
Yet another MSN virus


heneborn


Hi!

Stupid as I am, I clicked on that img25.rar file that popped up in the window, and now MSN is acting crazy. Windows keep flashing up on screen all the time and it sends the file on to more contacts, and I don't know how to get rid of it.

I ran MSNFix, which said it removed a virus it found, but the problem is still there.

Can someone help, please?

/andreas

 


[log]Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:55:43, on 2007-09-27

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\WINDOWS\system32\nvsvc64.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\PROGRA~1\Mozilla Firefox\firefox.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [EPSON Stylus Photo RX520 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE /P31 "EPSON Stylus Photo RX520 Series" /O6 "USB001" /M "Stylus Photo RX520"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [nVidia Display Driver] nvsvc64.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-1085031214-2139871995-682003330-1006\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Marcus')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

 

--

End of file - 5996 bytes

[/log]

 


It would be good to see the log from MSNFix; you should be able to find it in the folder where the program is, and its name contains the date and time of the run.

 

[log]Download SDFix to the Desktop:

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double-click SDFix.exe and a new folder is created, C:\SDFix.

 

Restart the computer in Safe Mode (press F8 repeatedly during startup and choose Safe Mode from the menu).

 

Open the new folder C:\SDFix and double-click RunThis.bat to start the program.

Press Y to continue.

It works for a while, and when it is done a prompt asks whether you want to restart the computer.

Press any key to start the reboot.

The computer will take a long time to start up, because the program runs during startup and fixes a lot of things.

When it is done, Finished is shown.

Press any key to exit the program.

 

Open the SDFix folder and open the file Report.txt in Notepad.

Paste the contents of the file into your reply here.[/log]

 

[log]Download ComboFix:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

Run it and follow the instructions shown.

 

IMPORTANT! Do not click in the ComboFix window with the mouse while it is running, or it may hang.

 

When it is finished a log should appear; paste it here, along with a new HijackThis log.[/log]

 


[log]MSNFix 1.521

 

C:\Documents and Settings\Heneborn\Desktop\MSNFix\MSNFix

Scan completed at 2007-09-27 - 23:18:08,01 By Heneborn

normal mode

 

************************ Checking files

 

... C:\DOCUME~1\Heneborn\LOCALS~1\Temp\*.dmp

 

************************ MSNCHK ***** /!\ beta test /!

 

 

************************ Checking folders

 

... C:\Temp\

 

 

 

 

************************ Removing virus files

 

.. OK ... C:\DOCUME~1\Heneborn\LOCALS~1\Temp\*.dmp

 

 

************************ Removing virus folders

 

.. OK ... C:\Temp\

 

 

************************ Cleaning the registry

 

 

 

************************ Suspicious Files

 

/!\ The files found must be checked before removal

 

[C:\WINDOWS\system32\davinci.scr] 8EFE67C26EEEDED21FAE6EC0ABE64FBE

[C:\WINDOWS\system32\mypixdx.scr] C644C2CE7E5224297757FFA93346D529

[C:\WINDOWS\system32\nature.scr] 3DD0058B893C3532103AD96C593DE18C

[C:\WINDOWS\system32\space.scr] 6FA9112A53D4192656F961809BED3D41

[C:\WINDOWS\system32\wpgldfsh.scr] 54F3C37B574A2269FC5A92E9F07DE152

 

==> Please upload the file C:\DOCUME~1\Heneborn\Desktop\Upload_Me.zip to http://upload.changelog.fr

 

 

 

The files and registry keys have been saved to quarantine 2007-09-27_23184446.zip

 

 

------------------------------------------------------------------------

Made by : !aur3n7 Contact: http://changelog.fr

------------------------------------------------------------------------

 

--------------------------------------------- END ---------------------------------------------

 

[/log]

 


On the web page http://upload.changelog.fr/ fill in the boxes like this:

heneborn

//eforum.idg.se/viewmsg.asp?EntriesId=984448#984504

MSNFix requested upload

C:\DOCUME~1\Heneborn\Desktop\Upload_Me.zip

Press Envoyer

 

so that MSNFix can be updated.

 

Set up Explorer so that you can see all files:

Tools - Folder Options (or similar) - View

Select Show hidden files and folders

Uncheck Hide extensions for known file types

Uncheck Hide protected operating system files

 

Go to the folder C:\WINDOWS\system32 and check the dates on the files:

davinci.scr

mypixdx.scr

nature.scr

space.scr

wpgldfsh.scr

If any of them were created after the computer got infected, delete that file / those files.

 

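The check suggested above (compare a suspect file's creation date with the day the infection started) can be applied to the logs in this thread mechanically rather than by eye. The Python below is an added example, not code from the thread or from any of the tools mentioned in it. It parses HijackThis O4 autorun lines and ComboFix "Files Created" lines (the sample input is excerpted from the logs posted here), and flags any autorun whose target was created on or after the infection date or carries hidden+system attributes. The infection date of 2007-09-27 comes from the first post; the function names and the flagging rules are my own. A flagged entry is a candidate for manual review, nothing more.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple


class Created(NamedTuple):
    when: datetime
    attrs: str    # ComboFix attribute string, e.g. "-r-hs----" (r read-only, h hidden, s system)
    path: str


class Finding(NamedTuple):
    name: str          # autorun value name, e.g. "nVidia Display Driver"
    target: str        # executable the autorun command starts
    reasons: List[str]


# ComboFix "Files Created" line: "<date> <time> <size> <attrs> <path>". Directory
# lines carry "<KAT>" (the localized <DIR> marker) instead of a size, so they do
# not match [\d,]+ and are skipped on purpose.
_CREATED = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+[\d,]+\s+(\S{9})\s+(.+)$")
# HijackThis O4 line: "O4 - <hive>\..\Run: [<name>] <command>"
_O4 = re.compile(r"^O4 - (.+?)\\\.\.\\Run\w*: \[(.+?)\] (.+)$")


def parse_created(lines: List[str]) -> List[Created]:
    out = []
    for line in lines:
        m = _CREATED.match(line.strip())
        if m:
            out.append(Created(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                               m.group(2), m.group(3)))
    return out


def executable_of(command: str) -> str:
    """First token of an autorun command: a quoted path, or everything up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(hjt_lines: List[str], combofix_lines: List[str], infected_since: datetime) -> List[Finding]:
    by_base: Dict[str, Created] = {_basename(c.path): c for c in parse_created(combofix_lines)}
    findings = []
    for line in hjt_lines:
        m = _O4.match(line.strip())
        if not m:
            continue
        name, command = m.group(2), m.group(3)
        target = executable_of(command)
        created = by_base.get(_basename(target))
        reasons = []
        if created is not None:
            if created.when >= infected_since:
                reasons.append(f"created {created.when:%Y-%m-%d %H:%M}, on or after the infection date")
            if "h" in created.attrs and "s" in created.attrs:
                reasons.append(f"hidden+system attributes ({created.attrs})")
        # A bare filename is located through the search path rather than a fixed
        # location. Note it only when the entry is already suspicious: several
        # legitimate vendor entries in the log (CTHELPER.EXE, nwiz.exe) look the same.
        if reasons and "\\" not in target:
            reasons.append("unqualified path: started via the search path, not a fixed location")
        findings.append(Finding(name, target, reasons))
    return findings


def flagged(hjt_lines: List[str], combofix_lines: List[str], infected_since: datetime) -> List[Finding]:
    return [f for f in triage(hjt_lines, combofix_lines, infected_since) if f.reasons]


# Sample input: lines excerpted from the ComboFix and HijackThis logs in this thread.
COMBOFIX_CREATED = [
    r"2007-09-28 11:33 51,200 --a------ C:\WINDOWS\NirCmd.exe",
    r"2007-09-28 10:52 <KAT> d-------- C:\WINDOWS\ERUNT",
    r"2007-09-27 20:20 60,928 -r-hs---- C:\WINDOWS\system32\nvsvc64.exe",
    r"2007-08-28 18:03 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe",
]
HJT_O4 = [
    r"O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [nVidia Display Driver] nvsvc64.exe",
    r'O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background',
    r"O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')",
]
INFECTED_SINCE = datetime(2007, 9, 27)   # the day the img25.rar attachment was opened (first post)

if __name__ == "__main__":
    for f in flagged(HJT_O4, COMBOFIX_CREATED, INFECTED_SINCE):
        print(f"[{f.name}] {f.target}")
        for r in f.reasons:
            print("   -", r)
```

The date rule is deliberately coarse: anything created on the infection day or later is flagged, and tools run during cleanup (NirCmd.exe here) will also pass it, so the output is a review list, not a verdict. Matching by basename is what makes the bare-filename autoruns comparable with the full paths ComboFix prints.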

[log]SDFix: Version 1.107

 

Run by Heneborn on 2007-09-28 at 10:53

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

No Trojan Files Found

 

 

 

 

Removing Temp Files...

 

ADS Check:

 

C:\WINDOWS

No streams found.

 

C:\WINDOWS\system32

No streams found.

 

C:\WINDOWS\system32\svchost.exe

No streams found.

 

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"

"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"

"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"

"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"

"C:\\Program Files\\FlashFXP\\flashfxp.exe"="C:\\Program Files\\FlashFXP\\flashfxp.exe:*:Enabled:FlashFXP v3"

"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"

"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"

"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"

"C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"

"C:\\Documents and Settings\\Marcus\\My Documents\\_REL__Hebbo___Nero_2\\[REL] Hebbo & Nero 2\\Server.exe"="C:\\Documents and Settings\\Marcus\\My Documents\\_REL__Hebbo___Nero_2\\[REL] Hebbo & Nero 2\\Server.exe:*:Enabled:Server"

"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"

"C:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"="C:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe:*:Enabled:BF1942"

"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"

"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"

"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"

"C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars Beta 2\\etqw.exe"="C:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars Beta 2\\etqw.exe:*:Enabled:Enemy Territory - QUAKE Wars Beta 2"

"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"

"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"="C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe:*:Disabled:Adobe Photoshop Elements Media Server"

"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe:*:Enabled:World in Conflict"

"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe:*:Enabled:World in Conflict - Online Only"

"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe:*:Enabled:World in Conflict - Dedicated Server"

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\FlashFXP\\flashfxp.exe"="C:\\Program Files\\FlashFXP\\flashfxp.exe:*:Enabled:FlashFXP v3"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

 

Remaining Files:

---------------

 

 

Files with Hidden Attributes:

 

Thu 27 Sep 2007 60,928 ..SHR --- "C:\WINDOWS\system32\nvsvc64.exe"

Fri 27 Feb 2004 233,472 A..H. --- "C:\Program Files\Image-Line\FL Studio 7\REX Shared Library.dll"

Thu 27 Sep 2007 2,158 ...HR --- "C:\Documents and Settings\Heneborn\Application Data\SecuROM\UserData\securom_v7_01.bak"

Fri 21 Sep 2007 2,158 ...HR --- "C:\Documents and Settings\Marcus\Application Data\SecuROM\UserData\securom_v7_01.bak"

Fri 28 Sep 2007 5,684 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp"

Fri 28 Sep 2007 5,938 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp"

 

Finished!

[/log]

 

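The SDFix report above ends with an export of the Windows Firewall AuthorizedApplications list, which deserves the same attention as the autorun entries: every line there is a program the firewall lets accept inbound connections. The Python below is an added example (not part of the thread, and not SDFix code) that parses that .reg-style export and flags exceptions whose executable lies outside Program Files / Windows, with an extra note when it sits under a user profile, and exceptions whose value name and value data disagree about the path. The sample input is an excerpt of the export above plus one constructed line (app.exe) that exercises the mismatch check; the function names and the allowed-root list are my assumptions.

```python
import re
from typing import List, NamedTuple, Tuple


class FirewallException(NamedTuple):
    profile: str     # standardprofile / domainprofile
    path: str        # executable the exception applies to (taken from the value data)
    scope: str       # "*" means any remote address
    enabled: bool
    label: str       # friendly name shown in the firewall UI
    mismatch: bool   # value name and value data name different executables


_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\.*\\firewallpolicy\\(\w+)\\authorizedapplications\\list\]$", re.I)
_ENTRY = re.compile(r'^"(.+?)"="(.*)"$')

# Where installed software normally lives on an XP box; anything else gets a look.
ALLOWED_ROOTS = ("c:\\program files\\", "c:\\windows\\", "%windir%\\")
USER_PROFILE_ROOTS = ("c:\\documents and settings\\", "c:\\users\\")


def _unescape(s: str) -> str:
    return s.replace("\\\\", "\\")   # .reg exports double every backslash


def parse_export(lines: List[str]) -> List[FirewallException]:
    profile, out = None, []
    for raw in lines:
        line = raw.strip()
        k = _KEY.match(line)
        if k:
            profile = k.group(1).lower()
            continue
        e = _ENTRY.match(line)
        if not (e and profile):
            continue
        key_path, value = _unescape(e.group(1)), _unescape(e.group(2))
        if value.lower().startswith(key_path.lower() + ":"):
            # Normal case: data is "<same path>:<scope>:<Enabled|Disabled>:<label>"
            parts = value[len(key_path) + 1:].split(":", 2)
            if len(parts) != 3:
                continue
            path, (scope, state, label), mismatch = key_path, parts, False
        else:
            # Name and data disagree; split the data from the right instead.
            parts = value.rsplit(":", 3)
            if len(parts) != 4:
                continue
            path, scope, state, label = parts
            mismatch = True
        out.append(FirewallException(profile, path, scope, state.lower() == "enabled", label, mismatch))
    return out


def review(lines: List[str]) -> List[Tuple[FirewallException, List[str]]]:
    flagged = []
    for ex in parse_export(lines):
        reasons = []
        p = ex.path.lower()
        if ex.mismatch:
            reasons.append("value name and value data name different executables")
        if ex.enabled and not p.startswith(ALLOWED_ROOTS):
            reasons.append("enabled exception for an executable outside Program Files / Windows")
            if p.startswith(USER_PROFILE_ROOTS):
                reasons.append("executable sits under a user profile, a user-writable location")
        if reasons:
            flagged.append((ex, reasons))
    return flagged


# Sample input: excerpt of the "Authorized Application Key Export" from the SDFix
# report above, plus one constructed line (app.exe) whose name and data disagree.
SDFIX_EXPORT = [
    r"[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]",
    r'"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"',
    r'"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"',
    r'"C:\\Documents and Settings\\Marcus\\My Documents\\_REL__Hebbo___Nero_2\\[REL] Hebbo & Nero 2\\Server.exe"="C:\\Documents and Settings\\Marcus\\My Documents\\_REL__Hebbo___Nero_2\\[REL] Hebbo & Nero 2\\Server.exe:*:Enabled:Server"',
    r'"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"="C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe:*:Disabled:Adobe Photoshop Elements Media Server"',
    r"[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]",
    r'"C:\\Program Files\\FlashFXP\\flashfxp.exe"="C:\\Program Files\\FlashFXP\\flashfxp.exe:*:Enabled:FlashFXP v3"',
    r'"C:\\Program Files\\Example\\app.exe"="C:\\Temp\\app.exe:*:Enabled:app"',   # constructed, not from the log
]

if __name__ == "__main__":
    for ex, reasons in review(SDFIX_EXPORT):
        print(f"[{ex.profile}] {ex.path} ({ex.label})")
        for r in reasons:
            print("   -", r)
```

The allowed-root rule is a policy, not a detection: a legitimate game server started from My Documents would be flagged too, and the point is only that such an entry should be explained by the machine's owner rather than silently kept. Disabled entries are left alone by the path rule because they open nothing.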

davinci.scr

mypixdx.scr

nature.scr

space.scr

wpgldfsh.scr

 

I had already deleted those files after running MSNFix yesterday; it didn't solve anything, they were just screensavers.

 

Thanks a lot for all the help, by the way!

 


[log]ComboFix 07-09-21.2 - "Heneborn" 2007-09-28 11:34:25.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1543 [GMT 2:00]

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\All Users.\documents\setup.exe

 

.

((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-28 )))))))))))))))))))))))))))))))

.

 

2007-09-28 11:33 51,200 --a------ C:\WINDOWS\NirCmd.exe

2007-09-28 10:52 <KAT> d-------- C:\WINDOWS\ERUNT

2007-09-27 23:55 <KAT> d-------- C:\Program Files\Trend Micro

2007-09-27 23:02 <KAT> d-------- C:\Program Files\MSN Messenger

2007-09-27 20:20 60,928 -r-hs---- C:\WINDOWS\system32\nvsvc64.exe

2007-09-26 20:39 <KAT> d-------- C:\DOCUME~1\Marcus\APPLIC~1\Samsung

2007-09-22 19:49 <KAT> d-------- C:\Program Files\The Creative Assembly

2007-09-20 16:08 <KAT> d-------- C:\DOCUME~1\Marcus\APPLIC~1\Opera

2007-09-19 22:18 <KAT> d-------- C:\Program Files\MediaMonkey

2007-09-19 19:51 40,960 --a------ C:\WINDOWS\system32\psfind.dll

2007-09-19 19:51 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll

2007-09-19 19:05 109,568 --------- C:\WINDOWS\system32\pxinsi64.exe

2007-09-19 19:05 108,544 --------- C:\WINDOWS\system32\pxcpyi64.exe

2007-09-09 19:18 737,280 --a------ C:\WINDOWS\iun6002.exe

2007-09-09 19:18 <KAT> d-------- C:\Program Files\Codec Pack - All In 1

2007-09-09 19:15 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll

2007-09-09 19:15 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll

2007-09-09 19:15 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll

2007-09-09 19:15 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll

2007-09-09 19:15 <KAT> d-------- C:\Program Files\Cucusoft

2007-09-09 19:08 <KAT> d-------- C:\DOCUME~1\Heneborn\APPLIC~1\Ahead

2007-09-09 15:59 <KAT> d-------- C:\DOCUME~1\Marcus\APPLIC~1\Media Player Classic

2007-09-08 13:45 <KAT> d-------- C:\DOCUME~1\Marcus\APPLIC~1\dvdcss

2007-09-05 13:05 <KAT> d-------- C:\DOCUME~1\Heneborn\APPLIC~1\dvdcss

2007-09-03 16:05 <KAT> d-------- C:\DOCUME~1\Heneborn\APPLIC~1\InstallShield

2007-09-02 14:40 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll

2007-09-02 14:40 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll

2007-09-02 14:40 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll

2007-09-02 14:40 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll

2007-09-02 14:40 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll

2007-09-02 14:40 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll

2007-09-02 14:40 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll

2007-09-02 14:40 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll

2007-09-01 20:16 <KAT> d-------- C:\Program Files\NCSoft

2007-08-30 09:44 <KAT> d-------- C:\Program Files\FirstClass

2007-08-30 09:44 <KAT> d-------- C:\DOCUME~1\Heneborn\APPLIC~1\InstallShield Installation Information

2007-08-30 09:44 <KAT> d-------- C:\DOCUME~1\Heneborn\APPLIC~1\FirstClass

2007-08-29 15:06 225,280 --a------ C:\WINDOWS\system32\rewire.dll

2007-08-29 15:06 <KAT> d-------- C:\Program Files\VstPlugins

2007-08-29 15:06 <KAT> d-------- C:\Program Files\ASIO4ALL v2

2007-08-29 15:04 <KAT> d-------- C:\Program Files\Image-Line

2007-08-28 18:04 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys

2007-08-28 18:04 22,328 --a------ C:\DOCUME~1\Heneborn\APPLIC~1\PnkBstrK.sys

2007-08-28 18:03 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe

2007-08-28 18:03 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe

2007-08-28 18:03 <KAT> d-------- C:\WINDOWS\system32\LogFiles

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-09-27 21:47 --------- d-------- C:\DOCUME~1\Heneborn\APPLIC~1\foobar2000

2007-09-27 17:54 --------- d-------- C:\DOCUME~1\Marcus\APPLIC~1\foobar2000

2007-09-27 10:43 --------- d-------- C:\DOCUME~1\Heneborn\APPLIC~1\Azureus

2007-09-26 10:43 --------- d-------- C:\Program Files\FlashFXP

2007-09-22 19:49 --------- d--h----- C:\Program Files\InstallShield Installation Information

2007-09-20 17:04 --------- d-------- C:\Program Files\Sierra Entertainment

2007-09-19 08:43 --------- d-------- C:\DOCUME~1\Marcus\APPLIC~1\Creative

2007-09-12 12:22 --------- d-------- C:\Program Files\Azureus

2007-08-29 15:06 --------- d-------- C:\Program Files\VstPlugins

2007-08-28 18:02 --------- d-------- C:\Program Files\id Software

2007-08-26 20:49 --------- d-------- C:\DOCUME~1\Heneborn\APPLIC~1\Bioshock

2007-08-26 19:56 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles

2007-08-25 12:31 --------- dr-h----- C:\DOCUME~1\Marcus\APPLIC~1\SecuROM

2007-08-25 10:43 107888 --a------ C:\WINDOWS\system32\CmdLineExt.dll

2007-08-25 10:43 --------- dr-h----- C:\DOCUME~1\Heneborn\APPLIC~1\SecuROM

2007-08-23 17:38 --------- d-------- C:\Program Files\EA GAMES

2007-08-17 17:25 356352 --a------ C:\WINDOWS\system32\nvunrm.exe

2007-08-17 17:25 356352 --a------ C:\WINDOWS\system32\NVUNINST.EXE

2007-08-17 17:25 356352 --a------ C:\WINDOWS\system32\nvudisp.exe

2007-08-17 16:23 8478720 --a------ C:\WINDOWS\system32\nvcpl.dll

2007-08-17 16:23 81920 --a------ C:\WINDOWS\system32\nvwddi.dll

2007-08-17 16:23 81920 --a------ C:\WINDOWS\system32\nvmctray.dll

2007-08-17 16:23 753664 --a------ C:\WINDOWS\system32\nvcplui.exe

2007-08-17 16:23 6842208 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys

2007-08-17 16:23 6746112 --a------ C:\WINDOWS\system32\nvoglnt.dll

2007-08-17 16:23 6344704 --a------ C:\WINDOWS\system32\nvdisps.dll

2007-08-17 16:23 5860736 --a------ C:\WINDOWS\system32\nv4_disp.dll

2007-08-17 16:23 466944 --a------ C:\WINDOWS\system32\nvshell.dll

2007-08-17 16:23 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll

2007-08-17 16:23 442368 --a------ C:\WINDOWS\system32\nvappbar.exe

2007-08-17 16:23 425984 --a------ C:\WINDOWS\system32\keystone.exe

2007-08-17 16:23 36864 --a------ C:\WINDOWS\system32\nvcodins.dll

2007-08-17 16:23 36864 --a------ C:\WINDOWS\system32\nvcod.dll

2007-08-17 16:23 360448 --a------ C:\WINDOWS\system32\nvapi.dll

2007-08-17 16:23 3551232 --a------ C:\WINDOWS\system32\nvvitvs.dll

2007-08-17 16:23 3334144 --a------ C:\WINDOWS\system32\nvgames.dll

2007-08-17 16:23 307200 --a------ C:\WINDOWS\system32\nvexpbar.dll

2007-08-17 16:23 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll

2007-08-17 16:23 2371584 --a------ C:\WINDOWS\system32\nvwss.dll

2007-08-17 16:23 229376 --a------ C:\WINDOWS\system32\nvmccs.dll

2007-08-17 16:23 188416 --a------ C:\WINDOWS\system32\nvmccss.dll

2007-08-17 16:23 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll

2007-08-17 16:23 1626112 --a------ C:\WINDOWS\system32\nwiz.exe

2007-08-17 16:23 155716 --a------ C:\WINDOWS\system32\nvsvc32.exe

2007-08-17 16:23 1478656 --a------ C:\WINDOWS\system32\nview.dll

2007-08-17 16:23 147456 --a------ C:\WINDOWS\system32\nvcolor.exe

2007-08-17 16:23 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe

2007-08-17 16:23 1150976 --a------ C:\WINDOWS\system32\nvmobls.dll

2007-08-17 16:23 1073152 --a------ C:\WINDOWS\system32\nvcpluir.dll

2007-08-17 16:23 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll

2007-08-07 12:05 --------- d-------- C:\DOCUME~1\Heneborn\APPLIC~1\Samsung

2007-08-01 21:29 --------- d-------- C:\DOCUME~1\Heneborn\APPLIC~1\LimeWire

2007-07-31 13:59 --------- d-------- C:\DOCUME~1\Marcus\APPLIC~1\Apple Computer

2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll

2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll

2007-07-20 01:19 855886 --a------ C:\Program Files\AUG2007_d3dx10_35_x64.cab

2007-07-20 01:19 800467 --a------ C:\Program Files\AUG2007_d3dx10_35_x86.cab

2007-07-20 01:19 1803760 --a------ C:\Program Files\AUG2007_d3dx9_35_x64.cab

2007-07-20 01:18 44684 --a------ C:\Program Files\dxdllreg_x86.cab

2007-07-20 01:18 201696 --a------ C:\Program Files\AUG2007_XACT_x64.cab

2007-07-20 01:18 1711752 --a------ C:\Program Files\AUG2007_d3dx9_35_x86.cab

2007-07-20 01:18 156612 --a------ C:\Program Files\AUG2007_XACT_x86.cab

2007-07-20 00:57 267112 --a------ C:\WINDOWS\system32\xactengine2_9.dll

2007-07-20 00:54 18280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll

2007-07-20 00:48 976020 --------- C:\Program Files\BDAXP.cab

2007-07-20 00:48 917318 --------- C:\Program Files\Apr2006_MDX1_x86.cab

2007-07-20 00:48 88102 --------- C:\Program Files\AUG2006_xinput_x64.cab

2007-07-20 00:48 87989 --------- C:\Program Files\Apr2006_xinput_x64.cab

2007-07-20 00:48 86925 --------- C:\Program Files\Oct2005_xinput_x64.cab

2007-07-20 00:48 86709 --a------ C:\Program Files\dxupdate.cab

2007-07-20 00:48 77160 --a------ C:\WINDOWS\system32\DSETUP.dll

2007-07-20 00:48 77160 --a------ C:\Program Files\DSETUP.dll

2007-07-20 00:48 702644 --------- C:\Program Files\JUN2007_d3dx10_34_x64.cab

2007-07-20 00:48 702212 --------- C:\Program Files\APR2007_d3dx10_33_x64.cab

2007-07-20 00:48 702072 --------- C:\Program Files\JUN2007_d3dx10_34_x86.cab

2007-07-20 00:48 699465 --------- C:\Program Files\APR2007_d3dx10_33_x86.cab

2007-07-20 00:48 56902 --------- C:\Program Files\APR2007_xinput_x86.cab

2007-07-20 00:48 503144 --a------ C:\WINDOWS\system32\DXSETUP.exe

2007-07-20 00:48 503144 --a------ C:\Program Files\DXSETUP.exe

2007-07-20 00:48 47018 --------- C:\Program Files\AUG2006_xinput_x86.cab

2007-07-20 00:48 46898 --------- C:\Program Files\Apr2006_xinput_x86.cab

2007-07-20 00:48 46247 --------- C:\Program Files\Oct2005_xinput_x86.cab

2007-07-20 00:48 4163518 --------- C:\Program Files\Apr2006_MDX1_x86_Archive.cab

2007-07-20 00:48 213767 --------- C:\Program Files\DEC2006_d3dx10_00_x64.cab

2007-07-20 00:48 200722 --------- C:\Program Files\JUN2007_XACT_x64.cab

2007-07-20 00:48 199366 --------- C:\Program Files\APR2007_XACT_x64.cab

2007-07-20 00:48 198275 --------- C:\Program Files\FEB2007_XACT_x64.cab

2007-07-20 00:48 193435 --------- C:\Program Files\DEC2006_XACT_x64.cab

2007-07-20 00:48 192680 --------- C:\Program Files\DEC2006_d3dx10_00_x86.cab

2007-07-20 00:48 183863 --------- C:\Program Files\AUG2006_XACT_x64.cab

2007-07-20 00:48 183321 --------- C:\Program Files\OCT2006_XACT_x64.cab

2007-07-20 00:48 181745 --------- C:\Program Files\JUN2006_XACT_x64.cab

2007-07-20 00:48 180021 --------- C:\Program Files\Apr2006_XACT_x64.cab

2007-07-20 00:48 179247 --------- C:\Program Files\Feb2006_XACT_x64.cab

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

"CTHelper"="CTHELPER.EXE" [2005-08-08 08:10 C:\WINDOWS\CTHELPER.EXE]

"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-08 08:10 C:\WINDOWS\system32\CTXFIHLP.EXE]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-08-17 16:23]

"nwiz"="nwiz.exe" [2007-08-17 16:23 C:\WINDOWS\system32\nwiz.exe]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-14 09:11]

"EPSON Stylus Photo RX520 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.exe" [2005-04-07 06:00]

"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-08-17 16:23]

"nVidia Display Driver"="nvsvc64.exe" [2007-09-27 18:19 C:\WINDOWS\system32\nvsvc64.exe]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 21:00]

"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 10:06]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

 

R1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;C:\WINDOWS\system32\drivers\hcw88aud.sys

R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys

R3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;C:\WINDOWS\system32\drivers\hcw88bda.sys

R3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;C:\WINDOWS\system32\drivers\hcw88tse.sys

R3 HCW88TUNE;Hauppauge WinTV 88x Tuner;C:\WINDOWS\system32\drivers\hcw88tun.sys

R3 hcw88vid;Hauppauge WinTV 88x Video;C:\WINDOWS\system32\drivers\hcw88vid.sys

R3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;C:\WINDOWS\system32\drivers\HCW88BAR.sys

S3 ssm_bus;SAMSUNG Mobile USB Device II 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ssm_bus.sys

S3 ssm_mdfl;SAMSUNG Mobile USB Modem II 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys

S3 ssm_mdm;SAMSUNG Mobile USB Modem II 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys

 

*Newly Created Service* - CATCHME

.

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-28 11:35:40

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE?

CTxfiHlp = CTXFIHLP.EXE?

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-09-28 11:36:02

C:\ComboFix-quarantined-files.txt ... 2007-09-28 11:36

.

--- E O F ---[/log]

 


[log]Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:39:04, on 2007-09-28

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\PROGRA~1\Mozilla Firefox\firefox.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [EPSON Stylus Photo RX520 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE /P31 "EPSON Stylus Photo RX520 Series" /O6 "USB001" /M "Stylus Photo RX520"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [nVidia Display Driver] nvsvc64.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

 

--

End of file - 5722 bytes

[/log]

 


Set up Explorer so that you can see all files:

Tools - (Folder) Options or similar - View

Select Show hidden files and folders

Uncheck Hide extensions for known file types

Uncheck Hide protected operating system files

 

Go to C:\WINDOWS\system32, right-click the file nvsvc64.exe and choose Properties. Can the file be tied to any company or product?

If not, do this:

Go to http://www.virustotal.com/ , paste C:\WINDOWS\system32\nvsvc64.exe into the box, press Send File and wait until the result is ready (Current status becomes Finished). Paste the results from the various antivirus programs together with File size here.

Do you have 64-bit XP?

 

I had already removed those files after I ran MSNFix yesterday, it didn't solve anything, they were just screensavers.
Sure, but there are dangerous screensavers.

 

 


This was all it said when I tried to upload that file.

 

0 bytes size received / Se ha recibido un archivo vacio

 

However, my antivirus program (AVG) found the file after I allowed Windows to show all hidden files. It healed it and put it in quarantine (after I had tried VirusTotal). Is that enough?

 

I actually don't know whether it is 64-bit XP, where can one check that?

 


If AVG found something nasty in it, then that was it, and the rest doesn't matter.

 

Post a new HijackThis log here and we'll see how it looks now.

 


Awesome! Thanks so much for all the help!

 

[log]Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:41:29, on 2007-09-28

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [EPSON Stylus Photo RX520 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAGE.EXE /P31 "EPSON Stylus Photo RX520 Series" /O6 "USB001" /M "Stylus Photo RX520"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [nVidia Display Driver] nvsvc64.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJÄNST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

 

--

End of file - 5882 bytes

[/log]

 


Scan with HijackThis and tick:

 

O4 - HKLM\..\Run: [nVidia Display Driver] nvsvc64.exe

 

Close all other programs.

Press Fix checked.

 

Restart the computer and then post a new HijackThis log.

Check how MSN behaves now.

 

 

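As an added example (not from the thread or from HijackThis itself), a small Python script that applies the same two checks the helper made by hand to the O4 autostart lines of a HijackThis log: it flags entries that name a bare file (loaded via PATH search, so the log does not say which directory it comes from) and entries that differ from a listed running process only in their digits, which is what makes nvsvc64.exe stand out next to the genuine nvsvc32.exe. The sample log lines are constructed to match the shape of the logs above.

```python
# Added example (not from the thread or HijackThis): triage the O4 autostart
# lines of a HijackThis log. It flags entries that name a bare file (found via
# PATH search, so the directory is unknown) and entries that differ from a
# running process only in their digits, as nvsvc64.exe does from nvsvc32.exe.
import re
from pathlib import PureWindowsPath

SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nVidia Display Driver] nvsvc64.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""  # constructed sample in the shape of a HijackThis 2.0.2 log
O4_RE = re.compile(r"^O4 - [^:]+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def first_token(cmd):
    # Executable part of a Run value: a quoted path or the first word.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]

def running_processes(log_text):
    # Lower-cased file names under "Running processes:", up to the blank line.
    block = log_text.split("Running processes:", 1)[1].split("\n\n", 1)[0]
    return {PureWindowsPath(p.strip()).name.lower() for p in block.splitlines() if p.strip()}

def digitless_stem(filename):
    return re.sub(r"\d+", "", PureWindowsPath(filename).stem.lower())

def triage(log_text):
    # Entry name -> details plus a reason a human should verify it, or None.
    procs, findings = running_processes(log_text), {}
    for m in filter(None, map(O4_RE.match, log_text.splitlines())):
        target = first_token(m["cmd"])
        exe = PureWindowsPath(target).name.lower()
        lookalike = sorted(p for p in procs
                           if p != exe and digitless_stem(p) == digitless_stem(exe))
        bare = "\\" not in target
        reason = ("lookalike of " + ", ".join(lookalike) if lookalike
                  else "bare file name, resolved via PATH search" if bare else None)
        findings[m["name"]] = {"exe": exe, "bare_path": bare,
                               "lookalike_of": lookalike, "reason": reason}
    return findings
```

A flagged entry is a cue to verify the file (Properties, VirusTotal) as the helper did, not a verdict: the Creative entries CTHELPER.EXE and CTXFIHLP.EXE in the logs above are bare names too and are legitimate.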

Thank you too for the points! :)

 

[log]Here are my usual tips for a safer computer, but of course it is also important to use your common sense.

 

Update from Windows Update and run the anti-spyware programs AVG Anti-Spyware (Ewido), SUPERAntiSpyware Free Edition and/or Spybot S&D regularly.

http://www.ewido.net/en/

http://www.superantispyware.com/

http://www.safer-networking.org/en/download/index.html

 

Use a firewall (better than the one built into XP); there are free ones, e.g. Comodo (advanced) and ZoneAlarm (easier to use).

http://www.personalfirewall.comodo.com/

http://www.zonealarm.com/store/content/company/products/znalm/freeDownload.jsp

The link "I only want basic ZoneAlarm protection", or at

http://www.majorgeeks.com/ZoneAlarm_Free_d388.html

 

Complement the antivirus program with a few online scans now and then:

http://www.eset.eu/online-scanner

http://housecall.trendmicro.com/

http://www.bitdefender.com/scan8/ie.html

http://www.pandasoftware.com/products/activescan/

 

If you use Internet Explorer, it can be a good idea to have the program SpywareBlaster, which stops a good many nasty programs from being downloaded http://www.javacoolsoftware.com , and also to run IE-SpyAd, which puts a whole lot of nasty websites in the Restricted sites zone in Internet Explorer so that they cannot do anything to the computer http://www.spywarewarrior.com/uiuc/resource.htm

 

Review the security settings in Internet Explorer; there are plenty of tips at:

http://surfthenetsafely.com/surfsafely6.htm

http://www.spywarewarrior.com/uiuc/btw/ie/ie-opts.htm

 

If you use the Firefox browser, it is a good idea to have the NoScript add-on.

http://www.mozilla.com

https://addons.mozilla.org/firefox/722/

 

See which websites are safe/unsafe with the help of SiteAdvisor http://www.siteadvisor.com

 

All free for home users/personal use.

[/log]

 
