Guest idgadmin Posted December 14, 2004

OK, here comes a new bat file. I will not shut down or restart the computer now.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volymen i enhet C har etiketten Pepparkaka
Volymens serienummer är 709B-60D9

Innehåll i katalogen C:\WINDOWS\System32

2004-12-13 22:51 224 375 f2j20c1oef.dll
2004-12-13 22:51 224 955 u4rule991h.dll
2004-12-13 09:19 223 008 d20m0cd1ef0.dll
2004-12-10 17:36 224 424 enlul1391.dll
2004-12-09 13:40 226 082 gpn8l35u1.dll
2004-12-07 18:41 223 389 j6n20g5oe6.dll
2004-12-06 14:56 226 281 koddv.dll
2004-12-04 14:29 dllcache
2004-12-03 15:56 224 676 r68s0gl7e6q.dll
2004-12-03 15:56 223 193 dn2001fme.dll
2004-12-03 08:49 224 552 cuc.dll
2004-12-03 00:30 224 340 fp2q03f5e.dll
2004-12-02 22:47 224 976 ktlql7351.dll
2004-12-02 20:06 223 848 j6j60g1se6.dll
2003-08-22 11:46 Microsoft
13 fil(er) 2 918 099 byte
2 katalog(er) 66 601 107 456 byte ledigt

------- Hidden Files in System32 Directory -------

Volymen i enhet C har etiketten Pepparkaka
Volymens serienummer är 709B-60D9

Innehåll i katalogen C:\WINDOWS\System32

2004-12-14 10:32 20 700 FFASTLOG.TXT
2004-12-04 14:29 dllcache
2003-08-28 22:47 488 WindowsLogon.manifest
2003-08-28 22:47 488 logonui.exe.manifest
2003-08-28 22:47 749 cdplayer.exe.manifest
2003-08-28 22:47 749 sapi.cpl.manifest
2003-08-28 22:47 749 nwc.cpl.manifest
2003-08-28 22:47 749 wuaucpl.cpl.manifest
2003-08-28 22:47 749 ncpa.cpl.manifest
8 fil(er) 25 421 byte
1 katalog(er) 66 601 107 456 byte ledigt

---------- Files Named "Guard" -------------

Volymen i enhet C har etiketten Pepparkaka
Volymens serienummer är 709B-60D9

Innehåll i katalogen C:\WINDOWS\System32

2004-12-14 10:32 223 047 guard.tmp
1 fil(er) 223 047 byte
0 katalog(er) 66 601 103 360 byte ledigt

--------- Temp Files in System32 Directory --------

Volymen i enhet C har etiketten Pepparkaka
Volymens serienummer är 709B-60D9

Innehåll i katalogen C:\WINDOWS\System32

2004-12-14 10:32 223 047 guard.tmp
2002-09-11 13:00 2 578 CONFIG.TMP
2 fil(er) 225 625 byte
0 katalog(er) 66 601 103 360 byte ledigt

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A6160020-AEC8-4BDC-8B40-1577144F87E1}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\u4rule991h.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------

C:\WINDOWS\SYSTEM32\F2J20C~1.DLL +++ File read error

-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32
cuc.dll Fri 2004-12-03 8.49.38 ..S.R 224 552 219,29 K
d20m0c~1.dll Mon 2004-12-13 9.19.04 ..S.R 223 008 217,78 K
dn2001~1.dll Fri 2004-12-03 15.56.06 ..S.R 223 193 217,96 K
enlul1~1.dll Fri 2004-12-10 17.36.36 ..S.R 224 424 219,16 K
f2j20c~1.dll Mon 2004-12-13 22.51.18 ..S.R 224 375 219,11 K
ffastlog.txt Tue 2004-12-14 10.32.28 A..H. 20 700 20,21 K
fp2q03~1.dll Fri 2004-12-03 0.30.34 ..S.R 224 340 219,08 K
gpn8l3~1.dll Thu 2004-12-09 13.40.46 ..S.R 226 082 220,78 K
j6j60g~1.dll Thu 2004-12-02 20.06.26 ..S.R 223 848 218,60 K
j6n20g~1.dll Tue 2004-12-07 18.41.58 ..S.R 223 389 218,15 K
koddv.dll Mon 2004-12-06 14.56.26 ..S.R 226 281 220,98 K
ktlql7~1.dll Thu 2004-12-02 22.47.04 ..S.R 224 976 219,70 K
r68s0g~1.dll Fri 2004-12-03 15.56.10 ..S.R 224 676 219,41 K
u4rule~1.dll Mon 2004-12-13 22.51.14 ..S.R 224 955 219,68 K

14 items found: 14 files, 0 directories.
Total of file sizes: 2 938 799 bytes 2,80 M
Zipp. Posted December 14, 2004

Delete the KillBox and the KillBox.zip you downloaded earlier. Get this newer version:
http://www.downloads.subratam.org/KillBox.zip

After that, disconnect the computer from the network. Unzip it on the desktop into a new folder. Open it and click Tools. Then click Delete Temp Files and answer OK.

Then copy and paste the following files, one at a time, into the field Full Path of File to Delete. After each file, press the Delete button (red with a white X on it). Note carefully which files you get a message for saying they cannot be found or do not exist.

C:/WINDOWS/SYSTEM32/ f2j20c1oef.dll
C:/WINDOWS/SYSTEM32/ u4rule991h.dll
C:/WINDOWS/SYSTEM32/ d20m0cd1ef0.dll
C:/WINDOWS/SYSTEM32/ enlul1391.dll
C:/WINDOWS/SYSTEM32/ gpn8l35u1.dll
C:/WINDOWS/SYSTEM32/j6n20g5oe6.dll
C:/WINDOWS/SYSTEM32/ koddv.dll
C:/WINDOWS/SYSTEM32/ r68s0gl7e6q.dll
C:/WINDOWS/SYSTEM32/dn2001fme.dll
C:/WINDOWS/SYSTEM32/ cuc.dll
C:/WINDOWS/SYSTEM32/fp2q03f5e.dll
C:/WINDOWS/SYSTEM32/ ktlql7351.dll
C:/WINDOWS/SYSTEM32/ j6j60g1se6.dll
C:/WINDOWS/SYSTEM32/guard.tmp

Then tick Delete on Reboot in KillBox. Then do the same thing with all the files that were not found or do not exist. After each file, answer No. When you have pasted in the last file, answer Yes, restart the computer and post a new Find.bat.
Guest idgadmin Posted December 14, 2004

Three files were removed right away:

C:/WINDOWS/SYSTEM32/j6n20g5oe6.dll
C:/WINDOWS/SYSTEM32/dn2001fme.dll
C:/WINDOWS/SYSTEM32/guard.tmp

When I was supposed to reboot on the last one, nothing happened, because once the computer has become a bit strange after a while you cannot restart it; you have to switch it off and on. I hope that does not affect the process.

Here comes the new find.bat file:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volymen i enhet C har etiketten Pepparkaka
Volymens serienummer är 709B-60D9

Innehåll i katalogen C:\WINDOWS\System32

2004-12-14 11:56 224 955 cxm.dll
2004-12-14 11:56 225 010 hrn0055me.dll
2004-12-13 22:51 224 375 f2j20c1oef.dll
2004-12-13 22:51 224 955 u4rule991h.dll
2004-12-13 09:19 223 008 d20m0cd1ef0.dll
2004-12-10 17:36 224 424 enlul1391.dll
2004-12-09 13:40 226 082 gpn8l35u1.dll
2004-12-06 14:56 226 281 koddv.dll
2004-12-04 14:29 dllcache
2004-12-03 15:56 224 676 r68s0gl7e6q.dll
2004-12-03 08:49 224 552 cuc.dll
2004-12-02 22:47 224 976 ktlql7351.dll
2004-12-02 20:06 223 848 j6j60g1se6.dll
2003-08-22 11:46 Microsoft
12 fil(er) 2 697 142 byte
2 katalog(er) 66 628 165 632 byte ledigt

------- Hidden Files in System32 Directory -------

Volymen i enhet C har etiketten Pepparkaka
Volymens serienummer är 709B-60D9

Innehåll i katalogen C:\WINDOWS\System32

2004-12-14 11:56 20 733 FFASTLOG.TXT
2004-12-04 14:29 dllcache
2003-08-28 22:47 488 WindowsLogon.manifest
2003-08-28 22:47 488 logonui.exe.manifest
2003-08-28 22:47 749 cdplayer.exe.manifest
2003-08-28 22:47 749 sapi.cpl.manifest
2003-08-28 22:47 749 nwc.cpl.manifest
2003-08-28 22:47 749 wuaucpl.cpl.manifest
2003-08-28 22:47 749 ncpa.cpl.manifest
8 fil(er) 25 454 byte
1 katalog(er) 66 628 165 632 byte ledigt

---------- Files Named "Guard" -------------

Volymen i enhet C har etiketten Pepparkaka
Volymens serienummer är 709B-60D9

Innehåll i katalogen C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volymen i enhet C har etiketten Pepparkaka
Volymens serienummer är 709B-60D9

Innehåll i katalogen C:\WINDOWS\System32

2002-09-11 13:00 2 578 CONFIG.TMP
1 fil(er) 2 578 byte
0 katalog(er) 66 628 161 536 byte ledigt

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A6160020-AEC8-4BDC-8B40-1577144F87E1}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\u4rule991h.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------

C:\WINDOWS\System32\CXM.DLL +++ File read error

-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32
cuc.dll Fri 2004-12-03 8.49.38 ..S.R 224 552 219,29 K
cxm.dll Tue 2004-12-14 11.56.24 ..S.R 224 955 219,68 K
d20m0c~1.dll Mon 2004-12-13 9.19.04 ..S.R 223 008 217,78 K
enlul1~1.dll Fri 2004-12-10 17.36.36 ..S.R 224 424 219,16 K
f2j20c~1.dll Mon 2004-12-13 22.51.18 ..S.R 224 375 219,11 K
ffastlog.txt Tue 2004-12-14 11.56.32 A..H. 20 733 20,25 K
gpn8l3~1.dll Thu 2004-12-09 13.40.46 ..S.R 226 082 220,78 K
hrn005~1.dll Tue 2004-12-14 11.56.24 ..S.R 225 010 219,73 K
j6j60g~1.dll Thu 2004-12-02 20.06.26 ..S.R 223 848 218,60 K
koddv.dll Mon 2004-12-06 14.56.26 ..S.R 226 281 220,98 K
ktlql7~1.dll Thu 2004-12-02 22.47.04 ..S.R 224 976 219,70 K
r68s0g~1.dll Fri 2004-12-03 15.56.10 ..S.R 224 676 219,41 K
u4rule~1.dll Mon 2004-12-13 22.51.14 ..S.R 224 955 219,68 K

13 items found: 13 files, 0 directories.
Total of file sizes: 2 717 875 bytes 2,59 M
Zipp. Posted December 14, 2004

Huh... the files come back. There is something I am missing, but I don't know what. I found this one, try it and see if it works.
http://www.lavasoftsupport.com/index.php?showtopic=54511
Otherwise we will have to try again.
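Added example, not part of any post in this thread: Python code that reads a Find.bat report like the two above, decodes each DllName under Winlogon\Notify, and returns the subkeys whose DLL is also one of the files in the report's System32 listing. Winlogon loads the DLLs registered under Notify, so such an entry is a registry reference that stays in place when only the file is deleted. The function names and the shortened sample report are constructed for illustration.

```python
import re

# Constructed sample: a shortened Find.bat report built from lines in the logs above.
SAMPLE = r'''------- System Files in System32 Directory -------
2004-12-13 22:51 224 375 f2j20c1oef.dll
2004-12-13 22:51 224 955 u4rule991h.dll
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall]
"DllName"="C:\\WINDOWS\\system32\\u4rule991h.dll"
---------------- Xfind Results -----------------
'''

def sections(report):
    """Split a Find.bat report into {title: [lines]} on its '--- title ---' rulers."""
    out, current = {}, None
    for line in report.splitlines():
        m = re.fullmatch(r"-{3,}\s*(.+?)\s*-{3,}", line.strip())
        if m:
            current = out.setdefault(m.group(1), [])
        elif current is not None and line.strip():
            current.append(line.strip())
    return out

def decode_value(raw):
    """Decode a REGEDIT4 value: a quoted string or hex(2) (REG_EXPAND_SZ, ANSI bytes)."""
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.rstrip(b"\x00").decode("latin-1")
    return raw.strip('"').replace("\\\\", "\\")

def notify_dlls(report):
    """Map each Winlogon\\Notify subkey name to the DLL it registers."""
    result, key = {}, None
    for line in sections(report).get("Keys Under Notify", []):
        if line.startswith("["):
            key = line.strip("[]").rsplit("\\", 1)[-1]
        elif key and line.lower().startswith('"dllname"='):
            result[key] = decode_value(line.split("=", 1)[1])
    return result

def system_files(report):
    """Lower-cased names from the 'System Files in System32 Directory' listing."""
    lines = sections(report).get("System Files in System32 Directory", [])
    return {l.split()[-1].lower() for l in lines if re.match(r"\d{4}-\d\d-\d\d ", l)}

def flagged_notify_entries(report):
    """Notify subkeys whose DLL is one of the System32 files Find.bat listed."""
    listed = system_files(report)
    return {k: v for k, v in notify_dlls(report).items()
            if v.rsplit("\\", 1)[-1].lower() in listed}
```

On the constructed sample, `flagged_notify_entries(SAMPLE)` returns only the `Uninstall` subkey.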
Zipp. Posted December 14, 2004

You can also have a look at what this is: C:/WINDOWS/SYSTEM32/ffastlog.txt
Guest idgadmin Posted December 14, 2004

That fastlogg file does not seem suspicious. It said something about quick search or so. But I will try every step on that page. I just hope I understand all the steps.
927 Posted December 14, 2004

It could possibly be that System Restore is causing the trouble...
Zipp. Posted December 15, 2004

How did the cleanup go?
Guest idgadmin Posted December 18, 2004

Hi zipp! I never tried the steps; I reformatted the computer and reinstalled Windows. So now it works flawlessly without viruses. Thanks very much for the help anyway!