
Virus that makes the computer slow :/ HELP!


HampusL


Hi, I have a virus that makes my computer really slow. When I start certain programs they sometimes don't work, and when I close programs the computer hangs so that I have to restart it.

I have Ad-Aware and Spybot, but neither of them can find it or remove it.

I also have Panda Antivirus, but when I run a complete scan of the computer the whole program hangs when it finishes, so I can neither see whether there are any viruses on the computer nor remove them.

When I log in to the computer, a small window flashes in the left corner just before the desktop appears, and it says something about "settings and system32", but I don't have time to read the whole sentence.

I assume it is a virus that has done something in the system32 folder, so that the computer hangs often and behaves strangely.

Please help me :)


[log]

Logfile of HijackThis v1.99.1

Scan saved at 20:15:43, on 2006-12-05

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program\Delade filer\LightScribe\LSSrvc.exe

C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE

C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program\Synaptics\SynTP\SynTPEnh.exe

C:\Program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\MSN Messenger\msnmsgr.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\Internet Explorer\iexplore.exe

C:\DOCUME~1\KHN06H~1\MINADO~1\ASEMBL~1\services.exe

C:\Documents and Settings\khn06halonne\Mina dokument\?dobe\m?dtc.exe

C:\Program\hpq\Shared\HPQTOA~1.EXE

C:\Program\Mozilla Firefox\firefox.exe

C:\Program\Panda Software\Panda Antivirus Platinum\pavProxy.exe

C:\Program\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Delade filer\{8493D7C5-067E-1053-0615-06030820002e}\Update.exe

C:\WINDOWS\system32\ishost.exe

C:\WINDOWS\system32\ismini.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\Program\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://clk.atdmt.com/goiframe/11562227.16657942/msnnkmse001234x60Ximssws0000001pps/direct;wi.234;hi.60/01

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

R3 - URLSearchHook: (no name) - {60238CAE-1A17-49B7-1395-4091FEA088E9} - C:\WINDOWS\system32\mjwkl.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Safety Bar - {fbea0445-4c4a-4136-864a-c72a4a182a84} - C:\Program\Safety Bar\SafetyBar.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll

O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program\DELADE~1\{3493D~1\888Bar.dll

O4 - HKLM\..\Run: [iAAnotif] C:\Program\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [sCANINICIO] "C:\Program\Panda Software\Panda Antivirus Platinum\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [WatchDog] C:\Program\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [winupd] C:\WINDOWS\system32\winupd.exe

O4 - HKLM\..\Run: [ipWins] C:\Program\ipwins\ipwins.exe

O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgak.dll,startup

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [winupd] C:\WINDOWS\system32\winupd.exe

O4 - HKCU\..\Run: [uniblue Registry Booster] C:\Program\Uniblue\Registry Booster\RegistryBooster.exe /S

O4 - HKCU\..\Run: [ibrn] "C:\DOCUME~1\KHN06H~1\MINADO~1\ASEMBL~1\services.exe" -vt yazb

O4 - HKCU\..\Run: [Nxgc] C:\Documents and Settings\khn06halonne\Mina dokument\?dobe\m?dtc.exe

O4 - Global Startup: DVD Check.lnk = C:\Program\InterVideo\DVD Check\DVDCheck.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154682963062

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = khamn.johnbauer.nu

O17 - HKLM\Software\..\Telephony: DomainName = khamn.johnbauer.nu

O17 - HKLM\System\CCS\Services\Tcpip\..\{77D3FF0C-7C1B-4732-8D8C-60F26D81ABB0}: NameServer = 192.168.0.1,192.168.0.2

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = khamn.johnbauer.nu

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = khamn.johnbauer.nu

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program\Delade filer\LightScribe\LSSrvc.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe

O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe

O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

[/log]

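To show how a helper reads the O4 (autostart) lines in a HijackThis log like the one above, here is an added Python example; it is not from this thread and not HijackThis code. It parses a handful of O4 lines copied from the log (embedded as a constructed sample) and flags the ones that trip simple defensive rules: a `?` in the path (HijackThis's rendering of a non-ASCII lookalike character, as in the `?dobe` folder), a core Windows binary name such as services.exe running from a user profile, a rundll32-based autostart, and the same value name registered in both HKLM and HKCU. The rule set is my own assumption about what is worth a second look, not anything the tool itself reports.

```python
import ntpath
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample: O4 lines copied from the HijackThis log in the thread,
# two known-good entries first, then the ones a helper would look at twice.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\system32\winupd.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgak.dll,startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [winupd] C:\WINDOWS\system32\winupd.exe
O4 - HKCU\..\Run: [ibrn] "C:\DOCUME~1\KHN06H~1\MINADO~1\ASEMBL~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Nxgc] C:\Documents and Settings\khn06halonne\Mina dokument\?dobe\m?dtc.exe
"""

# "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKU)[^:]*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable/DLL path in a command, even when the path has spaces and no quotes.
IMAGE_RE = re.compile(r"(?i)(.*?\.(?:exe|dll|scr|com|bat))(?=[\s,]|$)")

# Core Windows binaries; one of these names running from anywhere but the
# Windows directory is a classic masquerade (assumed list, not exhaustive).
SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                   "csrss.exe", "smss.exe", "explorer.exe"}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
USER_PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\")


class Entry(NamedTuple):
    hive: str
    name: str
    command: str


def parse_o4(line: str):
    """Return an Entry for an O4 hive line, or None for anything else."""
    m = O4_RE.match(line.strip())
    return Entry(m.group("hive"), m.group("name"), m.group("cmd")) if m else None


def split_command(cmd: str):
    """Split an autostart command into (image path, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = IMAGE_RE.match(cmd)
    if m:
        return m.group(1), cmd[m.end():].strip()
    return cmd.split(" ", 1)[0], ""


def triage(log_text: str):
    """Return [(entry, [reason, ...])] for every O4 entry that trips a rule."""
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e]
    hives_by_name = defaultdict(set)
    for e in entries:
        hives_by_name[e.name.lower()].add(e.hive)

    findings = []
    for e in entries:
        image, args = split_command(e.command)
        lower = image.lower()
        base = ntpath.basename(lower)
        reasons = []
        if "?" in image:
            reasons.append("non-ASCII character in path (shown as '?'): lookalike folder or file name")
        if base in SYSTEM_BINARIES and ntpath.dirname(lower) not in WINDOWS_DIRS:
            reasons.append(f"{base} running from outside the Windows directory")
        if any(marker in lower for marker in USER_PROFILE_MARKERS):
            reasons.append("autostart image stored under a user profile")
        if base == "rundll32.exe":
            dll, _ = split_command(args)
            reasons.append(f"rundll32 loads {ntpath.basename(dll)} at logon; verify the DLL's publisher")
        if len(hives_by_name[e.name.lower()]) > 1:
            reasons.append("same value name registered in both HKLM and HKCU Run")
        if reasons:
            findings.append((e, reasons))
    return findings


def flagged_names(log_text: str):
    """Value names of the flagged entries, in log order."""
    return [e.name for e, _ in triage(log_text)]


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"{entry.hive} [{entry.name}] {entry.command}")
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the two Intel/Panda entries and ctfmon pass clean, while winupd (both hives), CTDrive, ibrn and Nxgc are listed with the reason each one tripped, which is the same short list the helper's reply goes on to address.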

Could it be the MSN nasty that gets in when you click a link in MSN?

Among other things, the spyware PurityScan is in the log. We'll start by dealing with that.

Download http://www.mvps.org/winhelp2002/hosts.zip to the Desktop.

Unzip the file. A new folder named Hosts is created on the Desktop.

Double-click the folder to open it.

Double-click the file mvps.bat to start the program.

This program will replace the computer's Hosts file so that the PurityScan nasty is prevented from contacting its creator. It will also prevent you from visiting sites that are notorious for installing nasties on the computer. You can read more about it here:

http://www.mvps.org/winhelp2002/hosts.htm

Control Panel - Add or Remove Programs

If any of the following is in the list, remove it:

Oin

Yazzle by Oin

Purityscan by Oin

Snowballwars by Oin

or anything similar with Oin or Outerinfo in the name.

Zolero

Tizzletalk

MediaTickets

Cowabanga

Download and run the uninstaller

http://www.outerinfo.com/OiUninstaller.exe

If you need instructions, they are here: http://www.outerinfo.com/howto.html

Restart the computer

Download and install the free version, SUPERAntiSpyware Free Edition:

http://www.superantispyware.com/download.html

Start the program and click Check for updates.

Close the program when the update is finished.

Restart the computer in Safe Mode (press F8 repeatedly during startup and choose Safe Mode from the menu).

Start SUPERAntiSpyware and click Scan your Computer.

Tick all hard drives (fixed drive/disk).

Choose Perform complete scan

Next

When the scan is finished a summary comes up; click OK

Next

Execute (or similar)

A window saying Quarantine and removal Complete comes up

OK

Execute (or similar)

Close the program.

Restart in normal mode.

Start the program, click Preferences and choose the Statistics/Logs tab

Double-click the newest SUPERAntiSpyware Scan Log so that the log opens in Notepad.

Paste the log into your reply

Download ComboFix:

http://download.bleepingcomputer.com/sUBs/combofix.exe

Run it and follow the instructions shown.

IMPORTANT! Do not click in the ComboFix window with the mouse while it is running, otherwise it may hang.

When it is finished a log should come up; paste it here, together with a new HijackThis log.


[log]

khn06halonne - 06-12-06 9:00:17.17 Service Pack 2

ComboFix 06.11.27W - Running from: "C:\Documents and Settings\khn06halonne\Skrivbord"

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Program\Delade filer\Yazzle1162OinAdmin.exe

C:\Program\Delade filer\Yazzle1162OinUninstaller.exe

C:\WINDOWS\system32\components

C:\Program\Delade filer\{3493D7C5-067E-1053-0615-06030820002e}

C:\Program\Delade filer\{8493D7C5-067E-1053-0615-06030820002e}

 

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

 

Folders Quarantined:

 

C:\QooBox\Purity\Documents and Settings\khn06halonne\Mina dokument\ASEMBL~1

C:\QooBox\Purity\Documents and Settings\khn06halonne\Mina dokument\DOBE~1

C:\QooBox\Purity\Documents and Settings\khn06halonne\Mina dokument\MCROSO~1

C:\QooBox\Purity\Documents and Settings\khn06halonne\Mina dokument\ASEMBL~1\a?sembly

 

 

((((((((((((((((((((((((((((((( Files Created from 2006-11-06 to 2006-12-06 ))))))))))))))))))))))))))))))))))

 

 

2006-12-06 08:53 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE

2006-12-06 08:39 <KAT> d-------- C:\Program\SUPERAntiSpyware

2006-12-06 08:39 <KAT> d-------- C:\Program\Delade filer\Wise Installation Wizard

2006-12-06 08:39 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\SUPERAntiSpyware.com

2006-12-05 22:25 <KAT> d-------- C:\Program\Azureus

2006-12-05 20:15 <KAT> d-------- C:\Program\Hijackthis

2006-12-05 20:11 40,973 ---hs---- C:\WINDOWS\system32\vtuvstr.dll

2006-12-05 13:10 <KAT> d-------- C:\Documents and Settings\khn06halonne\Local Settings

2006-12-05 13:10 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\Google

2006-12-05 13:10 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Google

2006-12-05 13:09 <KAT> d-------- C:\Program\Google

2006-12-05 13:03 88,340 --a------ C:\WINDOWS\system32\ryylrbnv.exe

2006-12-05 13:03 <KAT> d-------- C:\Program\VSAdd-in

2006-12-05 09:54 88,340 --a------ C:\WINDOWS\system32\klwmwukq.exe

2006-12-04 09:54 88,340 --a------ C:\WINDOWS\system32\rcxdoiic.exe

2006-12-04 09:54 42,516 --a------ C:\WINDOWS\system32\rbbxbsmj.dll

2006-12-04 09:54 1,170,373 ---hs---- C:\WINDOWS\system32\jjllm.bak2

2006-12-03 22:58 19,456 --a------ C:\WINDOWS\system32\cool.exe

2006-12-03 22:21 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe

2006-12-03 22:21 53,248 --a------ C:\WINDOWS\system32\Process.exe

2006-12-03 22:21 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2006-12-03 22:21 40,960 --a------ C:\WINDOWS\system32\swsc.exe

2006-12-03 22:21 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2006-12-03 22:21 135,168 --a------ C:\WINDOWS\system32\swreg.exe

2006-12-03 20:36 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\Help

2006-12-03 20:30 <KAT> d-------- C:\Program\Security Task Manager

2006-12-03 20:30 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan

2006-12-03 18:35 72,704 --a------ C:\WINDOWS\system32\drvluk.dll

2006-12-03 17:03 88,340 --a------ C:\WINDOWS\system32\vljcyyds.exe

2006-12-03 17:02 591,596 ---hs---- C:\WINDOWS\system32\jjllm.bak1

2006-12-03 17:02 126,996 --a------ C:\WINDOWS\system32\xlxsdgok.dll

2006-12-03 16:33 73,728 --a------ C:\uvfeel.exe

2006-12-03 16:31 72,704 --a------ C:\WINDOWS\system32\drvxil.dll

2006-12-03 16:31 40,973 ---hs---- C:\WINDOWS\system32\qommlig.dll

2006-12-03 16:29 <KAT> d-------- C:\Program\Gamenext

2006-12-03 16:29 <KAT> d-------- C:\Program\Delade filer\Oberon Media

2006-12-03 00:25 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys

2006-12-03 00:25 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys

2006-12-03 00:25 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS

2006-12-03 00:25 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys

2006-12-03 00:25 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys

2006-12-03 00:25 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys

2006-12-03 00:25 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys

2006-12-03 00:24 54,272 --a------ C:\WINDOWS\system32\vfwwdm32.dll

2006-12-03 00:24 <KAT> d-------- C:\WINDOWS\OvtCam

2006-12-03 00:22 61,440 --a------ C:\WINDOWS\ov519dib.dll

2006-12-03 00:22 40,960 --a------ C:\WINDOWS\system32\ov519ext.dll

2006-12-03 00:22 40,960 --a------ C:\WINDOWS\CleanDev.exe

2006-12-03 00:22 32,528 --a------ C:\WINDOWS\amcap.exe

2006-12-03 00:22 307,200 --a------ C:\WINDOWS\vidcap32.exe

2006-12-03 00:22 25,211 --a------ C:\WINDOWS\system32\drivers\ov519cmd.sys

2006-12-03 00:22 200,704 --a------ C:\WINDOWS\sel3110.exe

2006-12-03 00:22 174,530 --a------ C:\WINDOWS\system32\drivers\ov519vid.sys

2006-12-03 00:22 16,426 --a------ C:\WINDOWS\system32\ov519usd.dll

2006-12-03 00:22 135,168 --a------ C:\WINDOWS\ov519cap.exe

2006-12-03 00:22 <KAT> d-------- C:\Program\Eyetoy Drivers

2006-12-03 00:10 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys

2006-12-02 18:28 2,829 --a------ C:\WINDOWS\War3Unin.pif

2006-12-02 18:28 139,264 --a------ C:\WINDOWS\War3Unin.exe

2006-12-02 18:21 <KAT> d-------- C:\Program\Warcraft III

2006-12-02 16:29 <KAT> d-------- C:\Program\Uniblue

2006-12-02 16:29 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\Uniblue

2006-11-29 08:23 <KAT> d-------- C:\Program\Notepad++

2006-11-29 08:23 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\Notepad++

2006-11-28 12:02 <KAT> d-------- C:\Program\EA GAMES

2006-11-27 18:24 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\BearShare

2006-11-27 18:18 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\uTorrent

2006-11-27 17:24 <KAT> d-------- C:\Program\BearShare Applications

2006-11-27 12:25 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\AdobeUM

2006-11-27 12:21 <KAT> d-------- C:\WINDOWS\Sun

2006-11-27 11:44 129,784 --------- C:\WINDOWS\system32\pxafs.dll

2006-11-27 11:44 115,880 --------- C:\WINDOWS\system32\pxinsi64.exe

2006-11-27 10:24 <KAT> d-------- C:\WINDOWS\pss

2006-11-23 22:15 <KAT> d---s---- C:\Documents and Settings\khn06halonne\UserData

2006-11-11 18:09 <KAT> d-------- C:\WINDOWS\Minidump

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

Rootkit driver pe386 is present. A rootkit scan is required

 

2006-12-06 09:01 -------- d-------- C:\Program\Delade filer

2006-12-06 08:36 -------- d-------- C:\Program\Mozilla Firefox

2006-12-06 08:32 -------- d-------- C:\Documents and Settings\khn06halonne\Application Data\Azureus

2006-12-05 13:09 -------- d--h----- C:\Program\InstallShield Installation Information

2006-11-30 08:12 -------- d-------- C:\Program\MSN Messenger

2006-11-27 13:11 -------- d-------- C:\Documents and Settings\khn06halonne\Application Data\Macromedia

2006-11-27 12:47 -------- d-------- C:\Documents and Settings\khn06halonne\Application Data\Winamp

2006-11-27 11:44 -------- d-------- C:\Program\Winamp

2006-11-18 03:01 -------- d-------- C:\Program\Internet Explorer

2006-11-16 21:59 -------- d-------- C:\Documents and Settings\khn06halonne\Application Data\Real

2006-11-13 06:24 -------- d-------- C:\Documents and Settings\khn06halonne\Application Data\dvdcss

2006-10-16 15:31 -------- d-------- C:\Documents and Settings\khn06halonne\Application Data\foobar2000

2006-10-13 13:41 65536 --a------ C:\WINDOWS\system32\nwwks.dll

2006-10-13 13:41 64000 --a------ C:\WINDOWS\system32\nwapi32.dll

2006-10-13 13:41 141824 --a------ C:\WINDOWS\system32\nwprovau.dll

2006-10-13 11:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys

2006-09-13 06:07 1084416 --a------ C:\WINDOWS\system32\msxml3.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

"msnmsgr"="\"C:\\Program\\MSN Messenger\\msnmsgr.exe\" /background"

"Steam"=""

"MSMSGS"="\"C:\\Program\\Messenger\\msmsgs.exe\" /background"

"Uniblue Registry Booster"="C:\\Program\\Uniblue\\Registry Booster\\RegistryBooster.exe /S"

"SUPERAntiSpyware"="C:\\Program\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"IAAnotif"="C:\\Program\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"

"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY.exe"

"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"

"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"

"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"

"AGRSMMSG"="AGRSMMSG.exe"

"SynTPEnh"="C:\\Program\\Synaptics\\SynTP\\SynTPEnh.exe"

"hpWirelessAssistant"="C:\\Program\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe"

"SCANINICIO"="\"C:\\Program\\Panda Software\\Panda Antivirus Platinum\\Inicio.exe\""

"APVXDWIN"="\"C:\\Program\\Panda Software\\Panda Antivirus Platinum\\APVXDWIN.EXE\" /s"

"WatchDog"="C:\\Program\\InterVideo\\DVD Check\\DVDCheck.exe"

"TkBellExe"="\"C:\\Program\\Delade filer\\Real\\Update_OB\\realsched.exe\" -osboot"

"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvgak.dll,startup"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000000

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

"{C671A733-A4AA-4B5F-8CEE-006242C457B5}"=""

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Acrobat Assistant.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start-meny\\Program\\Autostart\\Acrobat Assistant.lnk"

"backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\Program\\Adobe\\ADOBEA~1.0\\Distillr\\acrotray.exe "

"item"="Acrobat Assistant"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Gamma Loader.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start-meny\\Program\\Autostart\\Adobe Gamma Loader.lnk"

"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\Program\\DELADE~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "

"item"="Adobe Gamma Loader"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="daemon"

"hkey"="HKLM"

"command"="\"C:\\Program\\DAEMON Tools\\daemon.exe\" -lang 1033"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="QlbCtrl"

"hkey"="HKLM"

"command"="%ProgramFiles%\\Hewlett-Packard\\HP Quick Launch Buttons\\QlbCtrl.exe /Start"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="qttask"

"hkey"="HKLM"

"command"="\"C:\\Program\\QuickTime\\qttask.exe\" -atboottime"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="Smax4"

"hkey"="HKLM"

"command"="C:\\Program\\Analog Devices\\SoundMAX\\Smax4.exe /tray"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="smax4pnp"

"hkey"="HKLM"

"command"="C:\\Program\\Analog Devices\\Core\\smax4pnp.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="DVDCheck"

"hkey"="HKLM"

"command"="C:\\Program\\InterVideo\\DVD Check\\DVDCheck.exe"

"inimapping"="0"

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjyp32

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

Completion time: 06-12-06 9:01:58.96

C:\ComboFix.txt ... 06-12-06 09:01

C:\ComboFix2.txt ... 06-12-06 08:59

[/log]

[log]

SUPERAntiSpyware Scan Log

Generated 12/06/2006 at 08:54 AM

 

Application Version : 3.3.1020

 

Core Rules Database Version : 3142

Trace Rules Database Version: 1158

 

Scan type : Complete Scan

Total Scan Time : 00:06:09

 

Memory items scanned : 439

Memory threats detected : 8

Registry items scanned : 5338

Registry threats detected : 34

File items scanned : 622

File threats detected : 80

 

Trojan.WinFixer

C:\WINDOWS\SYSTEM32\MLLJJ.DLL

C:\WINDOWS\SYSTEM32\MLLJJ.DLL

Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\mlljj

 

Unclassified.Unknown Origin

C:\WINDOWS\SYSTEM32\XXYVSRP.DLL

C:\WINDOWS\SYSTEM32\XXYVSRP.DLL

HKLM\Software\Classes\CLSID\{C671A733-A4AA-4B5F-8CEE-006242C457B5}

HKCR\CLSID\{C671A733-A4AA-4B5F-8CEE-006242C457B5}

HKCR\CLSID\{C671A733-A4AA-4B5F-8CEE-006242C457B5}\InprocServer32

HKCR\CLSID\{C671A733-A4AA-4B5F-8CEE-006242C457B5}\InprocServer32#ThreadingModel

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C671A733-A4AA-4B5F-8CEE-006242C457B5}

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{C671A733-A4AA-4B5F-8CEE-006242C457B5}

Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\xxyvsrp

HKCR\CLSID\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}

HKCR\CLSID\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}\InprocServer32

HKCR\CLSID\{35F7813A-AF74-4474-B1DC-7EE6FB6C43C6}\InprocServer32#ThreadingModel

HKCR\CLSID\{C671A733-A4AA-4B5F-8CEE-006242C457B5}

 

Trojan.Downloader-DRVSAM

C:\WINDOWS\SYSTEM32\DRVGAK.DLL

C:\WINDOWS\SYSTEM32\DRVGAK.DLL

 

Malware.Notifier

C:\WINDOWS\SYSTEM32\ISHOST.EXE

C:\WINDOWS\SYSTEM32\ISHOST.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#ishost.exe [ ishost.exe ]

C:\WINDOWS\Prefetch\ISHOST.EXE-38143B6A.pf

 

Worm.Rbot Variant

C:\WINDOWS\SYSTEM32\ISMINI.EXE

C:\WINDOWS\SYSTEM32\ISMINI.EXE

 

Trojan.Update-Mcboo

C:\PROGRAM\DELADE FILER\{8493D7C5-067E-1053-0615-06030820002E}\UPDATE.EXE

C:\PROGRAM\DELADE FILER\{8493D7C5-067E-1053-0615-06030820002E}\UPDATE.EXE

 

Trojan.Hacktool

C:\PROGRAM\DELADE FILER\{8493D7C5-067E-1053-0615-06030820002E}\SYSTEM.DLL

C:\PROGRAM\DELADE FILER\{8493D7C5-067E-1053-0615-06030820002E}\SYSTEM.DLL

 

Adware.ClickSpring-Variant

C:\DOCUME~1\KHN06H~1\MINADO~1\ASEMBL~1\SERVICES.EXE

C:\DOCUME~1\KHN06H~1\MINADO~1\ASEMBL~1\SERVICES.EXE

 

Unclassified.WINUPD

[winupd] C:\WINDOWS\SYSTEM32\WINUPD.EXE

C:\WINDOWS\SYSTEM32\WINUPD.EXE

[winupd] C:\WINDOWS\SYSTEM32\WINUPD.EXE

C:\WINDOWS\Prefetch\WINUPD.EXE-26BF56BD.pf

 

Adware.ClickSpring

[ibrn] C:\DOCUME~1\KHN06H~1\MINADO~1\ASEMBL~1\SERVICES.EXE

 

Adware.Tracking Cookie

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@drivecleaner[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@ads.1001skins[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@stats1.reliablestats[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@abb[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@adultadworld[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@adultfriendfinder[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@metacafe.122.2o7[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@mb[5].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@www.drivecleaner[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@tribalfusion[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@ad.mp-gamer[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@www.burstnet[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@counter12.sextracker[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@sextracker[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@msnportal.112.2o7[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@targetnet[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@184908[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@ads.humornsex[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@4stats[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@cgi-bin[3].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@burstnet[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@humornsex[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@doubleclick[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@ad1.emediate[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@ad1.emediate[3].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@adinterax[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@tradedoubler[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@cgi-bin[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@kanoodle[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@serving-sys[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@mb[4].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@www.humornsex[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@atdmt[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@ad.adtoma[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@mb[3].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@ad2.adecn[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@cgi-bin[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@www.easy-xxx[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@video[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@stats.drivecleaner[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@adbrite[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@ilead.itrack[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@ads.realtechnetwork[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@zedo[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@adecn[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@www.oberon-media[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@statcounter[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@toplist[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@xiti[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@partygaming.122.2o7[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@atwola[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@1070436385[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@admarketplace[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@ad.zanox[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@internet[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@partypoker[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@rotator.adjuggler[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@focusin.ads.targetnet[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@mb[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@se.drivecleaner[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@advertising[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@adopt.hbmediapro[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@mediaplex[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@adtech[2].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@www.belstat[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@as-eu.falkag[1].txt

C:\Documents and Settings\khn06halonne\Cookies\khn06halonne@www.crackfound[1].txt

 

Trojan.Unknown Origin

HKLM\SOFTWARE\Microsoft\MSSMGR

HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd

HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV

HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV

 

Adware.Toolbar888

HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}

HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0

HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\0

HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\0\win32

HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\FLAGS

HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\HELPDIR

HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}

HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\ProxyStubClsid

HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\ProxyStubClsid32

HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\TypeLib

HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\TypeLib#Version

 

Adware.ClickSpring/Yazzle

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1162Oin

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1162Oin#DisplayName

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yazzle1162Oin#UninstallString

 

Unclassified.Unknown Origin/System

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SECTASKMAN\COOL.EXE.Q_8044C00_Q

[/log]

[log]

Logfile of HijackThis v1.99.1

Scan saved at 09:05:50, on 2006-12-06

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program\Delade filer\LightScribe\LSSrvc.exe

C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program\Synaptics\SynTP\SynTPEnh.exe

C:\Program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\MSN Messenger\msnmsgr.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program\hpq\Shared\HPQTOA~1.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program\Panda Software\Panda Antivirus Platinum\pavProxy.exe

C:\Program\Mozilla Firefox\firefox.exe

C:\Program\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://clk.atdmt.com/goiframe/11562227.16657942/msnnkmse001234x60Ximssws0000001pps/direct;wi.234;hi.60/01

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: (no name) - {C671A733-A4AA-4B5F-8CEE-006242C457B5} - (no file)

O2 - BHO: (no name) - {CB414770-9D0B-411D-A0C7-ED2FF46F2CEC} - C:\WINDOWS\system32\mlljj.dll (file missing)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Safety Bar - {fbea0445-4c4a-4136-864a-c72a4a182a84} - C:\Program\Safety Bar\SafetyBar.dll (file missing)

O4 - HKLM\..\Run: [iAAnotif] C:\Program\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [sCANINICIO] "C:\Program\Panda Software\Panda Antivirus Platinum\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [WatchDog] C:\Program\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgak.dll,startup

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [uniblue Registry Booster] C:\Program\Uniblue\Registry Booster\RegistryBooster.exe /S

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: DVD Check.lnk = C:\Program\InterVideo\DVD Check\DVDCheck.exe

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154682963062

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = khamn.johnbauer.nu

O17 - HKLM\Software\..\Telephony: DomainName = khamn.johnbauer.nu

O17 - HKLM\System\CCS\Services\Tcpip\..\{77D3FF0C-7C1B-4732-8D8C-60F26D81ABB0}: NameServer = 192.168.0.1,192.168.0.2

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = khamn.johnbauer.nu

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = khamn.johnbauer.nu

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: winjyp32 - winjyp32.dll (file missing)

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program\Delade filer\LightScribe\LSSrvc.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe

O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe

O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

[/log]

 


Could it be the MSN nasty that gets in when you click a link in MSN?

Because if so, the MSN program itself may be infected and would then need to be uninstalled.

 

Download Gmer to the Desktop from this page: http://www.gmer.net/

Unpack the file to the Desktop.

 

Start - Programs - Accessories - Command Prompt

In the Command Prompt, type the following:

cd Skrivbord

gmer -del service pe386

and then a new ComboFix log.

 


Sometimes it does :S

 

[log]khn06halonne - 06-12-06 10:25:53,29 Service Pack 2

ComboFix 06.11.27W - Running from: "C:\Documents and Settings\khn06halonne\Skrivbord"

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

 

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

 

Folders Quarantined:

 

C:\QooBox\Purity\Documents and Settings\khn06halonne\Mina dokument\ASEMBL~1

C:\QooBox\Purity\Documents and Settings\khn06halonne\Mina dokument\DOBE~1

C:\QooBox\Purity\Documents and Settings\khn06halonne\Mina dokument\MCROSO~1

C:\QooBox\Purity\Documents and Settings\khn06halonne\Mina dokument\ASEMBL~1\a?sembly

 

 

((((((((((((((((((((((((((((((( Files Created from 2006-11-06 to 2006-12-06 ))))))))))))))))))))))))))))))))))

 

 

2006-12-06 10:25 80 --a------ C:\WINDOWS\gmer_uninstall.cmd

2006-12-06 08:53 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE

2006-12-06 08:39 <KAT> d-------- C:\Program\SUPERAntiSpyware

2006-12-06 08:39 <KAT> d-------- C:\Program\Delade filer\Wise Installation Wizard

2006-12-06 08:39 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\SUPERAntiSpyware.com

2006-12-05 22:25 <KAT> d-------- C:\Program\Azureus

2006-12-05 20:15 <KAT> d-------- C:\Program\Hijackthis

2006-12-05 20:11 40,973 ---hs---- C:\WINDOWS\system32\vtuvstr.dll

2006-12-05 13:10 <KAT> d-------- C:\Documents and Settings\khn06halonne\Local Settings

2006-12-05 13:10 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\Google

2006-12-05 13:10 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Google

2006-12-05 13:09 <KAT> d-------- C:\Program\Google

2006-12-05 13:03 88,340 --a------ C:\WINDOWS\system32\ryylrbnv.exe

2006-12-05 13:03 <KAT> d-------- C:\Program\VSAdd-in

2006-12-05 09:54 88,340 --a------ C:\WINDOWS\system32\klwmwukq.exe

2006-12-04 09:54 88,340 --a------ C:\WINDOWS\system32\rcxdoiic.exe

2006-12-04 09:54 42,516 --a------ C:\WINDOWS\system32\rbbxbsmj.dll

2006-12-04 09:54 1,170,373 ---hs---- C:\WINDOWS\system32\jjllm.bak2

2006-12-03 22:58 19,456 --a------ C:\WINDOWS\system32\cool.exe

2006-12-03 22:21 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe

2006-12-03 22:21 53,248 --a------ C:\WINDOWS\system32\Process.exe

2006-12-03 22:21 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2006-12-03 22:21 40,960 --a------ C:\WINDOWS\system32\swsc.exe

2006-12-03 22:21 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2006-12-03 22:21 135,168 --a------ C:\WINDOWS\system32\swreg.exe

2006-12-03 20:36 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\Help

2006-12-03 20:30 <KAT> d-------- C:\Program\Security Task Manager

2006-12-03 20:30 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan

2006-12-03 18:35 72,704 --a------ C:\WINDOWS\system32\drvluk.dll

2006-12-03 17:03 88,340 --a------ C:\WINDOWS\system32\vljcyyds.exe

2006-12-03 17:02 591,596 ---hs---- C:\WINDOWS\system32\jjllm.bak1

2006-12-03 17:02 126,996 --a------ C:\WINDOWS\system32\xlxsdgok.dll

2006-12-03 16:33 73,728 --a------ C:\uvfeel.exe

2006-12-03 16:31 72,704 --a------ C:\WINDOWS\system32\drvxil.dll

2006-12-03 16:31 40,973 ---hs---- C:\WINDOWS\system32\qommlig.dll

2006-12-03 16:29 <KAT> d-------- C:\Program\Gamenext

2006-12-03 16:29 <KAT> d-------- C:\Program\Delade filer\Oberon Media

2006-12-03 00:25 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys

2006-12-03 00:25 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys

2006-12-03 00:25 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS

2006-12-03 00:25 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys

2006-12-03 00:25 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys

2006-12-03 00:25 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys

2006-12-03 00:25 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys

2006-12-03 00:24 54,272 --a------ C:\WINDOWS\system32\vfwwdm32.dll

2006-12-03 00:24 <KAT> d-------- C:\WINDOWS\OvtCam

2006-12-03 00:22 61,440 --a------ C:\WINDOWS\ov519dib.dll

2006-12-03 00:22 40,960 --a------ C:\WINDOWS\system32\ov519ext.dll

2006-12-03 00:22 40,960 --a------ C:\WINDOWS\CleanDev.exe

2006-12-03 00:22 32,528 --a------ C:\WINDOWS\amcap.exe

2006-12-03 00:22 307,200 --a------ C:\WINDOWS\vidcap32.exe

2006-12-03 00:22 25,211 --a------ C:\WINDOWS\system32\drivers\ov519cmd.sys

2006-12-03 00:22 200,704 --a------ C:\WINDOWS\sel3110.exe

2006-12-03 00:22 174,530 --a------ C:\WINDOWS\system32\drivers\ov519vid.sys

2006-12-03 00:22 16,426 --a------ C:\WINDOWS\system32\ov519usd.dll

2006-12-03 00:22 135,168 --a------ C:\WINDOWS\ov519cap.exe

2006-12-03 00:22 <KAT> d-------- C:\Program\Eyetoy Drivers

2006-12-03 00:10 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys

2006-12-02 18:28 2,829 --a------ C:\WINDOWS\War3Unin.pif

2006-12-02 18:28 139,264 --a------ C:\WINDOWS\War3Unin.exe

2006-12-02 18:21 <KAT> d-------- C:\Program\Warcraft III

2006-12-02 16:29 <KAT> d-------- C:\Program\Uniblue

2006-12-02 16:29 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\Uniblue

2006-11-29 08:23 <KAT> d-------- C:\Program\Notepad++

2006-11-29 08:23 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\Notepad++

2006-11-28 12:02 <KAT> d-------- C:\Program\EA GAMES

2006-11-27 18:24 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\BearShare

2006-11-27 18:18 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\uTorrent

2006-11-27 17:24 <KAT> d-------- C:\Program\BearShare Applications

2006-11-27 12:25 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\AdobeUM

2006-11-27 12:21 <KAT> d-------- C:\WINDOWS\Sun

2006-11-27 11:44 129,784 --------- C:\WINDOWS\system32\pxafs.dll

2006-11-27 11:44 115,880 --------- C:\WINDOWS\system32\pxinsi64.exe

2006-11-27 10:24 <KAT> d-------- C:\WINDOWS\pss

2006-11-23 22:15 <KAT> d---s---- C:\Documents and Settings\khn06halonne\UserData

2006-11-11 18:09 <KAT> d-------- C:\WINDOWS\Minidump

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

Rootkit driver pe386 is present. A rootkit scan is required

 

2006-12-06 10:00 -------- d-------- C:\Program\Mozilla Firefox

2006-12-06 09:01 -------- d-------- C:\Program\Delade filer

2006-12-06 08:32 -------- d-------- C:\Documents and Settings\khn06halonne\Application Data\Azureus

2006-12-05 13:09 -------- d--h----- C:\Program\InstallShield Installation Information

2006-11-30 08:12 -------- d-------- C:\Program\MSN Messenger

2006-11-27 13:11 -------- d-------- C:\Documents and Settings\khn06halonne\Application Data\Macromedia

2006-11-27 12:47 -------- d-------- C:\Documents and Settings\khn06halonne\Application Data\Winamp

2006-11-27 11:44 -------- d-------- C:\Program\Winamp

2006-11-18 03:01 -------- d-------- C:\Program\Internet Explorer

2006-11-16 21:59 -------- d-------- C:\Documents and Settings\khn06halonne\Application Data\Real

2006-11-13 06:24 -------- d-------- C:\Documents and Settings\khn06halonne\Application Data\dvdcss

2006-10-16 15:31 -------- d-------- C:\Documents and Settings\khn06halonne\Application Data\foobar2000

2006-10-13 13:41 65536 --a------ C:\WINDOWS\system32\nwwks.dll

2006-10-13 13:41 64000 --a------ C:\WINDOWS\system32\nwapi32.dll

2006-10-13 13:41 141824 --a------ C:\WINDOWS\system32\nwprovau.dll

2006-10-13 11:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys

2006-09-13 06:07 1084416 --a------ C:\WINDOWS\system32\msxml3.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

"msnmsgr"="\"C:\\Program\\MSN Messenger\\msnmsgr.exe\" /background"

"Steam"=""

"MSMSGS"="\"C:\\Program\\Messenger\\msmsgs.exe\" /background"

"Uniblue Registry Booster"="C:\\Program\\Uniblue\\Registry Booster\\RegistryBooster.exe /S"

"SUPERAntiSpyware"="C:\\Program\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"IAAnotif"="C:\\Program\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"

"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY.exe"

"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"

"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"

"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"

"AGRSMMSG"="AGRSMMSG.exe"

"SynTPEnh"="C:\\Program\\Synaptics\\SynTP\\SynTPEnh.exe"

"hpWirelessAssistant"="C:\\Program\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe"

"SCANINICIO"="\"C:\\Program\\Panda Software\\Panda Antivirus Platinum\\Inicio.exe\""

"APVXDWIN"="\"C:\\Program\\Panda Software\\Panda Antivirus Platinum\\APVXDWIN.EXE\" /s"

"WatchDog"="C:\\Program\\InterVideo\\DVD Check\\DVDCheck.exe"

"TkBellExe"="\"C:\\Program\\Delade filer\\Real\\Update_OB\\realsched.exe\" -osboot"

"CTDrive"="rundll32.exe C:\\WINDOWS\\system32\\drvgak.dll,startup"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000000

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

"{C671A733-A4AA-4B5F-8CEE-006242C457B5}"=""

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Acrobat Assistant.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start-meny\\Program\\Autostart\\Acrobat Assistant.lnk"

"backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\Program\\Adobe\\ADOBEA~1.0\\Distillr\\acrotray.exe "

"item"="Acrobat Assistant"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Gamma Loader.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start-meny\\Program\\Autostart\\Adobe Gamma Loader.lnk"

"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\Program\\DELADE~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "

"item"="Adobe Gamma Loader"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="daemon"

"hkey"="HKLM"

"command"="\"C:\\Program\\DAEMON Tools\\daemon.exe\" -lang 1033"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="QlbCtrl"

"hkey"="HKLM"

"command"="%ProgramFiles%\\Hewlett-Packard\\HP Quick Launch Buttons\\QlbCtrl.exe /Start"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="qttask"

"hkey"="HKLM"

"command"="\"C:\\Program\\QuickTime\\qttask.exe\" -atboottime"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="Smax4"

"hkey"="HKLM"

"command"="C:\\Program\\Analog Devices\\SoundMAX\\Smax4.exe /tray"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="smax4pnp"

"hkey"="HKLM"

"command"="C:\\Program\\Analog Devices\\Core\\smax4pnp.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="DVDCheck"

"hkey"="HKLM"

"command"="C:\\Program\\InterVideo\\DVD Check\\DVDCheck.exe"

"inimapping"="0"

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjyp32

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

Completion time: 06-12-06 10:26:41.73

C:\ComboFix.txt ... 06-12-06 10:26

C:\ComboFix2.txt ... 06-12-06 09:01

C:\ComboFix3.txt ... 06-12-06 08:59

[/log]

 


That didn't work. Did you get no error messages?

 

Then try this:

Double-click the program gmer.exe to start it.

Select the Rootkit tab, press Scan

When it is done, right-click the text: [system] pe386

Choose Delete the service and then restart the computer

New ComboFix log

 


If you typed exactly what I wrote, including the spaces, then try starting in Safe Mode (press F8 repeatedly during startup and choose Safe Mode from the menu) and there:

Double-click the program gmer.exe to start it.

Select the Rootkit tab, press Scan

When it is done, right-click the text: [system] pe386

Choose Delete the service and then restart the computer

New ComboFix log

 


I can't find any [system] pe386 after scanning, but here is the ComboFix log anyway :)

 

[log]

khn06halonne - 06-12-06 13:45:31,03 Service Pack 2

ComboFix 06.11.27W - Running from: "C:\Documents and Settings\khn06halonne\Skrivbord"

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

 

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

 

Folders Quarantined:

 

C:\QooBox\Purity\Documents and Settings\khn06halonne\Mina dokument\ASEMBL~1

C:\QooBox\Purity\Documents and Settings\khn06halonne\Mina dokument\DOBE~1

C:\QooBox\Purity\Documents and Settings\khn06halonne\Mina dokument\MCROSO~1

C:\QooBox\Purity\Documents and Settings\khn06halonne\Mina dokument\ASEMBL~1\a?sembly

 

 

((((((((((((((((((((((((((((((( Files Created from 2006-11-06 to 2006-12-06 ))))))))))))))))))))))))))))))))))

 

 

2006-12-06 12:15 <KAT> d-------- C:\Program\LucasArts

2006-12-06 10:25 80 --a------ C:\WINDOWS\gmer_uninstall.cmd

2006-12-06 08:53 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE

2006-12-06 08:39 <KAT> d-------- C:\Program\SUPERAntiSpyware

2006-12-06 08:39 <KAT> d-------- C:\Program\Delade filer\Wise Installation Wizard

2006-12-06 08:39 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\SUPERAntiSpyware.com

2006-12-05 22:25 <KAT> d-------- C:\Program\Azureus

2006-12-05 20:15 <KAT> d-------- C:\Program\Hijackthis

2006-12-05 20:11 40,973 ---hs---- C:\WINDOWS\system32\vtuvstr.dll

2006-12-05 13:10 <KAT> d-------- C:\Documents and Settings\khn06halonne\Local Settings

2006-12-05 13:10 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\Google

2006-12-05 13:10 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\Google

2006-12-05 13:09 <KAT> d-------- C:\Program\Google

2006-12-05 13:03 88,340 --a------ C:\WINDOWS\system32\ryylrbnv.exe

2006-12-05 13:03 <KAT> d-------- C:\Program\VSAdd-in

2006-12-05 09:54 88,340 --a------ C:\WINDOWS\system32\klwmwukq.exe

2006-12-04 09:54 88,340 --a------ C:\WINDOWS\system32\rcxdoiic.exe

2006-12-04 09:54 42,516 --a------ C:\WINDOWS\system32\rbbxbsmj.dll

2006-12-04 09:54 1,170,373 ---hs---- C:\WINDOWS\system32\jjllm.bak2

2006-12-03 22:58 19,456 --a------ C:\WINDOWS\system32\cool.exe

2006-12-03 22:21 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe

2006-12-03 22:21 53,248 --a------ C:\WINDOWS\system32\Process.exe

2006-12-03 22:21 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2006-12-03 22:21 40,960 --a------ C:\WINDOWS\system32\swsc.exe

2006-12-03 22:21 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2006-12-03 22:21 135,168 --a------ C:\WINDOWS\system32\swreg.exe

2006-12-03 20:36 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\Help

2006-12-03 20:30 <KAT> d-------- C:\Program\Security Task Manager

2006-12-03 20:30 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan

2006-12-03 18:35 72,704 --a------ C:\WINDOWS\system32\drvluk.dll

2006-12-03 17:03 88,340 --a------ C:\WINDOWS\system32\vljcyyds.exe

2006-12-03 17:02 591,596 ---hs---- C:\WINDOWS\system32\jjllm.bak1

2006-12-03 17:02 126,996 --a------ C:\WINDOWS\system32\xlxsdgok.dll

2006-12-03 16:33 73,728 --a------ C:\uvfeel.exe

2006-12-03 16:31 72,704 --a------ C:\WINDOWS\system32\drvxil.dll

2006-12-03 16:31 40,973 ---hs---- C:\WINDOWS\system32\qommlig.dll

2006-12-03 16:29 <KAT> d-------- C:\Program\Gamenext

2006-12-03 16:29 <KAT> d-------- C:\Program\Delade filer\Oberon Media

2006-12-03 00:25 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys

2006-12-03 00:25 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys

2006-12-03 00:25 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS

2006-12-03 00:25 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys

2006-12-03 00:25 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys

2006-12-03 00:25 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys

2006-12-03 00:25 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys

2006-12-03 00:24 54,272 --a------ C:\WINDOWS\system32\vfwwdm32.dll

2006-12-03 00:24 <KAT> d-------- C:\WINDOWS\OvtCam

2006-12-03 00:22 61,440 --a------ C:\WINDOWS\ov519dib.dll

2006-12-03 00:22 40,960 --a------ C:\WINDOWS\system32\ov519ext.dll

2006-12-03 00:22 40,960 --a------ C:\WINDOWS\CleanDev.exe

2006-12-03 00:22 32,528 --a------ C:\WINDOWS\amcap.exe

2006-12-03 00:22 307,200 --a------ C:\WINDOWS\vidcap32.exe

2006-12-03 00:22 25,211 --a------ C:\WINDOWS\system32\drivers\ov519cmd.sys

2006-12-03 00:22 200,704 --a------ C:\WINDOWS\sel3110.exe

2006-12-03 00:22 174,530 --a------ C:\WINDOWS\system32\drivers\ov519vid.sys

2006-12-03 00:22 16,426 --a------ C:\WINDOWS\system32\ov519usd.dll

2006-12-03 00:22 135,168 --a------ C:\WINDOWS\ov519cap.exe

2006-12-03 00:22 <KAT> d-------- C:\Program\Eyetoy Drivers

2006-12-03 00:10 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys

2006-12-02 18:28 2,829 --a------ C:\WINDOWS\War3Unin.pif

2006-12-02 18:28 139,264 --a------ C:\WINDOWS\War3Unin.exe

2006-12-02 18:21 <KAT> d-------- C:\Program\Warcraft III

2006-12-02 16:29 <KAT> d-------- C:\Program\Uniblue

2006-12-02 16:29 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\Uniblue

2006-11-29 08:23 <KAT> d-------- C:\Program\Notepad++

2006-11-29 08:23 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\Notepad++

2006-11-28 12:02 <KAT> d-------- C:\Program\EA GAMES

2006-11-27 18:24 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\BearShare

2006-11-27 18:18 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\uTorrent

2006-11-27 17:24 <KAT> d-------- C:\Program\BearShare Applications

2006-11-27 12:25 <KAT> d-------- C:\Documents and Settings\khn06halonne\Application Data\AdobeUM

2006-11-27 12:21 <KAT> d-------- C:\WINDOWS\Sun

2006-11-27 11:44 129,784 --------- C:\WINDOWS\system32\pxafs.dll

2006-11-27 11:44 115,880 --------- C:\WINDOWS\system32\pxinsi64.exe

2006-11-27 10:24 <KAT> d-------- C:\WINDOWS\pss

2006-11-23 22:15 <KAT> d---s---- C:\Documents and Settings\khn06halonne\UserData

2006-11-11 18:09 <KAT> d-------- C:\WINDOWS\Minidump

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-12-06 12:36 -------- d-------- C:\Program\Mozilla Firefox

2006-12-06 12:15 -------- d--h----- C:\Program\InstallShield Installation Information

2006-12-06 09:01 -------- d-------- C:\Program\Delade filer

2006-12-06 08:32 -------- d-------- C:\Documents and Settings\khn06halonne\Application Data\Azureus

2006-11-30 08:12 -------- d-------- C:\Program\MSN Messenger

2006-11-27 13:11 -------- d-------- C:\Documents and Settings\khn06halonne\Application Data\Macromedia

2006-11-27 12:47 -------- d-------- C:\Documents and Settings\khn06halonne\Application Data\Winamp

2006-11-27 11:44 -------- d-------- C:\Program\Winamp

2006-11-18 03:01 -------- d-------- C:\Program\Internet Explorer

2006-11-16 21:59 -------- d-------- C:\Documents and Settings\khn06halonne\Application Data\Real

2006-11-13 06:24 -------- d-------- C:\Documents and Settings\khn06halonne\Application Data\dvdcss

2006-10-16 15:31 -------- d-------- C:\Documents and Settings\khn06halonne\Application Data\foobar2000

2006-10-13 13:41 65536 --a------ C:\WINDOWS\system32\nwwks.dll

2006-10-13 13:41 64000 --a------ C:\WINDOWS\system32\nwapi32.dll

2006-10-13 13:41 141824 --a------ C:\WINDOWS\system32\nwprovau.dll

2006-10-13 11:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys

2006-09-13 06:07 1084416 --a------ C:\WINDOWS\system32\msxml3.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

"msnmsgr"="\"C:\\Program\\MSN Messenger\\msnmsgr.exe\" /background"

"Steam"=""

"MSMSGS"="\"C:\\Program\\Messenger\\msmsgs.exe\" /background"

"Uniblue Registry Booster"="C:\\Program\\Uniblue\\Registry Booster\\RegistryBooster.exe /S"

"SUPERAntiSpyware"="C:\\Program\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"IAAnotif"="C:\\Program\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"

"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY.exe"

"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"

"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"

"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"

"AGRSMMSG"="AGRSMMSG.exe"

"SynTPEnh"="C:\\Program\\Synaptics\\SynTP\\SynTPEnh.exe"

"hpWirelessAssistant"="C:\\Program\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe"

"SCANINICIO"="\"C:\\Program\\Panda Software\\Panda Antivirus Platinum\\Inicio.exe\""

"APVXDWIN"="\"C:\\Program\\Panda Software\\Panda Antivirus Platinum\\APVXDWIN.EXE\" /s"

"WatchDog"="C:\\Program\\InterVideo\\DVD Check\\DVDCheck.exe"

"TkBellExe"="\"C:\\Program\\Delade filer\\Real\\Update_OB\\realsched.exe\" -osboot"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000000

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

"{C671A733-A4AA-4B5F-8CEE-006242C457B5}"=""

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Acrobat Assistant.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start-meny\\Program\\Autostart\\Acrobat Assistant.lnk"

"backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\Program\\Adobe\\ADOBEA~1.0\\Distillr\\acrotray.exe "

"item"="Acrobat Assistant"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Gamma Loader.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start-meny\\Program\\Autostart\\Adobe Gamma Loader.lnk"

"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\Program\\DELADE~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "

"item"="Adobe Gamma Loader"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="daemon"

"hkey"="HKLM"

"command"="\"C:\\Program\\DAEMON Tools\\daemon.exe\" -lang 1033"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="QlbCtrl"

"hkey"="HKLM"

"command"="%ProgramFiles%\\Hewlett-Packard\\HP Quick Launch Buttons\\QlbCtrl.exe /Start"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="qttask"

"hkey"="HKLM"

"command"="\"C:\\Program\\QuickTime\\qttask.exe\" -atboottime"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="Smax4"

"hkey"="HKLM"

"command"="C:\\Program\\Analog Devices\\SoundMAX\\Smax4.exe /tray"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="smax4pnp"

"hkey"="HKLM"

"command"="C:\\Program\\Analog Devices\\Core\\smax4pnp.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="DVDCheck"

"hkey"="HKLM"

"command"="C:\\Program\\InterVideo\\DVD Check\\DVDCheck.exe"

"inimapping"="0"

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjyp32

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

Completion time: 06-12-06 13:47:13.17

C:\ComboFix.txt ... 06-12-06 13:47

C:\ComboFix2.txt ... 06-12-06 10:26

C:\ComboFix3.txt ... 06-12-06 09:01

[/log]

 


Okay, at least pe386 is gone now.

 

Download VundoFix:

http://www.atribune.org/ccount/click.php?id=4

 

Restart the computer in Safe Mode (press F8 repeatedly during startup and choose Safe Mode from the menu).

 

Double-click VundoFix.exe to start the program.

Once it has started, click Scan for Vundo.

When the scan is finished, click Remove Vundo.

Answer Yes to the question whether you want to delete the files.

The Desktop will then disappear while the files are being removed.

When it is done, a message will tell you that your computer will be shut down; click OK.

Start the computer again in normal mode.

 

If VundoFix could not remove some file on the first attempt, VundoFix will start again when the computer boots; in that case follow the instructions once more.

 

Paste C:\vundofix.txt into your reply.

 

Download the program SmitfraudFix (by S!Ri) to the Desktop:

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Right-click and extract all contents to the Desktop. A folder SmitfraudFix will be created.

 

Open the SmitfraudFix folder and double-click smitfraudfix.cmd.

Choose option #1 - Search by pressing 1 and Enter.

The program will scan the computer.

When it is finished the result is shown and the program has created the log file C:\rapport.txt.

 

Paste the contents of the log file into your reply here.

 

Do nothing else with the SmitfraudFix folder or smitfraudfix.cmd.

 


[log]SmitFraudFix v2.128

 

Scan done at 15:21:08,73, 2006-12-06

Run from C:\Documents and Settings\khn06halonne\Skrivbord\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» C:

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\khn06halonne

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\khn06halonne\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\KHN06H~1\FAVORI~1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

[/log]

[log]

VundoFix V6.2.13

 

Checking Java version...

 

Sun Java not detected

Scan started at 15:07:37 2006-12-06

 

Listing files found while scanning....

 

No infected files were found.

 

 

Beginning removal...

 

VundoFix V6.2.13

 

Checking Java version...

 

Sun Java not detected

Scan started at 15:16:44 2006-12-06

 

Listing files found while scanning....

 

No infected files were found.

 

[/log]

 


There is an old Java version with security holes on the computer. Uninstall all Java in Control Panel - Add or Remove Programs and then install a new one: http://www.java.com/sv/

 

Scan with HijackThis and tick:

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://clk.atdmt.com/goiframe/11562227.16657942/msnnkmse001234x60Ximssws0000001pps/direct;wi.234;hi.60/01

O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - (no file)

O2 - BHO: (no name) - {C671A733-A4AA-4B5F-8CEE-006242C457B5} - (no file)

O2 - BHO: (no name) - {CB414770-9D0B-411D-A0C7-ED2FF46F2CEC} - C:\WINDOWS\system32\mlljj.dll (file missing)

O3 - Toolbar: Safety Bar - {fbea0445-4c4a-4136-864a-c72a4a182a84} - C:\Program\Safety Bar\SafetyBar.dll (file missing)

O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgak.dll,startup

O20 - Winlogon Notify: winjyp32 - winjyp32.dll (file missing)

 

Close all other programs.

Click Fix checked.

 

Restart the computer in Safe Mode (press F8 repeatedly during startup and choose Safe Mode from the menu).

 

Set up Explorer so that you can see all files:

Tools - (Folder) Options or similar - View

Select Show hidden files and folders

Untick Hide extensions for known file types

Untick Hide protected operating system files

 

Delete the files (if they still exist):

C:\WINDOWS\system32\drvgak.dll

C:\WINDOWS\system32\mlljj.dll

All files in the same folder whose names begin with jjllm

 

Delete the folders (if they still exist):

C:\Program\Safety Bar

 

Restart in normal mode and then post a new HijackThis log.

How is the computer behaving now?
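The helper picks the entries above out of the HijackThis log by eye: hooks whose file no longer exists, unnamed BHOs, a Run key that starts rundll32 on a DLL, a Winlogon Notify DLL given without a path. The following is an added example for this thread, not code from the forum or from HijackThis itself; the four heuristics are my own assumptions drawn from the entries flagged in this post, and the sample log is constructed from those entries plus a few benign ones from the later clean log.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: HijackThis v1.99.1 entries as quoted in this thread
# (the ones the helper told the user to fix, plus benign ones for contrast).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - (no file)
O2 - BHO: (no name) - {CB414770-9D0B-411D-A0C7-ED2FF46F2CEC} - C:\WINDOWS\system32\mlljj.dll (file missing)
O3 - Toolbar: Safety Bar - {fbea0445-4c4a-4136-864a-c72a4a182a84} - C:\Program\Safety Bar\SafetyBar.dll (file missing)
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvgak.dll,startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O20 - Winlogon Notify: winjyp32 - winjyp32.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll
"""

# "<section> - <body>"; the section tag is HijackThis's R0/R1/O2/O4/O20... code.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Markers HijackThis appends when the registered file does not exist on disk.
MISSING_MARKERS = ("(no file)", "(file missing)")
# A Run key that starts rundll32 with a DLL: the loader shape of the CTDrive entry.
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\s+(?P<dll>[^,\s]+\.dll)", re.IGNORECASE)


@dataclass
class Finding:
    section: str                                 # e.g. "O2", "O4", "O20"
    entry: str                                   # the log line as written
    reasons: list = field(default_factory=list)  # heuristics that fired


def _registered_path(body: str) -> str:
    """Last ' - ' separated field of an entry, with any missing-file marker removed."""
    path = body.rsplit(" - ", 1)[-1]
    for marker in MISSING_MARKERS:
        path = path.replace(marker, "")
    return path.strip()


def triage(log_text: str) -> list:
    """Return the entries that match at least one heuristic, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank line
        section, body = m.group("section"), m.group("body")
        f = Finding(section, raw.strip())
        if body.endswith(MISSING_MARKERS):
            f.reasons.append("registered file is missing: orphaned hook, safe to fix")
        if section in ("O2", "O3") and "(no name)" in body:
            f.reasons.append("BHO/toolbar registered without a name")
        if section == "O4" and RUNDLL_RE.search(body):
            f.reasons.append("Run key loads a DLL through rundll32")
        if section == "O20" and "\\" not in _registered_path(body):
            f.reasons.append("Winlogon Notify DLL given without a full path")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.entry}")
        for r in f.reasons:
            print(f"      -> {r}")
```

Run against a full log the same way; a hit is a reason to look at the entry, not proof of infection, which is why the output keeps the reason next to the line.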

 


The computer works much better now :)

Thank you so much!

Here is the log in case you want it..

 

 

[log]

Logfile of HijackThis v1.99.1

Scan saved at 17:20:37, on 2006-12-06

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program\Delade filer\LightScribe\LSSrvc.exe

C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE

C:\Program\Panda Software\Panda Antivirus Platinum\apvxdwin.exe

C:\WINDOWS\Explorer.EXE

C:\Program\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program\Delade filer\Real\Update_OB\realsched.exe

C:\Program\Java\jre1.5.0_09\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program\MSN Messenger\msnmsgr.exe

C:\Program\Messenger\msmsgs.exe

C:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program\Panda Software\Panda Antivirus Platinum\pavProxy.exe

C:\Program\hpq\Shared\HPQTOA~1.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\svchost.exe

C:\Program\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [iAAnotif] C:\Program\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

O4 - HKLM\..\Run: [sCANINICIO] "C:\Program\Panda Software\Panda Antivirus Platinum\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program\Java\jre1.5.0_09\bin\jusched.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\npjpi150_09.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\npjpi150_09.dll

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154682963062

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = khamn.johnbauer.nu

O17 - HKLM\Software\..\Telephony: DomainName = khamn.johnbauer.nu

O17 - HKLM\System\CCS\Services\Tcpip\..\{77D3FF0C-7C1B-4732-8D8C-60F26D81ABB0}: NameServer = 192.168.0.1,192.168.0.2

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = khamn.johnbauer.nu

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = khamn.johnbauer.nu

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: !SASWinLogon - C:\Program\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program\Delade filer\LightScribe\LSSrvc.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program\Delade filer\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe

O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe

O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

 

[/log]

 


I see nothing nasty in the HijackThis log.

 

There may be some nasty files left, even though they are probably not in use, according to the ComboFix log.

Go to http://www.virustotal.com/, paste one of the following filenames into the box, click Send and wait until the result is ready (Status becomes Finished). If virustotal reports that the file is infected or that the file size is 0, delete the file. Repeat with the next filename.

C:\WINDOWS\system32\vtuvstr.dll

C:\WINDOWS\system32\ryylrbnv.exe

C:\WINDOWS\system32\klwmwukq.exe

C:\WINDOWS\system32\rcxdoiic.exe

C:\WINDOWS\system32\rbbxbsmj.dll

C:\WINDOWS\system32\cool.exe

C:\WINDOWS\system32\drvluk.dll

C:\WINDOWS\system32\vljcyyds.exe

C:\WINDOWS\system32\xlxsdgok.dll

C:\uvfeel.exe

C:\WINDOWS\system32\drvxil.dll

C:\WINDOWS\system32\qommlig.dll

 

Here is my usual advice for a safer computer, but of course it is also important to use common sense.

 

Update from Windows Update and run the anti-spyware programs AVG Anti-Spyware (Ewido), SUPERAntiSpyware, Spybot S&D and/or Ad-aware regularly.

http://www.ewido.net/en/

http://www.superantispyware.com/

http://www.safer-networking.org/en/download/index.html

http://www.lavasoft.com

 

Complement the antivirus program with a few online scans now and then:

http://housecall.trendmicro.com/

http://www.bitdefender.com/scan8/ie.html

http://www.pandasoftware.com/products/activescan/

 

Use a firewall (better than the one built into XP); one is available for free from e.g. ZoneLabs.

http://www.zonelabs.com/store/content/home.jsp

 

If you use Internet Explorer it may be appropriate to have the programs SpywareBlaster and SpywareGuard, which prevent a lot of nasty programs from being downloaded or run, respectively:

http://www.javacoolsoftware.com

 

Review the security settings in Internet Explorer; there are a lot of tips here:

http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm

 

Also run IE-SpyAd, which puts a whole lot of nasty websites in the Restricted sites zone in Internet Explorer so that they cannot do anything to the computer:

http://www.spywarewarrior.com/uiuc/resource.htm

 

If you switch browsers, only SpywareGuard is needed. Other browsers are e.g. Mozilla Firefox and Opera:

http://www.mozilla.org

http://www.opera.com

 

All free for home users/personal use.

 
