE5\QO7HX15X\17PHolmes[1].cmt (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Default User\Lokale indstillinger\Temporary Internet Files\Content.IE5\T7EXH4SA\pq22[1].exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Default User\Lokale indstillinger\Temporary Internet Files\Content.IE5\X7ZIJK3M\q28[1].exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Programmer\Outerinfo\FF\install.rdf (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Programmer\Outerinfo\FF\chrome.manifest (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Programmer\Outerinfo\FF\components\OuterinfoAds.xpt (Adware.Outerinfo) -> Quarantined and deleted successfully.
C:\Programmer\InetGet2\Installeur.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Programmer\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Programmer\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Programmer\MyWebSearch\bar\Settings\settings.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Programmer\MyWebSearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\kim\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\kim\Application Data\speedrunner\SRUninstall.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\Documents and Settings\kim\Application Data\speedrunner\SpeedRunner.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM\Spool.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\faceback.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\faceback1001186.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\WinCtrl32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\mssvc32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\PrdMgr.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\services.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\naPrdMgr.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\btwdin.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM\MSVCRT.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\cygwin.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\crssc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\service.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu_upx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\d1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\d.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\17PHolmes1001186.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lphcaeaj0ejoj.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\phcaeaj0ejoj.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\blphcaeaj0ejoj.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Programmer\Fælles filer\Yazzle1560OinAdmin.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\WINDOWS\b128.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\b157.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Photo_SP_P0059.zip (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\kim\Lokale indstillinger\Temp\BN9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\.ttE.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\kim\Lokale indstillinger\Temp\.tt1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\kim\Lokale indstillinger\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\kim\Lokale indstillinger\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\kim\Lokale indstillinger\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\kim\Lokale indstillinger\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\kim\Lokale indstillinger\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\.tt77.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\kim\Lokale indstillinger\Temp\.tt79.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\.tt6.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\TEMP\.tt4.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\kim\Lokale indstillinger\Temp\.tt1.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\kim\Lokale indstillinger\Temp\.tt4.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\kim\Lokale indstillinger\Temp\.tt2.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.28
Database version: 1212
Windows 5.0.2195 Service Pack 4

01-10-2008 18:59:43
mbam-log-2008-10-01 (18-59-43).txt

Skan type: Fuldstændig skanning (C:\|)
Objekter skannet: 88957
Tid tilbagelagt: 24 minute(s), 17 second(s)

Inficerede Hukommelses Processer: 1
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 5
Inficerede Registeringsdatabase Værdier: 6
Inficerede Registeringsdatabase Filer: 1
Inficerede Mapper: 0
Inficerede Filer: 6

Inficerede Hukommelses Processer:
C:\WINDOWS\faceback.exe (Trojan.Agent) -> Unloaded process successfully.

Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Nøgler:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\psspsrtq (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\psspsrtq (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qvprostq (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qvprostq (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Værdier:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PrdMgr.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Filer:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
C:\WINDOWS\SYSTEM32\DRIVERS\PSSPSRTQ.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\QVPROSTQ.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\faceback.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\JJJJJJJJ.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\PrdMgr.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
----------
----------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:18:33, on 02-10-2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\sistray.EXE
C:\Programmer\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\ALVGMLFG.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\internat.exe
C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\UltimateZip 2.7\uzqkst.exe
C:\WINDOWS\system32\cmd.exe
C:\Programmer\Java\jre1.6.0_05\bin\jucheck.exe
C:\Temp\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\regvcs.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6C5CBD06-1A2C-401F-B97B-863C1A3F46A8} - C:\WINDOWS\system32\Natu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmer\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {E08226A0-3505-4533-94E2-B144CC9B6E1C} - C:\WINDOWS\system32\Natu.dll
O2 - BHO: (no name) - {FCCF387C-05D5-4233-8AC3-18C2A122BFF3} - C:\WINDOWS\system32\Natu.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [regvcs.exe] C:\WINDOWS\system32\drivers\regvcs.exe
O4 - HKLM\..\Run: [BKOCITOE] %systemroot%\BKOCITOE.exe
O4 - HKLM\..\Run: [RJJXADLA] %systemroot%\RJJXADLA.exe
O4 - HKLM\..\Run: [vaaofjkn] %systemroot%\vaaofjkn.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AXRRFKAA] %systemroot%\AXRRFKAA.exe
O4 - HKLM\..\Run: [BCRRDOIK] %systemroot%\BCRRDOIK.exe
O4 - HKLM\..\Run: [ALVGMLFG] %systemroot%\ALVGMLFG.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\RunServices: [Svchost Performance Adapter Services] C:\WINDOWS\system32\svmtc.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [swg] C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "c:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunServices: [Svchost Performance Adapter Services] C:\WINDOWS\system32\svmtc.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Svchost Performance Adapter Services] C:\WINDOWS\system32\svmtc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Poab] "C:\PROGRA~1\STEM32~1\msdtc.exe" -vt yazb (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Programmer\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Svchost Performance Adapter Services] C:\WINDOWS\system32\svmtc.exe (User 'Default user')
O4 - Startup: UltimateZip Quick Start.lnk = C:\Programmer\UltimateZip 2.7\uzqkst.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.dk
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.dk
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3451E54-DFA6-49DC-810F-9989EFFEAE9C}: NameServer = 192.168.12.100,194.239.134.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{F14020A1-EB81-4AB7-9517-945CD34F52CB}: NameServer = 192.168.12.100,194.239.134.83
O20 - Winlogon Notify: pcdmfa - pcdmfa.dll (file missing)
O20 - Winlogon Notify: pcdmfa - pcdmfa.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft Visual Basic  - Unknown owner - C:\WINDOWS\system\\MSVCRT.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6697 bytes
----------

It is a colleague who has had problems with his PC and has asked me for help. The problem is that as soon as the network cable is plugged in, the machine restarts immediately :-(

/dan
reinelt Nybegynder
02 October 2008 - 20:05 #1
You can also run SFC /scannow to see if it can repair the error. Go to START > RUN and type CMD - then type SFC /SCANNOW - and wait.. have your Win CD ready.
reinelt Nybegynder
02 October 2008 - 20:10 #2
02 October 2008 - 22:40 #3
WOW - there is still a lot... Stand by
02 October 2008 - 22:45 #4
This is just a quick one ->

Run a scan with HijackThis.
Below you get some files that you need to fix. What you need to do is put a check mark next to these files. When you have done that, close all other windows. It is very important that the only window open is the HijackThis window. Also remember to close this window when you have marked the files. Now you can fix. Click Fix checked.

These are the ones that need to be fixed:

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\regvcs.exe
O2 - BHO: (no name) - {6C5CBD06-1A2C-401F-B97B-863C1A3F46A8} - C:\WINDOWS\system32\Natu.dll
O2 - BHO: (no name) - {E08226A0-3505-4533-94E2-B144CC9B6E1C} - C:\WINDOWS\system32\Natu.dll
O2 - BHO: (no name) - {FCCF387C-05D5-4233-8AC3-18C2A122BFF3} - C:\WINDOWS\system32\Natu.dll
O4 - HKLM\..\Run: [regvcs.exe] C:\WINDOWS\system32\drivers\regvcs.exe
O4 - HKLM\..\Run: [BKOCITOE] %systemroot%\BKOCITOE.exe
O4 - HKLM\..\Run: [RJJXADLA] %systemroot%\RJJXADLA.exe
O4 - HKLM\..\Run: [vaaofjkn] %systemroot%\vaaofjkn.exe
O4 - HKLM\..\Run: [AXRRFKAA] %systemroot%\AXRRFKAA.exe
O4 - HKLM\..\Run: [BCRRDOIK] %systemroot%\BCRRDOIK.exe
O4 - HKLM\..\Run: [ALVGMLFG] %systemroot%\ALVGMLFG.exe
O4 - HKLM\..\RunServices: [Svchost Performance Adapter Services] C:\WINDOWS\system32\svmtc.exe
O4 - HKCU\..\RunServices: [Svchost Performance Adapter Services] C:\WINDOWS\system32\svmtc.exe
O4 - HKUS\.DEFAULT\..\Run: [Svchost Performance Adapter Services] C:\WINDOWS\system32\svmtc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Poab] "C:\PROGRA~1\STEM32~1\msdtc.exe" -vt yazb (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Svchost Performance Adapter Services] C:\WINDOWS\system32\svmtc.exe (User 'Default user')
O4 - Startup: UltimateZip Quick Start.lnk = C:\Programmer\UltimateZip 2.7\uzqkst.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O20 - Winlogon Notify: pcdmfa - pcdmfa.dll (file missing)
O20 - Winlogon Notify: pcdmfa - pcdmfa.dll (file missing)
O23 - Service: Microsoft Visual Basic  - Unknown owner - C:\WINDOWS\system\\MSVCRT.exe (file missing)

Restart normally...

And a fresh log...

------------------------------------------------------------------------
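The entries listed above were picked out by eye. As an added example (not code from the thread or from HijackThis itself), the following Python script encodes the same patterns as checks over HijackThis log lines: a Shell= value that launches more than Explorer.exe, eight-letter executables sitting directly in the Windows folder, a RunServices entry named after svchost but starting another binary, a policy that blocks regedit, and a service whose binary is missing. The sample input is built from lines in this thread plus a few benign entries; the eight-letter rule is a heuristic tuned to what appears here, not a general rule.

```python
"""Triage of HijackThis log entries, using the patterns the helpers in this
thread flagged by hand. Added example; not part of the thread and not code
from HijackThis."""
import re

# Constructed sample: entries copied from the thread's logs plus a few
# benign ones, so the heuristics see both kinds of input.
SAMPLE_LINES = [
    r"F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\regvcs.exe",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_05\bin\jusched.exe"',
    r"O4 - HKLM\..\Run: [BKOCITOE] %systemroot%\BKOCITOE.exe",
    r"O4 - HKLM\..\Run: [hpcqbmjk] %systemroot%\hpcqbmjk.exe",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O4 - HKLM\..\RunServices: [Svchost Performance Adapter Services] C:\WINDOWS\system32\svmtc.exe",
    r"O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O23 - Service: Microsoft Visual Basic  - Unknown owner - C:\WINDOWS\system\\MSVCRT.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

# "O4 - <hive>: [<name>] <command>"
RUN_ENTRY = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O23 - Service: <service> - <owner> - <path>"
SERVICE_ENTRY = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Heuristic from this thread: the droppers were all eight-letter names
# (BKOCITOE, RJJXADLA, hpcqbmjk, ...) placed directly in %systemroot%.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")
WINDOWS_ROOTS = {"%systemroot%", "%windir%", r"c:\windows"}


def executable(cmd):
    """First token of a Run command, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(lines):
    """Return (line, reason) pairs for entries matching the thread's patterns."""
    findings = []
    for raw in lines:
        line = raw.rstrip()
        run = RUN_ENTRY.match(line)
        if run:
            path = executable(run.group("cmd"))
            folder, _, filename = path.rpartition("\\")
            stem = filename.rsplit(".", 1)[0]
            if folder.lower() in WINDOWS_ROOTS and RANDOM_NAME.match(stem):
                findings.append((line, "random eight-letter executable directly in the Windows folder"))
            elif ("RunServices" in run.group("hive")
                  and "svchost" in run.group("name").lower()
                  and "svchost" not in filename.lower()):
                findings.append((line, "RunServices entry named after svchost but starting another binary"))
            continue
        if line.startswith("F2 - REG:system.ini: Shell="):
            shell = line.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append((line, "Shell= launches something in addition to Explorer.exe"))
            continue
        if line.startswith("O7 - ") and "DisableRegedit=1" in line:
            findings.append((line, "policy blocks the Registry Editor"))
            continue
        svc = SERVICE_ENTRY.match(line)
        if svc and svc.group("path").endswith("(file missing)"):
            findings.append((line, "service points at a binary that is missing"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LINES):
        print(f"{reason}:\n    {entry}")
```

A hit only means the entry deserves a look; the HijackThis list above also contains legitimate items that no rule here covers, so the script narrows the review rather than replacing it.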
daki (Junior master)
3 October 2008 - 07:04 #5
Here is the new log:
----------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:56:36, on 03-10-2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sistray.EXE
C:\Programmer\Java\jre1.6.0_05\bin\jusched.exe
C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\internat.exe
C:\Temp\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmer\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\system32\khooker.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [hpcqbmjk] %systemroot%\hpcqbmjk.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [swg] C:\Programmer\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Programmer\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://c:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.dk
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.dk
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3451E54-DFA6-49DC-810F-9989EFFEAE9C}: NameServer = 192.168.12.100,194.239.134.83
O17 - HKLM\System\CCS\Services\Tcpip\..\{F14020A1-EB81-4AB7-9517-945CD34F52CB}: NameServer = 192.168.12.100,194.239.134.83
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4686 bytes

/dan
reinelt (Beginner)
3 October 2008 - 09:35 #6
Did the scan with ccleaner and sfc turn anything up?
daki (Junior master)
3 October 2008 - 10:14 #7
Created 02/10 2008
Time 19:31:32

quote:
'I have cleaned with ccleaner and malwarebytes, but unfortunately can't clean up in hijackthis myself.'

I'm not allowed to run sfc.

/dan
f-arn (Guru)
3 October 2008 - 14:15 #8
Malwarebytes' Anti-Malware 1.28
Database version: 1212
Windows 5.0.2195 Service Pack 4

I don't have Malwarebytes' Anti-Malware to hand right now, but
hasn't it got past 1212?
4 October 2008 - 09:58 #9
The newest [Malwarebytes' Anti-Malware] database at the time of writing (3/10/2008) is 1227...

<daki>: Take another run with [Malwarebytes' Anti-Malware], but use the "update" function first and check that you get database version 1227 or higher...
Post the log FROM THAT run here in the thread...

Yes, there IS still a bit of 'dirt' left; it can be fixed manually, but let [Malwarebytes' Anti-Malware] chew on it first, as I suspect there's more than what HiJackThis shows...
daki (Junior master)
5 October 2008 - 09:09 #10
The problem is that the machine restarts every time the network plug is inserted; I've moved the disk over as a slave and scanned it with an updated Malwarebytes' Anti-Malware. Here's the log:
----------
Malwarebytes' Anti-Malware 1.28
Database version: 1227
Windows 5.1.2600 Service Pack 3

04-10-2008 19:11:08
mbam-log-2008-10-04 (19-11-08).txt

Skan type: Fuldstændig skanning (E:\|)
Objekter skannet: 73899
Tid tilbagelagt: 1 hour(s), 26 minute(s), 27 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 0
Inficerede Registeringsdatabase Nøgler: 0
Inficerede Registeringsdatabase Værdier: 0
Inficerede Registeringsdatabase Filer: 0
Inficerede Mapper: 0
Inficerede Filer: 9

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Nøgler:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Værdier:
(Ingen mistænkelige filer fundet)

Inficerede Registeringsdatabase Filer:
(Ingen mistænkelige filer fundet)

Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
E:\WINDOWS\TEMP\stf2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
E:\WINDOWS\TEMP\stf3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
E:\WINDOWS\TEMP\stf4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
E:\WINDOWS\TEMP\stf5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
E:\WINDOWS\TEMP\stf6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
E:\WINDOWS\TEMP\stf7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
E:\WINDOWS\TEMP\stf8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
E:\WINDOWS\TEMP\stf9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Photo_14301.zip (Backdoor.Bot) -> Quarantined and deleted successfully.
----------
/dan
5 October 2008 - 16:52 #11
O4 - HKLM\..\Run: [hpcqbmjk] %systemroot%\hpcqbmjk.exe

is not something I'd consider 'healthy' !!!
5 October 2008 - 16:54 #12
Seen in another thread - just a thought - update your network card driver...
daki (Junior master)
6 October 2008 - 12:14 #13
O4 - HKLM\..\Run: [hpcqbmjk] %systemroot%\hpcqbmjk.exe

Just won't be removed !!!
I've tried every time HijackThis has been run; will try again tonight.
ejvindh (Expert)
6 October 2008 - 16:28 #14
Someone should probably run Combofix and/or SDfix over this computer.
daki (Junior master)
6 October 2008 - 20:33 #15
Here are the logs from Combofix and SDfix:
----------
ComboFix 08-10-05.10 - kim 06-10-2008 18:40:20.1 - NTFSx86
Running from: C:\Documents and Settings\kim\Skrivebord\ComboFix.exe
    /wow section not completed

(((((((((((((((((((((((((  Files Created from 2008-09-06 to 2008-10-06  )))))))))))))))))))))))))))))))
.

2008-10-06 18:22 . 08-10-06 18:22     177,152    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\vrrnrvnr.sys
2008-10-06 18:22 . 08-10-06 18:22     177,152    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\jrvvjrvv.sys
2008-10-06 18:22 . 08-10-06 18:22     176,128    --a------    C:\WINDOWS\bjtgnhhk.exe
2008-10-04 17:12 . 08-10-04 17:12     <DIR>    d--------    C:\Programmer\Malwarebytes' Anti-Malware
2008-10-04 17:12 . 08-09-10 00:04     38,528    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-10-04 17:12 . 08-09-10 00:03     17,200    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-10-04 16:33 . 08-10-04 16:33     176,128    --a------    C:\WINDOWS\aczzbrbb.exe
2008-10-04 13:01 . 08-10-04 13:01     176,128    --a------    C:\WINDOWS\KCLHLNJJ.exe
2008-10-04 12:55 . 08-10-04 14:13     267,964,416    --a------    C:\WINDOWS\MEMORY.DMP
2008-10-04 09:49 . 98-05-05 10:30     36,352    --a--c---    C:\WINDOWS\SYSTEM32\dllcache\xilinxit.dll
2008-10-04 09:47 . 00-02-16 02:00     3,442,432    --a--c---    C:\WINDOWS\SYSTEM32\dllcache\pyime.exe
2008-10-04 09:46 . 03-06-19 12:05     297,744    --a--c---    C:\WINDOWS\SYSTEM32\dllcache\mqxp32.dll
2008-10-04 09:45 . 03-06-19 12:05     575,517    --a--c---    C:\WINDOWS\SYSTEM32\dllcache\imejpknl.dll
2008-10-04 09:44 . 00-02-16 02:00     8,929,280    --a--c---    C:\WINDOWS\SYSTEM32\dllcache\hwxjpn.dll
2008-10-04 09:43 . 00-02-16 02:00     1,577,216    --a--c---    C:\WINDOWS\SYSTEM32\dllcache\cjime.exe
2008-10-04 09:39 . 00-02-16 02:00     1,753,160    --a--c---    C:\WINDOWS\SYSTEM32\dllcache\vgx.dll
2008-10-04 09:38 . 03-06-19 12:05     1,146,640    --a--c---    C:\WINDOWS\SYSTEM32\dllcache\msoe.dll
2008-10-04 09:37 . 00-02-11 22:32     258,320    --a------    C:\WINDOWS\SYSTEM32\msh263.drv
2008-10-04 09:37 . 00-02-11 22:32     10,000    --a------    C:\WINDOWS\SYSTEM32\ksvpintf.ax
2008-10-04 09:37 . 00-02-11 22:31     7,952    --a------    C:\WINDOWS\SYSTEM32\ksinterf.ax
2008-10-04 09:37 . 00-02-11 22:32     7,440    --a------    C:\WINDOWS\SYSTEM32\ksclockf.ax
2008-10-04 09:37 . 00-02-11 22:31     6,928    --a------    C:\WINDOWS\SYSTEM32\ksdata.ax
2008-10-04 09:11 . 03-06-19 12:05     1,040,880    -ra------    C:\WINDOWS\SET55.tmp
2008-10-04 09:11 . 00-02-16 02:00     371,984    --a--c---    C:\WINDOWS\SYSTEM32\dllcache\vcmd.exe
2008-10-04 09:11 . 00-02-16 02:00     150,016    --a------    C:\WINDOWS\SYSTEM32\spxcoins.dll
2008-10-04 09:11 . 00-02-16 02:00     150,016    --a--c---    C:\WINDOWS\SYSTEM32\dllcache\spxcoins.dll
2008-10-04 09:11 . 00-02-16 02:00     15,120    --a--c---    C:\WINDOWS\SYSTEM32\dllcache\delttsul.exe
2008-10-04 09:11 . 00-02-16 02:00     15,120    --a------    C:\WINDOWS\delttsul.exe
2008-10-04 09:10 . 00-02-16 02:00     14,512    -ra------    C:\WINDOWS\SET2D.tmp
2008-10-04 08:06 . 08-10-04 08:06     176,128    --a------    C:\WINDOWS\eghpnano.exe
2008-10-03 21:02 . 08-10-03 21:02     176,128    --a------    C:\WINDOWS\ldlomeij.exe
2008-10-03 20:02 . 08-10-03 20:02     176,128    --a------    C:\WINDOWS\kflnfimi.exe
2008-10-03 19:36 . 08-09-06 17:46     25,085,704    --a------    C:\Temp\antivir_workstation_winu_en_h.exe
2008-10-03 19:32 . 08-10-03 19:32     <DIR>    d--------    C:\Temp\DFE-530TX 20020724
2008-10-03 19:32 . 08-10-03 19:32     <DIR>    d--------    C:\Temp\CMI8738_WDM_0639W2K
2008-10-03 06:42 . 08-10-04 17:16     142,914    ---h-----    C:\WINDOWS\ShellIconCache
2008-10-03 06:36 . 08-10-03 06:51     <DIR>    d--------    C:\Temp\backups
2008-10-03 06:27 . 08-10-03 06:27     176,128    --a------    C:\WINDOWS\TOLAHAFQ.exe
2008-10-02 21:18 . 08-10-02 21:18     176,128    ---------    C:\WINDOWS\hpcqbmjk.exe
2008-10-02 19:16 . 08-04-26 16:29     401,720    --a------    C:\Temp\HiJackThis.exe
2008-10-02 19:14 . 08-10-02 19:14     176,128    --a------    C:\WINDOWS\odafglps.exe
2008-10-02 19:04 . 08-10-02 19:04     176,128    --a------    C:\WINDOWS\tanmkfna.exe
2008-10-02 18:49 . 02-06-25 11:02     40,448    -ra------    C:\WINDOWS\SYSTEM32\DRIVERS\dlkfet5b.sys
2008-10-02 18:49 . 08-10-02 18:50     25    --a------    C:\WINDOWS\mixerdef.ini
2008-09-30 19:53 . 08-09-30 19:53     176,128    --a------    C:\WINDOWS\jjnfbjnn.exe
2008-09-30 19:27 . 08-09-30 19:27     176,128    --a------    C:\WINDOWS\LKENVCEH.exe
2008-09-30 19:15 . 08-09-30 19:15     176,128    --a------    C:\WINDOWS\jluxaaib.exe
2008-09-30 19:03 . 08-09-30 19:03     176,128    --a------    C:\WINDOWS\khdnklmg.exe
2008-09-29 20:55 . 08-09-29 20:55     176,128    --a------    C:\WINDOWS\NASFFFNN.exe
2008-09-29 20:53 . 08-09-29 20:53     54,784    --a------    C:\WINDOWS\SYSTEM32\D.tmp
2008-09-29 20:53 . 08-09-29 20:53     13,312    --a------    C:\WINDOWS\SYSTEM32\B.tmp
2008-09-29 20:53 . 08-09-29 20:53     18    --a------    C:\WINDOWS\SYSTEM32\F.tmp
2008-09-29 20:52 . 08-09-29 20:53     67,072    --a------    C:\WINDOWS\SYSTEM32\A.tmp
2008-09-29 20:52 . 08-09-29 20:52     188    --a------    C:\WINDOWS\SYSTEM32\8.tmp
2008-09-29 20:49 . 08-10-04 08:04     0    --a------    C:\WINDOWS\SYSTEM32\NvApps.xml
2008-09-29 19:36 . 03-06-19 12:05     1,040,880    -ra------    C:\WINDOWS\SET54.tmp
2008-09-29 19:36 . 00-02-16 02:00     14,512    -ra------    C:\WINDOWS\SET2C.tmp
2008-09-27 17:52 . 08-09-27 17:52     176,128    --a------    C:\WINDOWS\RSBSRBAA.exe
2008-09-27 17:14 . 06-10-22 15:06     221,184    --a------    C:\WINDOWS\SYSTEM32\NVUNINST.EXE
2008-09-27 17:12 . 08-10-03 19:36     <DIR>    d--------    C:\Temp
2008-09-27 16:56 . 08-09-27 16:56     176,128    --a------    C:\WINDOWS\ojjaapmn.exe
2008-09-27 16:07 . 08-09-27 16:07     158,208    --a------    C:\r5e3j6c2.exe
2008-09-27 14:27 . 08-07-18 22:09     29,896    --a------    C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-09-27 14:26 . 00-02-16 01:00     66,594    --a------    C:\WINDOWS\SYSTEM32\c_862.nls
2008-09-27 14:26 . 00-02-16 01:00     66,082    --a------    C:\WINDOWS\SYSTEM32\c_10005.nls
2008-09-27 14:26 . 00-02-16 01:00     6,416    --a------    C:\WINDOWS\SYSTEM32\kbdheb.dll
2008-09-27 14:26 . 00-02-16 01:00     6,416    --a--c---    C:\WINDOWS\SYSTEM32\dllcache\kbdheb.dll
2008-09-27 14:05 . 08-09-27 14:05     <DIR>    d--------    C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-27 13:38 . 03-06-19 12:05     1,040,880    -ra------    C:\WINDOWS\SET53.tmp
2008-09-27 13:38 . 00-02-16 02:00     14,512    -ra------    C:\WINDOWS\SET2B.tmp
2008-09-26 22:54 . 08-09-26 22:54     192,512    --a------    C:\WINDOWS\SJNJFFNA.exe
2008-09-26 22:47 . 08-09-26 22:47     188    --a------    C:\WINDOWS\SYSTEM32\2.tmp
2008-09-26 22:47 . 08-09-26 22:47     0    --a------    C:\WINDOWS\SYSTEM32\7.tmp
2008-09-26 22:47 . 08-09-26 22:47     0    --a------    C:\WINDOWS\SYSTEM32\6.tmp
2008-09-26 22:47 . 08-09-26 22:47     0    --a------    C:\WINDOWS\SYSTEM32\4.tmp
2008-09-26 22:47 . 08-09-26 22:47     0    --a------    C:\WINDOWS\SYSTEM32\3.tmp
2008-09-26 22:29 . 03-06-19 12:05     577,296    --a------    C:\WINDOWS\SYSTEM32\hypertrm.dll
2008-09-26 22:18 . 03-06-19 12:05     1,040,880    -ra------    C:\WINDOWS\SET52.tmp
2008-09-26 22:18 . 00-02-16 02:00     14,512    -ra------    C:\WINDOWS\SET2A.tmp
2008-09-26 21:59 .     16,384        C:\WINDOWS\SYSTEM32\Perflib_Perfdata_234.dat
2008-09-26 21:55 . 08-09-26 21:55     192,512    --a------    C:\WINDOWS\jhllmfji.exe
2008-09-26 21:52 . 08-09-26 21:52     16,384    --a------    C:\WINDOWS\SYSTEM32\Perflib_Perfdata_2b4.dat
2008-09-26 21:33 . 08-09-26 21:33     16,384    --a------    C:\WINDOWS\SYSTEM32\Perflib_Perfdata_228.dat
2008-09-26 21:28 . 08-09-26 21:28     16,384    --a------    C:\WINDOWS\SYSTEM32\Perflib_Perfdata_3d4.dat
2008-09-26 21:28 . 08-09-26 21:28     16,384    --a------    C:\WINDOWS\SYSTEM32\Perflib_Perfdata_314.dat
2008-09-26 21:28 . 08-09-26 21:28     16,384    --a------    C:\WINDOWS\SYSTEM32\Perflib_Perfdata_2f4.dat
2008-09-26 21:27 . 08-09-26 21:27     16,384    --a------    C:\WINDOWS\SYSTEM32\Perflib_Perfdata_2ac.dat
2008-09-26 21:27 . 08-09-26 21:27     16,384    --a------    C:\WINDOWS\SYSTEM32\Perflib_Perfdata_284.dat
2008-09-26 21:27 . 08-09-26 21:27     16,384    --a------    C:\WINDOWS\SYSTEM32\Perflib_Perfdata_258.dat
2008-09-26 21:27 . 08-09-26 21:27     16,384    --a------    C:\WINDOWS\SYSTEM32\Perflib_Perfdata_1f4.dat
2008-09-26 20:08 . 08-09-26 20:08     16,384    --a------    C:\WINDOWS\SYSTEM32\Perflib_Perfdata_4dc.dat
2008-09-26 19:50 . 08-09-26 19:50     <DIR>    d--------    C:\Documents and Settings\kim\Application Data\Malwarebytes
2008-09-26 19:49 . 08-09-26 19:49     <DIR>    d-a------    C:\Programmer\CCleaner
2008-09-26 18:10 . 08-09-26 18:10     16,384    --a------    C:\WINDOWS\SYSTEM32\Perflib_Perfdata_288.dat
2008-09-26 17:16 . 08-09-26 17:16     163,840    --a------    C:\WINDOWS\SYSTEM32\74.tmp
2008-09-26 17:16 . 08-09-26 17:16     16,384    --a------    C:\WINDOWS\SYSTEM32\Perflib_Perfdata_404.dat
2008-09-26 17:16 . 08-09-26 17:16     0    --a------    C:\WINDOWS\SYSTEM32\76.tmp
2008-09-26 17:15 . 08-09-26 17:16     140    --a------    C:\WINDOWS\SYSTEM32\6E.tmp
2008-09-26 17:14 . 08-09-26 17:14     16,384    --a------    C:\WINDOWS\SYSTEM32\Perflib_Perfdata_260.dat
2008-09-26 16:58 . 08-09-26 16:58     29    --a------    C:\WINDOWS\SYSTEM32\gffptiir.tmp
2008-09-26 16:58 . 08-09-26 16:58     0    --a------    C:\WINDOWS\SYSTEM32\6D.tmp
2008-09-26 16:53 . 08-09-26 16:53     0    --a------    C:\WINDOWS\SYSTEM32\yewqhosa.tmp
2008-09-26 16:50 . 08-09-26 16:50     16,384    --a------    C:\WINDOWS\SYSTEM32\Perflib_Perfdata_654.dat
2008-09-26 16:48 . 00-02-16 00:00     4,080    --a------    C:\WINDOWS\SYSTEM32\DRIVERS\beeper.sys
2008-09-26 16:47 . 08-09-26 16:47     16,384    --a------    C:\WINDOWS\SYSTEM32\Perflib_Perfdata_464.dat
2008-09-26 16:47 . 08-09-26 16:47     0    --a------    C:\WINDOWS\SYSTEM32\6F.tmp
2008-09-26 16:46 . 08-09-26 16:47     88    --a------    C:\WINDOWS\SYSTEM32\6C.tmp
2008-09-21 15:30 . 08-09-21 20:08     93,184    --a------    C:\v4i7s4u8p5b4.exe
2008-09-21 15:27 . 08-09-21 19:40     155    --a------    C:\WINDOWS\SYSTEM\melt1.bat
2008-09-21 15:08 . 08-09-27 16:07     90,112    --a------    C:\3j5r5e3j6c2.exe
2008-09-21 15:07 . 08-09-21 20:05     93,184    -rahs----    C:\WINDOWS\SYSTEM32\DRIVERS\regvcs.exe
2008-09-18 21:43 . 08-09-18 21:43     16,384    --a------    C:\WINDOWS\SYSTEM32\Perflib_Perfdata_6d4.dat
2008-09-14 12:07 . 08-09-14 12:09     81,920    --a------    C:\m5a4t9k7s2t4.exe
2008-09-14 11:21 . 08-09-14 12:20     61,440    --a------    C:\q5u1t3l7n2y3.exe
2008-09-07 15:49 . 08-09-07 15:49     16,384    --a------    C:\WINDOWS\SYSTEM32\Perflib_Perfdata_11b8.dat

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-04 07:39    271    ---h--w    C:\Programmer\desktop.ini
2008-10-04 07:39    22,029    ---h--w    C:\Programmer\folder.htt
2008-10-04 07:38    ---------    d---a-w    C:\Programmer\Fælles filer\Tjenester
2008-10-01 17:38    ---------    d---a-w    C:\Programmer\RegCleaner
2008-09-26 19:36    37,376    ----a-w    C:\WINDOWS\SYSTEM32\mssrv16.exe
2008-09-26 19:36    163,840    ----a-w    C:\WINDOWS\SYSTEM32\9.tmp
2008-09-07 16:25    73,216    ----a-w    C:\p5w5z8y3c7t3.exe
2008-09-04 15:11    ---------    d-----w    C:\Documents and Settings\kim\Application Data\VirusForsvar
2008-09-03 17:18    68,608    ----a-w    C:\g3g6r8w3c2f7.exe
2008-07-26 14:34    171    ----a-w    C:\a7i7x6w2l2u2.exe
2008-07-25 10:39    71,168    ----a-w    C:\l3r1t1j4s1x7.exe
2008-07-25 09:53    71,168    ----a-w    C:\o4s8q2c2q4j8.exe
2008-07-25 09:45    113,664    --sha-r    C:\WINDOWS\SYSTEM32\SubInACL.exe
2008-07-19 15:20    51,200    ----a-w    C:\y6a4b3r2r4x2.exe
2008-07-19 15:05    51,200    ----a-w    C:\q3v6s1e9n4x7.exe
2008-07-19 15:04    109,568    ----a-w    C:\o8d3d9u9.exe
2008-07-18 20:10    53,448    ----a-w    C:\WINDOWS\SYSTEM32\wuauclt.exe
2008-07-18 20:10    45,768    ----a-w    C:\WINDOWS\SYSTEM32\wups2.dll
2008-07-18 20:10    36,552    ----a-w    C:\WINDOWS\SYSTEM32\wups.dll
2008-07-18 20:09    563,912    ----a-w    C:\WINDOWS\SYSTEM32\wuapi.dll
2008-07-18 20:09    325,832    ----a-w    C:\WINDOWS\SYSTEM32\wucltui.dll
2008-07-18 20:09    1,811,656    ----a-w    C:\WINDOWS\SYSTEM32\wuaueng.dll
2008-07-11 15:03    41,945    ----a-w    C:\n3x3d3g2q9g5.exe
2008-07-09 00:50    49,009    ----a-w    C:\1s9r1ls2.exe
2002-10-20 09:08    16,176    ----a-w    C:\Documents and Settings\kim\Application Data\GDIPFONTCACHEV1.DAT
2000-02-16 00:00    32,528    ----a-w    C:\WINDOWS\inf\wbfirdma.sys
2007-12-22 19:36    0    --sha-w    C:\WINDOWS\SYSTEM32\.exe
.

------- Sigcheck -------

00-02-16 02:00  17680  22e415898d5271438be6f865071320da    C:\WINDOWS\SYSTEM32\svchost.exe
00-02-16 02:00  17680  3be249b0fe6e109aedd1e83618c5440a    C:\WINDOWS\SYSTEM32\dllcache\svchost.exe

03-06-19 12:05  253200  16fc7e56ffaa71d8974c799e75242848    C:\WINDOWS\explorer.exe
03-06-19 12:05  253200  a2ba99ccdd6251424c2185312b42ad04    C:\WINDOWS\SYSTEM32\dllcache\explorer.exe

03-06-19 10:05  99088  a127a57622a114778003ad2cdf72853e    C:\WINDOWS\$NtUpdateRollupPackUninstall$\services.exe
03-06-19 12:05  99088  632fcf962c263f34839c3c54a01a427b    C:\WINDOWS\SYSTEM32\services.exe
03-06-19 12:05  99088  70eb7808d6d462b9d8f3a628933d7f9f    C:\WINDOWS\SYSTEM32\dllcache\services.exe

03-06-19 10:05  44304  690757d81359c954306e719735a36f48    C:\WINDOWS\$NtUpdateRollupPackUninstall$\lsass.exe
03-06-19 12:05  44304  feed3de417e51d0abfb88831cea686bb    C:\WINDOWS\SYSTEM32\lsass.exe
03-06-19 12:05  44304  194d22e386775283449115137cb3c778    C:\WINDOWS\SYSTEM32\dllcache\lsass.exe

03-06-19 11:05  55056  b4fe5bd083dd61a6ef3d2df02a933cf0    C:\WINDOWS\$NtUpdateRollupPackUninstall$\spoolsv.exe
03-06-19 12:05  55056  0115715e6aafd603086d64da3f45d3e8    C:\WINDOWS\SYSTEM32\spoolsv.exe
03-06-19 12:05  55056  4c031d8944bda4ce6881f262a5ea9921    C:\WINDOWS\SYSTEM32\dllcache\spoolsv.exe

03-06-19 12:05  27408  6dce5c0d46d8318fcf275a3ae5e2fbf2    C:\WINDOWS\SYSTEM32\userinit.exe
03-06-19 12:05  27408  610dcc2b2dd9328376b90f87d179e0a8    C:\WINDOWS\SYSTEM32\dllcache\userinit.exe
.
(((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[COLOR=RED]NETSVCS REQUIRES REPAIRS - current entries shown[/COLOR]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs

.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{7D688A77-C613-11D0-999B-00C04FD655E1} - (no file)



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 18:45:51
Windows 5.0.2195 Service Pack 4 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\tqpwqqqq.sys 177152 bytes executable


**************************************************************************
.
Completion time: 2008-10-06 18:49:08

Pre-Run: 15.341.218.816 byte ledig
----------

SDFix: Version 1.231
Run by kim on ma 2008-10-06 at 19:52

Microsoft Windows 2000 [version 5.00.2195]
Running From: C:\SDFix

Checking Services :

Rootkit Found :
C:\WINDOWS\system32\drivers\MNTRSSUT.sys - Rootkit Srizbi
C:\WINDOWS\system32\drivers\VORUURKR.sys - Rootkit Srizbi
C:\WINDOWS\system32\drivers\YXTLXHRM.sys - Rootkit Srizbi

Name :
MNTRSSUT
VORUURKR
YXTLXHRM

Path :
\??\C:\WINDOWS\system32\drivers\mntrssut.sys
\??\C:\WINDOWS\system32\drivers\voruurkr.sys
\??\C:\WINDOWS\system32\drivers\YXTLXHRM.sys

MNTRSSUT - Deleted
VORUURKR - Deleted
YXTLXHRM - Deleted


C:\WINDOWS\system32\Microsoft\backup.ftp Found
C:\WINDOWS\system32\Microsoft\backup.tftp Found

Checking files:

Genuine:
C:\WINDOWS\system32\Microsoft\backup.ftp
C:\WINDOWS\system32\Microsoft\backup.tftp
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\tftp.exe
C:\WINDOWS\system32\dllcache\ftp.exe
C:\WINDOWS\system32\dllcache\tftp.exe



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\GFFPTIIR.TMP - Deleted
C:\WINDOWS\SYSTEM32\GFFPTIIR.TMP - Deleted
C:\WINDOWS\SYSTEM32\GFFPTIIR.TMP - Deleted
C:\WINDOWS\SYSTEM32\WMSOFT~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\WMSOFT~2.EXE - Deleted
C:\WINDOWS\SYSTEM32\WMSOFT~3.EXE - Deleted
C:\628692~1 - Deleted
C:\WINDOWS\system32\2.tmp - Deleted
C:\WINDOWS\system32\3.tmp - Deleted
C:\WINDOWS\system32\4.tmp - Deleted
C:\WINDOWS\system32\5.tmp - Deleted
C:\WINDOWS\system32\6.tmp - Deleted
C:\WINDOWS\system32\7.tmp - Deleted
C:\WINDOWS\system32\8.tmp - Deleted
C:\WINDOWS\system32\9.tmp - Deleted
C:\WINDOWS\system32\A.tmp - Deleted
C:\WINDOWS\system32\B.tmp - Deleted
C:\WINDOWS\system32\C.tmp - Deleted
C:\WINDOWS\system32\D.tmp - Deleted
C:\WINDOWS\system32\F.tmp - Deleted
C:\WINDOWS\system32\2.tmp - Deleted
C:\WINDOWS\system32\TFTP504 - Deleted
C:\WINDOWS\system32\wmsoft25031.exe - Deleted
C:\WINDOWS\system32\wmsoft33627.exe - Deleted
C:\WINDOWS\system32\wmsoft36163.exe - Deleted
C:\WINDOWS\system32\wmsoft58834.exe - Deleted
C:\WINDOWS\admintxt.txt - Deleted
C:\WINDOWS\system\melt1.bat - Deleted
C:\WINDOWS\system32\.exe - Deleted
C:\WINDOWS\system32\admdll.dll - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\Microsoft\backup.ftp - Deleted
C:\WINDOWS\system32\Microsoft\backup.tftp - Deleted
C:\WINDOWS\system32\drivers\MNTRSSUT.sys - Deleted
C:\WINDOWS\system32\drivers\VORUURKR.sys - Deleted
C:\WINDOWS\system32\drivers\YXTLXHRM.sys - Deleted





Removing Temp Files

ADS Check :



                                Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-06 20:12:53
Windows 5.0.2195 Service Pack 4 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :



Files with Hidden Attributes :

Wed  5 May 1999      129,078 ..SH. --- "C:\LOGO.SYS"
Mon 14 Jul 2003        77,282 A.SHR --- "C:\WINDOWS\Readers_sl.EXE"
Thu 19 Jun 2003        77,282 A.SHR --- "C:\WINDOWS\SYSTEM32\Readers_sl.EXE"
Fri 25 Jul 2008      113,664 A.SHR --- "C:\WINDOWS\SYSTEM32\SubInACL.exe"
Thu 19 Jun 2003        76,919 A.SHR --- "C:\WINDOWS\SYSTEM32\TINTSETPS.EXE"
Mon 26 Sep 2005        4,348 ..SH. --- "C:\WINDOWS\All Users\DRM\DRMv1.bak"
Sun 21 Sep 2008        93,184 A.SHR --- "C:\WINDOWS\SYSTEM32\DRIVERS\regvcs.exe"
Thu  2 Oct 2008            0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3d4c9dbe9196328161c76e65e80820e2\BITB.tmp"
Thu  2 Oct 2008            0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6e6c3b3397c092c9bad72327ea8ed7ff\BIT7.tmp"
Thu  2 Oct 2008            0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\732cf1c10ac796f09e08d983c73f6461\BITC.tmp"
Thu  2 Oct 2008            0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7480a9c231a1912f48d1c77397045a47\BIT1.tmp"
Thu  2 Oct 2008            0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7d70b86e150ba25197e05cdd7fde4a15\BITA.tmp"
Thu  2 Oct 2008            0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9048eb2d7bd71efb179e7e33303d16a3\BIT9.tmp"
Thu  2 Oct 2008            0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\90715bb538f06d72f9cc4cfce8506109\BIT4.tmp"
Thu  2 Oct 2008            0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b357662dbd6a58571d2f97c91f558e66\BIT5.tmp"
Fri 26 Sep 2008            0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b3f81ef8210093e5b49bcec76d8461e9\BIT1.tmp"
Thu  2 Oct 2008            0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bad79d7755dbfbcfd2faa21e4691b8bf\BITD.tmp"
Thu  2 Oct 2008            0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\da20d7c8df96134fd91ab306f59e15d2\BIT6.tmp"
Thu  2 Oct 2008            0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\dc4921dcabd711bc86c7969898dd4b65\BIT8.tmp"
Thu  2 Oct 2008            0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\dee2565ad23b710bee016d044bbfd5ca\BIT2.tmp"
Thu  2 Oct 2008            0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fc9421971a3b04be2b0a56ac29c9452f\BIT3.tmp"

Finished!
----------
/dan
ejvindh (Expert)
6 October 2008 - 21:27 #16
Now, it's not me who is handling the log file here. But if it were, my recommendation would be that this machine be formatted. It's full of rootkits, and apparently has been for quite some time.

You can try to clean it, but it can easily become a long process that will, among other things, involve replacing certain system files (svchost.exe, explorer.exe, services.exe, lsass.exe, spoolsv.exe and userinit.exe), since these also appear to have been hijacked.
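The hash differences behind that assessment are visible in the "Sigcheck" section of the ComboFix log in the previous post. As an added example (not part of the thread, ComboFix or SDFix), this Python snippet parses those lines and reports each live system binary whose MD5 differs from the copy Windows File Protection keeps in dllcache; the winlogon.exe pair and its hash are constructed to exercise the clean case.

```python
"""Cross-check of the Sigcheck lines in a ComboFix log.

Added example; not part of the thread, ComboFix or SDFix. For each system
binary it compares the live copy's MD5 with the dllcache copy, which is the
observation behind the advice to replace svchost.exe, explorer.exe,
services.exe, lsass.exe, spoolsv.exe and userinit.exe.
"""
import re
from collections import defaultdict

# "<yy-mm-dd hh:mm>  <size>  <md5>    <path>"
SIGCHECK_LINE = re.compile(
    r"^(?P<stamp>\d\d-\d\d-\d\d \d\d:\d\d)\s+(?P<size>\d+)\s+"
    r"(?P<md5>[0-9a-f]{32})\s+(?P<path>\S.*)$"
)

# Sample input: the svchost, explorer, services and userinit lines from the
# thread's ComboFix log, plus one constructed clean pair (winlogon.exe with a
# made-up hash) so the clean case is exercised too.
SAMPLE = r"""
00-02-16 02:00  17680  22e415898d5271438be6f865071320da    C:\WINDOWS\SYSTEM32\svchost.exe
00-02-16 02:00  17680  3be249b0fe6e109aedd1e83618c5440a    C:\WINDOWS\SYSTEM32\dllcache\svchost.exe

03-06-19 12:05  253200  16fc7e56ffaa71d8974c799e75242848    C:\WINDOWS\explorer.exe
03-06-19 12:05  253200  a2ba99ccdd6251424c2185312b42ad04    C:\WINDOWS\SYSTEM32\dllcache\explorer.exe

03-06-19 10:05  99088  a127a57622a114778003ad2cdf72853e    C:\WINDOWS\$NtUpdateRollupPackUninstall$\services.exe
03-06-19 12:05  99088  632fcf962c263f34839c3c54a01a427b    C:\WINDOWS\SYSTEM32\services.exe
03-06-19 12:05  99088  70eb7808d6d462b9d8f3a628933d7f9f    C:\WINDOWS\SYSTEM32\dllcache\services.exe

03-06-19 12:05  27408  6dce5c0d46d8318fcf275a3ae5e2fbf2    C:\WINDOWS\SYSTEM32\userinit.exe
03-06-19 12:05  27408  610dcc2b2dd9328376b90f87d179e0a8    C:\WINDOWS\SYSTEM32\dllcache\userinit.exe

03-06-19 12:05  180000  0123456789abcdef0123456789abcdef    C:\WINDOWS\SYSTEM32\winlogon.exe
03-06-19 12:05  180000  0123456789abcdef0123456789abcdef    C:\WINDOWS\SYSTEM32\dllcache\winlogon.exe
"""


def parse_sigcheck(text):
    """Turn Sigcheck lines into dicts; blank and non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            entries.append({"size": int(m.group("size")),
                            "md5": m.group("md5"),
                            "path": m.group("path")})
    return entries


def is_reference(path):
    """dllcache holds the copies Windows File Protection restores from."""
    return "\\dllcache\\" in path.lower()


def hash_mismatches(entries):
    """Return (name, live_path, live_md5, ref_md5, same_size) for every live
    copy whose MD5 differs from its dllcache reference.

    A difference shows that the two copies are not the same build; it does not
    by itself say which one was tampered with, since dllcache can be replaced
    as well. Same size with a different hash is the typical sign of in-place
    patching of the binary."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rpartition("\\")[2].lower()].append(e)
    out = []
    for name, group in sorted(by_name.items()):
        refs = [e for e in group if is_reference(e["path"])]
        if not refs:
            continue  # nothing to compare against
        ref = refs[0]
        for e in group:
            if is_reference(e["path"]):
                continue
            if "$ntupdaterolluppackuninstall$" in e["path"].lower():
                continue  # hotfix uninstall folders hold the previous build, not the running copy
            if e["md5"] != ref["md5"]:
                out.append((name, e["path"], e["md5"], ref["md5"], e["size"] == ref["size"]))
    return out


if __name__ == "__main__":
    for name, path, live, ref, same_size in hash_mismatches(parse_sigcheck(SAMPLE)):
        print(f"{name}: {path} md5={live} dllcache={ref} same size={same_size}")
```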
fromsej (Trainee)
6 October 2008 - 21:34 #17
Are you sure, Ejvindh? I thought I saw a legitimate file or two!!!

I fully agree, give the machine a round of Killdisk and start over.
fromsej (Trainee)
6 October 2008 - 21:39 #18
Anyone willing to take on finding 10 NON-infected exe files gets half a litre of draught beer from me if they succeed.
7 October 2008 - 06:43 #19
AGREED!

<daki>: What do you say to that?
reinelt (Beginner)
7 October 2008 - 13:27 #20
karise-larry, can you help with this one: http://www.eksperten.dk/spm/846177#rid7224475
daki (Junior master)
7 October 2008 - 16:45 #21
That's what I was afraid of :-)
But it looks like the only way out....

I'll just mention that it isn't mine but a colleague's, where they apparently never took any interest in the strange messages they had been getting for a long time and never asked to have antivirus etc. installed.

Does it have to be killdisk; is a reinstallation with format not enough, or what?

/dan
Avatar billede daki Juniormester
07. oktober 2008 - 16:48 #22
Men at jeg har kikket på den og desværre har været så dum at benytte min egne som master hd, har gjort at jeg også må til at formatere den :-(
Desuden er jeg bange for, at det også har sat sig i min bærbar (logs via usb-stik). :-(

/dan
07 October 2008 - 16:55 #23
A reinstallation with FULL formatting - almost as described here ->

http://www.eksperten.dk/artikler/1104
That is, NO FORM OF INTERNET CONNECTION along the way ...
07 October 2008 - 16:56 #24
Check your USB stick to see whether there is any other 'fun' on it besides the LOG files mentioned...
daki Junior master
07 October 2008 - 17:02 #25
OK, I'll look at it.
Have scanned 3 times with F-Secure, and the last 2 times it was clean.
Thinking of formatting it....
ejvindh Expert
07 October 2008 - 21:18 #26
If you used your own as master without the installation on the infected HD being active, then you needn't be afraid. The junk has to be activated in order to "infect" ;-)

The USB stick is another matter; you should probably have it checked if it was plugged into the computer while the infection was active.
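The check suggested in #24 and #26 (look the USB stick over for anything besides the log files it was meant to carry) as an added example; this is not code from the thread or from any of the tools mentioned in it. It walks a drive, flags an `autorun.inf` and reports which run directives it carries, and lists executables, including ones disguised behind a document extension such as `photo.jpg.exe`. The `make_constructed_sample()` helper builds a throwaway folder with constructed file names (the log file names mirror the ones in the thread; everything else is invented) so the scan can be tried offline before pointing it at a real drive letter.

```python
import os
import stat
import tempfile
from pathlib import Path

# Extensions that should not normally appear on a stick used only to carry log files.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".dll", ".lnk"}
# Document-style extensions commonly placed in front of a real executable extension.
DECOY_EXT = {".txt", ".log", ".jpg", ".jpeg", ".png", ".doc", ".pdf"}


def parse_autorun(text):
    """Return the run-related directives of an autorun.inf body as {key: value}.

    Only the [autorun] section matters; 'open' and every 'shell...' key
    (shellexecute, shell\\open\\command, ...) cause something to execute on insert.
    """
    hooks = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            key = key.strip().lower()
            if key == "open" or key.startswith("shell"):
                hooks[key] = value.strip()
    return hooks


def is_hidden(path):
    """Hidden/system attribute on Windows; dotfile convention elsewhere."""
    try:
        attrs = os.stat(path).st_file_attributes  # only present on Windows
        return bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))
    except AttributeError:
        return path.name.startswith(".")


def scan_removable(root):
    """Walk a drive and return (relative_path, reason) for every item worth a closer look."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        prefix = "hidden " if is_hidden(path) else ""
        suffixes = [s.lower() for s in path.suffixes]
        if path.name.lower() == "autorun.inf":
            hooks = parse_autorun(path.read_text(errors="replace"))
            detail = ", ".join(f"{k}={v}" for k, v in hooks.items()) or "no run directives"
            findings.append((rel, f"{prefix}autorun.inf present ({detail})"))
        elif suffixes and suffixes[-1] in EXECUTABLE_EXT:
            if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXT:
                findings.append((rel, f"{prefix}executable disguised with a document extension"))
            else:
                findings.append((rel, f"{prefix}executable on a data-only stick"))
    return findings


def make_constructed_sample():
    """Build a constructed sample 'stick' in a temp folder and return its path (assumption: test data only)."""
    d = Path(tempfile.mkdtemp(prefix="stick-"))
    (d / "tools").mkdir()
    (d / "mbam-log-2008-09-27 (15-50-55).txt").write_text("constructed log")
    (d / "hijackthis.log").write_text("constructed log")
    (d / "autorun.inf").write_text("[autorun]\nopen=setup.exe\nicon=setup.ico\n")
    (d / "photo.jpg.exe").write_text("constructed, not a real binary")
    (d / "tools" / "helper.exe").write_text("constructed, not a real binary")
    return str(d)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_constructed_sample()
    for rel, reason in scan_removable(target):
        print(f"{reason:55s} {rel}")
```

Run it as `python scan_stick.py E:\` (the script name and drive letter are placeholders) to get a list rather than a verdict; a clean stick that only carried the two log files produces no output at all, and anything listed is what you would hand to the scanner of your choice before trusting the stick in another machine.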
daki Junior master
20 October 2008 - 11:48 #27
So that should be sorted now :-)
Does anyone want points?

/dan
reinelt Beginner
20 October 2008 - 12:37 #28
a few would be nice
fromsej Trainee
20 October 2008 - 13:19 #29
I'll keep and enjoy the prize from here instead: 06/10-2008 21:39:10
20 October 2008 - 19:02 #30
Ping...
(To be shared among several ...)
ejvindh Expert
21 October 2008 - 12:19 #31
I'll pass. It was you who solved the problem yourself.
daki Junior master
22 October 2008 - 09:32 #32
Is that OK?

/dan