Have had an MSN virus - HJ log + the three other logs
Yogo
Number of posts: 9

Hi. I'm also one of the lucky ones who has got an MSN worm onto the computer. I have followed your "recipe" and run Dr.Web, Ewido, SAS and ComboFix. I didn't know whether I should copy all four logs into the same post, but that's what I've done.
After the scan with Ewido it says you should restart normally. That wasn't possible for me, and I had to boot into safe mode again (don't know whether that matters). When it was loading Windows, a blue screen with 3-4 lines of text flashed briefly before it restarted itself... and it kept doing that until I stopped it myself.

But here are the log files anyway. Hope you can help me get it cleaned out.


Logfile of HijackThis v1.99.1
Scan saved at 11:19:44, on 05-12-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ejer\Skrivebord\Alternativ.exe
C:\Programmer\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.dk/0SEDADK/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ofir.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: C:\WINDOWS\system32\zkPeCrypt.dll - {8A5849C4-93F3-429D-FF34-660A2068897C} - C:\WINDOWS\system32\zkPeCrypt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\da\msntb.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [WINDOWS] C:\egnt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://opdatering.tdc.dk/csp/authenticode/tdccsp-0506.exe
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)


Ejer - 06-12-05 11:07:57,43   Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Ejer\Skrivebord"

((((((((((((((((((((((((((((((((((((((((((((  Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\Ejer\Application Data\Install.dat
C:\Programmer\Inetget2
C:\Programmer\Fælles filer\{3CA3A260-0380-1030-1119-01091220002d}
C:\Programmer\Fælles filer\{6CA3A260-0380-1030-1119-01091220002d}


(((((((((((((((((((((((((((((((  Files Created from 2006-11-05 to 2006-12-05 ))))))))))))))))))))))))))))))))))


2006-12-04 22:26  <DIR>  d--------  C:\Documents and Settings\Ejer\DoctorWeb
2006-12-04 22:10  <DIR>  d--------  C:\Programmer\SUPERAntiSpyware
2006-12-04 22:10  <DIR>  d--------  C:\Documents and Settings\Ejer\Application Data\SUPERAntiSpyware.com
2006-12-04 22:05  <DIR>  d--------  C:\Programmer\ewido
2006-12-04 21:24  <DIR>  d--------  C:\Program Files
2006-12-04 21:21  391  --a------  C:\WINDOWS\system32\z14.exe
2006-12-04 21:21  13,824  --a------  C:\gcue.exe
2006-12-04 21:21  10,000  --a------  C:\WINDOWS\system32\zkPeCrypt.dll
2006-12-04 21:20  46,592  --a------  C:\WINDOWS\system32\zlbw.dll
2006-12-04 21:20  3,584  -rahs----  C:\WINDOWS\system32\z271737132964.exe
2006-12-04 21:20  1,941  --a------  C:\xfeq.exe
2006-12-04 21:19  81,920  --a------  C:\WINDOWS\system32\Packet.dll
2006-12-04 21:19  61,440  --a------  C:\WINDOWS\system32\WanPacket.dll
2006-12-04 21:19  53,299  --a------  C:\WINDOWS\system32\pthreadVC.dll
2006-12-04 21:19  32,512  --a------  C:\WINDOWS\system32\drivers\npf.sys
2006-12-04 21:19  233,472  --a------  C:\WINDOWS\system32\wpcap.dll
2006-12-04 21:18  9,292  --a------  C:\WINDOWS\system32\z1481.exe
2006-12-04 21:18  <DIR>  d--------  C:\WINDOWS\inet20000
2006-12-04 21:17  85,504  --a------  C:\egnt.exe
2006-12-04 21:17  77,824  --a------  C:\WINDOWS\system32\gotgo.exe
2006-12-04 21:17  77,824  --a------  C:\Documents and Settings\Ejer\gotgo.exe
2006-12-04 21:17  16,185  --a------  C:\lwqojwt.exe
2006-12-04 21:17  138,565  --a------  C:\WINDOWS\system32\mcc.exe
2006-12-04 21:17  138,565  --a------  C:\Documents and Settings\Ejer\mcc.exe
2006-12-04 21:17  122,880  --a------  C:\WINDOWS\system32\winstall.exe
2006-12-04 21:17  122,880  --a------  C:\Documents and Settings\Ejer\winstall.exe


((((((((((((((((((((((((((((((((((((((((((((((((  Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-12-05 11:08  --------  d--------  C:\Programmer\Fælles filer
2006-12-04 23:29  --------  d--------  C:\Programmer\PacificPoker
2006-12-04 22:09  --------  d--------  C:\Programmer\Fælles filer\Wise Installation Wizard
2006-12-04 21:55  --------  d--------  C:\Programmer\Fælles filer\Microsoft Shared
2006-12-04 21:46  --------  d--------  C:\Programmer\MSN Messenger
2006-09-13 06:06  1084416  --a------  C:\WINDOWS\system32\msxml3.dll


((((((((((((((((((((((((((((((((((((((((((  Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SUPERAntiSpyware"="C:\\Programmer\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TrackPointSrv"="tp4mon.exe"
"WINDOWS"="C:\\egnt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Min aktuelle startside"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{8A5849C4-93F3-429D-FF34-660A2068897C}"="OpenGL additional"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-12-05 11:09:38.36
C:\ComboFix.txt ... 06-12-05 11:09

SUPERAntiSpyware Scan Log
Generated 12/05/2006 at 00:57 AM

Application Version : 3.3.1020

Core Rules Database Version : 3107
Trace Rules Database Version: 1133

Scan type     : Complete Scan
Total Scan Time : 00:09:20

Memory items scanned     : 168
Memory threats detected   : 0
Registry items scanned   : 3811
Registry threats detected : 45
File items scanned     : 276
File threats detected   : 6

Trojan.Downloader-AVPMon
[Recoveru systems] C:\DOCUME~1\EJER\LOKALE~1\TEMP\SVCHOST.EXE
C:\DOCUME~1\EJER\LOKALE~1\TEMP\SVCHOST.EXE

Trojan.Update-Mcboo
[{6CA3A260-0380-1030-1119-01091220002d}] C:\PROGRAMMER\FæLLES FILER\{6CA3A260-0380-1030-1119-01091220002D}\UPDATE.EXE
C:\PROGRAMMER\FæLLES FILER\{6CA3A260-0380-1030-1119-01091220002D}\UPDATE.EXE
C:\WINDOWS\Prefetch\UPDATE.EXE-23CE5EB7.pf

Trojan.Downloader-RPCC
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc
C:\WINDOWS\SYSTEM32\RPCC.DLL
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc#DllName
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc#Asynchronous
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc#Impersonate
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc#Startup

Browser Hijacker.Glotka
HKCR\CLSID\{14D1A72D-8705-11D8-B120-0040F46CB696}
HKCR\CLSID\{14D1A72D-8705-11D8-B120-0040F46CB696}\InprocServer32
HKCR\CLSID\{14D1A72D-8705-11D8-B120-0040F46CB696}\InprocServer32#ThreadingModel
HKCR\CLSID\{14D1A72D-8705-11D8-B120-0040F46CB696}\ProgID
HKCR\CLSID\{14D1A72D-8705-11D8-B120-0040F46CB696}\Programmable
HKCR\CLSID\{14D1A72D-8705-11D8-B120-0040F46CB696}\TypeLib
HKCR\CLSID\{14D1A72D-8705-11D8-B120-0040F46CB696}\VersionIndependentProgID
HKCR\Bho_html.edit_html
HKCR\Bho_html.edit_html\CLSID
HKCR\Bho_html.edit_html\CurVer
HKCR\Bho_html.edit_html.1
HKCR\Bho_html.edit_html.1\CLSID
HKCR\TypeLib\{14D1A720-8705-11D8-B120-0040F46CB696}
HKCR\TypeLib\{14D1A720-8705-11D8-B120-0040F46CB696}\1.0
HKCR\TypeLib\{14D1A720-8705-11D8-B120-0040F46CB696}\1.0\0
HKCR\TypeLib\{14D1A720-8705-11D8-B120-0040F46CB696}\1.0\0\win32
HKCR\TypeLib\{14D1A720-8705-11D8-B120-0040F46CB696}\1.0\FLAGS
HKCR\TypeLib\{14D1A720-8705-11D8-B120-0040F46CB696}\1.0\HELPDIR
HKCR\Interface\{14D1A72C-8705-11D8-B120-0040F46CB696}
HKCR\Interface\{14D1A72C-8705-11D8-B120-0040F46CB696}\ProxyStubClsid
HKCR\Interface\{14D1A72C-8705-11D8-B120-0040F46CB696}\ProxyStubClsid32
HKCR\Interface\{14D1A72C-8705-11D8-B120-0040F46CB696}\TypeLib
HKCR\Interface\{14D1A72C-8705-11D8-B120-0040F46CB696}\TypeLib#Version
HKU\S-1-5-21-602162358-507921405-854245398-1003\Software\fid

Trojan.SpySheriff
C:\Program Files\SpySheriff\Uninstall.#xe
C:\Program Files\SpySheriff

Trojan.PestTrap
HKU\S-1-5-21-602162358-507921405-854245398-1003\Software\SNO2

Adware.Toolbar888
HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}
HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0
HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\0
HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\0\win32
HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\FLAGS
HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\HELPDIR
HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}
HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\ProxyStubClsid
HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\ProxyStubClsid32
HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\TypeLib
HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\TypeLib#Version

Adware.IPWins
HKU\S-1-5-21-602162358-507921405-854245398-1003\Software\IpWins

28.tmp c:\documents and settings\ejer\lokale indstillinger\temp Trojan.EmailSpy Deleted.
888bar.dll c:\programmer\fælles filer\{3ca3a260-0380-1030-1119-01091220002d} Adware.IWantSearch
services.exe c:\windows\inet20000 Trojan.Doma Deleted.
svchost.exe c:\windows\inet20000 Trojan.EmailSpy Deleted.
cmd32.exe c:\windows\system32 Trojan.DownLoader.15527 Deleted.
kernels1118.exe c:\windows\system32 Trojan.DownLoader.14191 Deleted.
msasvc.exe c:\windows\system32 Trojan.Starter.112 Deleted.
nordsys.exe c:\windows\system32 Trojan.Spambot Deleted.
taskdir.exe c:\windows\system32 Trojan.Spambot Deleted.
z271737138141.exe c:\windows\system32 Trojan.DownLoader.15541 Deleted.
sysvx_.exe c:\windows Trojan.Proxy.795 Deleted.
winstall.exe c:\ Trojan.Fakealert Deleted.
ost.exe C:\Documents and Settings\Ejer Trojan.Spambot Deleted.
wpcem.exe C:\Documents and Settings\Ejer Trojan.EmailSpy Deleted.
25.tmp C:\Documents and Settings\Ejer\Lokale indstillinger\Temp Trojan.Spambot Deleted.
EtqIKprhi C:\Documents and Settings\Ejer\Lokale indstillinger\Temp Trojan.Fakealert Deleted.
her.pt C:\Documents and Settings\Ejer\Lokale indstillinger\Temp Dialer.Maxd Deleted.
installer.exe C:\Documents and Settings\Ejer\Lokale indstillinger\Temp Trojan.MulDrop.924 Deleted.
IqrCIdmhg C:\Documents and Settings\Ejer\Lokale indstillinger\Temp Trojan.Fakealert Deleted.
maxdd1.game C:\Documents and Settings\Ejer\Lokale indstillinger\Temp Dialer.Maxd Deleted.
Uninstall.exe C:\Program Files\SpySheriff Adware.Spysheriff Renamed.
ibm00001.dll C:\Programmer\Fælles filer\Microsoft Shared\Web Folders Trojan.PWS.Snap Incurable.Moved.
888Bar.dll C:\Programmer\Fælles filer\{3CA3A260-0380-1030-1119-01091220002d} Adware.IWantSearch Renamed.
pv.exe C:\Programmer\PacificPoker Program.PrcView.3725 Renamed.
A0016154.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP342 Trojan.PurityAd Incurable.Moved.
A0016170.dll C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP342 Trojan.Proxy.718 Deleted.
A0016174.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP342 Trojan.Proxy.795 Deleted.
A0016175.dll C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP342 Trojan.PWS.Micro Deleted.
A0016176.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP342 Trojan.DownLoader.11981 Deleted.
A0016177.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP342 Trojan.DownLoader.13046 Deleted.
A0016178.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP343 Trojan.DownLoader.13046 Deleted.
A0016260.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP345 Trojan.Killer Deleted.
A0016262.dll C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP345 Trojan.Click.1564 Deleted.
A0016263.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP345 Trojan.EmailSpy Deleted.
A0016286.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP346 Trojan.Doma Deleted.
A0016287.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP346 Trojan.EmailSpy Deleted.
A0016288.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP346 Trojan.DownLoader.15527 Deleted.
A0016289.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP346 Trojan.DownLoader.14191 Deleted.
A0016290.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP346 Trojan.Starter.112 Deleted.
A0016291.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP346 Trojan.Spambot Deleted.
A0016292.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP346 Trojan.Spambot Deleted.
A0016293.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP346 Trojan.DownLoader.15541 Deleted.
A0016294.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP346 Trojan.Proxy.795 Deleted.
A0016295.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP346 Trojan.Fakealert Deleted.
A0016296.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP346 Trojan.Spambot Deleted.
A0016297.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP346 Trojan.EmailSpy Deleted.
A0016298.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP346 Adware.Spysheriff Renamed.
A0016299.dll C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP346 Trojan.PWS.Snap Incurable.Moved.
A0016300.dll C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP346 Adware.IWantSearch Renamed.
A0016301.exe C:\System Volume Information\_restore{7011F358-D015-4025-9CB4-DA4116D7F87D}\RP346 Program.PrcView.3725 Renamed.
speedtest2.dll C:\WINDOWS\Downloaded Program Files Adware.Matcash Renamed.
124205753.dll C:\WINDOWS\inet20000 Trojan.Click.1564 Deleted.
killer.exe C:\WINDOWS\inet20000 Trojan.Killer Deleted.
killer.exe.bak C:\WINDOWS\inet20000 Trojan.Killer Deleted.
mmx666.exe C:\WINDOWS\inet20000 Trojan.Spambot Deleted.
mmx807.exe C:\WINDOWS\inet20000 Trojan.Spambot Deleted.
svchost.exe.bak C:\WINDOWS\inet20000 Trojan.EmailSpy Deleted.
wpcem.exe C:\WINDOWS\inet20000 Trojan.EmailSpy Deleted.
adir.dll C:\WINDOWS\system32 Trojan.PWS.Micro Deleted.
comdlg64.dll C:\WINDOWS\system32 Trojan.Proxy.718 Deleted.
dial23.exe C:\WINDOWS\system32 Dialer.Maxd Deleted.
google.png.exe C:\WINDOWS\system32 Trojan.Spambot Deleted.
j81Rtip.exe C:\WINDOWS\system32 Trojan.Spambot Deleted.
maxd641.exe C:\WINDOWS\system32 Dialer.Maxd Deleted.
ost.exe C:\WINDOWS\system32 Trojan.Spambot Deleted.
se.exe.exe C:\WINDOWS\system32 Trojan.Spambot Deleted.
ss.exe.exe C:\WINDOWS\system32 Trojan.Spambot Deleted.
start32.exe C:\WINDOWS\system32 Trojan.DownLoader.11981 Deleted.
sysvx.exe C:\WINDOWS\system32 Trojan.Proxy.795 Deleted.
w.exe C:\WINDOWS\system32 Trojan.Spambot Deleted.
w.exe.exe C:\WINDOWS\system32 Trojan.Spambot Deleted.
z11.exe C:\WINDOWS\system32 Trojan.MulDrop.4521 Deleted.
z12.exe C:\WINDOWS\system32 Trojan.DownLoader.14964 Deleted.
z13.exe C:\WINDOWS\system32 Trojan.Spambot Deleted.
z15.exe\data001 C:\WINDOWS\system32\z15.exe Trojan.DownLoader.11981
z15.exe\data002 C:\WINDOWS\system32\z15.exe Trojan.DownLoader.13046
z15.exe C:\WINDOWS\system32 Archive contains infected objects Moved.
z16.exe C:\WINDOWS\system32 Trojan.Proxy.795 Deleted.
z211.exe C:\WINDOWS\system32 Trojan.Doma Deleted.
z2457.exe C:\WINDOWS\system32 Trojan.DownLoader.14191 Deleted.
z2644.exe C:\WINDOWS\system32 Trojan.DownLoader.15527 Deleted.
z271737119084.exe C:\WINDOWS\system32 Trojan.DownLoader.15542 Deleted.
z2908.exe C:\WINDOWS\system32 Trojan.Spambot Deleted.
z3720.dll C:\WINDOWS\system32 Trojan.DownLoader.14191 Deleted.

Administrator
Number of posts: 32075

Hi Yogo, and welcome :)

Unfortunately you are also infected with a rootkit, so we have moved you over to the rootkit section.

Slightly different rules apply here:
http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=29320


Download CCleaner: [url="http://www.ccleaner.com/ccdownload.asp"]Ccleaner[/url]

Install the program, but don't run it yet!
Remember to choose Danish during the installation.
The CCleaner program removes superfluous temp files
and makes the scans below faster.

Danish manual:
[url="http://spywareinfo.dk/#/manualer/ccleaner.htm"]Ccleaner manual[/url]

Click Start -> Run. Type: Services.msc and press OK.
Find the following service, right-click it and choose Properties. Under Startup type, choose Disabled.
Microsoft authenticate service (MsaSvc)


Run a scan with HijackThis so you can see all the files.

Below you get some files that you need to fix. What you do is put a check mark next to these files. When you have done that, close all other windows. It is very important that the only window open is the HijackThis window. Now you may fix. Click Fix checked:
O2 - BHO: C:\WINDOWS\system32\zkPeCrypt.dll - {8A5849C4-93F3-429D-FF34-660A2068897C} - C:\WINDOWS\system32\zkPeCrypt.dll
O4 - HKLM\..\Run: [WINDOWS] C:\egnt.exe
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll


I suggest you print out the steps below, since you can't see the guide in safe mode.

Restart into safe mode


Open Explorer, go up to the toolbar, click Tools => Folder Options => View.
Uncheck "Hide protected operating system files".
Uncheck "Hide extensions for known file types".
Select "Show hidden files and folders".

Delete the files and folders below, marked in bold. Don't be surprised if you can't find all the files or folders, as they may have been removed automatically during the fix with HijackThis.

Files:
C:\WINDOWS\system32\zkPeCrypt.dll
C:\egnt.exe


Now run CCleaner, which you downloaded earlier.
Uncheck Cookies.
Then click "Cleaner" in the menu on the left.
Now click the "Run Cleaner" button - do this at least 2 times.
Close the program.

Restart normally

Download this tool and save it to the desktop:
http://www.uploads.ejvindh.net/rustbfix.exe

Double-click the tool. If the tool finds a Rustock infection, you will shortly be asked to restart the computer. Accept this. The restart may take quite a while, and 2 restarts may be needed, but this will happen completely automatically.

When the restart is finished, 2 log files will open, which you should copy into the thread together with a new HijackThis log.

Signature

Common computer sense

Yogo
Number of posts: 9

Thanks for the help so far. I have now followed the recipe and here are the three logs:


************************* Rustock.b-fix—By ejvindh *************************
05-12-2006 16:56:44,49


******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure...
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
  :lzx32.sys                     68968
Total size: 68968 bytes.
Attempting to remove ADS...
system32: deleted 68968 bytes in 1 streams.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************************* End of Logfile ********************************


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\lhahsick

*******************

Script file located at: \??\C:\Documents and Settings\esfksybp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished!  Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 17:04:16, on 05-12-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\tp4mon.exe
C:\WINDOWS\system32\inet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ejer\Skrivebord\Alternativ.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.dk/0SEDADK/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ofir.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\da\msntb.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [System64] C:\WINDOWS\system32\inet.exe
O4 - HKLM\..\RunServices: [SystemTools32] C:\WINDOWS\system32\inet.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://opdatering.tdc.dk/csp/authenticode/tdccsp-0506.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe

Administrator
Number of posts: 55502

Run HijackThis again and fix:
O4 - HKLM\..\Run: [System64] C:\WINDOWS\system32\inet.exe
O4 - HKLM\..\RunServices: [SystemTools32] C:\WINDOWS\system32\inet.exe

Delete from safe mode:
C:\WINDOWS\system32\inet.exe

Check whether these are present; if they are, delete them:
C:\WINDOWS\system32\inet20.exe
C:\WINDOWS\system32\inet20n.exe

Restart and post a fresh HijackThis log.

Signature

qui potest, obligatur

Nierne bomaye - You'll never walk alone

The coffee has been drunk
The till is closed
The support does more good
For the small and the downhearted
Børns Vilkår
Hospitalsklovne
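The entries both helpers picked out of the HijackThis logs in this thread can be reproduced with a handful of mechanical checks. The script below is an added example, not code from the thread, from HijackThis or from spywarefri.dk; its allowlists of known-good entries and its sample log are constructed from the logs posted above.

```python
"""Triage of HijackThis 1.99 log lines, reproducing the picks made in this thread.

Added example; not code from the thread, from HijackThis or from spywarefri.dk.
The allowlists and the sample log below are constructed from the logs posted above.
"""
import re
from urllib.parse import urlparse

# Autostart names the helpers left alone on this machine (constructed allowlist;
# a real analyst works from a much larger vetted list).
KNOWN_GOOD_RUN = {"ctfmon.exe", "trackpointsrv", "superantispyware"}
# Winlogon Notify packages belonging to SUPERAntiSpyware and Windows Genuine Advantage.
KNOWN_GOOD_NOTIFY = {"!saswinlogon", "wgalogon"}
# ActiveX download (DPF) hosts the helpers left alone: MSN and the ISP TDC.
TRUSTED_DPF_HOSTS = {"messenger.msn.com", "opdatering.tdc.dk"}

LINE_RE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.*)$")
# O4 - HKLM\..\Run: [name] command      (also RunServices, RunOnce, ...)
O4_REG_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 - DPF: {CLSID} (Friendly Class) - http://host/file
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \([^)]*\) - (?P<url>\S+)$")
# O20 - Winlogon Notify: name - path
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# An executable sitting directly in a drive root, e.g. C:\egnt.exe
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)


def triage_line(line):
    """Return the reasons a HijackThis line deserves a 'fix'; [] if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sect, body = m.group("sect"), m.group("body")
    reasons = []
    if sect == "O2" and body.startswith("BHO: "):
        # O2 - BHO: <display name> - {CLSID} - <dll path>.  A BHO whose display
        # name is just its own DLL path was registered without a product name,
        # which is typical of a dropped component (zkPeCrypt.dll in the thread).
        parts = [p.strip() for p in body[5:].split(" - ", 2)]
        if len(parts) == 3 and parts[0].lower() == parts[2].lower():
            reasons.append("BHO registered without a product name")
    elif sect == "O4":
        o4 = O4_REG_RE.match(body)
        if o4:
            name, cmd = o4.group("name"), o4.group("cmd").strip()
            if o4.group("key").lower() == "runservices":
                # Windows XP does not read RunServices (a Windows 9x key), so an
                # entry there is almost always a leftover or malware.
                reasons.append("RunServices autostart on an NT-family system")
            if name.lower() not in KNOWN_GOOD_RUN:
                reasons.append("autostart [%s] is not on the known-good list" % name)
            if ROOT_EXE_RE.match(cmd):
                reasons.append("executable dropped in the drive root: " + cmd)
    elif sect == "O16":
        o16 = O16_RE.match(body)
        if o16:
            host = (urlparse(o16.group("url")).hostname or "").lower()
            if host not in TRUSTED_DPF_HOSTS:
                reasons.append("ActiveX download from untrusted host " + host)
    elif sect == "O20":
        o20 = O20_RE.match(body)
        if o20 and o20.group("name").lower() not in KNOWN_GOOD_NOTIFY:
            reasons.append("unknown Winlogon Notify package " + o20.group("name"))
    elif sect == "O23" and body.endswith("(file missing)"):
        # The binary is already gone (a scanner removed it) but the service
        # registration remains; the helper has it disabled in services.msc.
        reasons.append("service points at a binary that no longer exists")
    return reasons


def triage_log(text):
    """Map each suspicious line to its reasons, in log order."""
    findings = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


# Constructed sample: a subset of the lines from the two HijackThis logs in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ofir.dk/
O2 - BHO: C:\WINDOWS\system32\zkPeCrypt.dll - {8A5849C4-93F3-429D-FF34-660A2068897C} - C:\WINDOWS\system32\zkPeCrypt.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [WINDOWS] C:\egnt.exe
O4 - HKLM\..\Run: [System64] C:\WINDOWS\system32\inet.exe
O4 - HKLM\..\RunServices: [SystemTools32] C:\WINDOWS\system32\inet.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://opdatering.tdc.dk/csp/authenticode/tdccsp-0506.exe
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
"""

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```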

Yogo
Number of posts: 9

Here is the latest HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 12:46:28, on 06-12-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\ewido\security suite\ewidoctrl.exe
C:\Programmer\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\tp4mon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ejer\Skrivebord\Alternativ.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.dk/0SEDADK/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ofir.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\da\msntb.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://opdatering.tdc.dk/csp/authenticode/tdccsp-0506.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Programmer\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programmer\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe

Administrator
Number of posts: 32075

That gave a clean log :)

After a cleanup like this it is always a good idea to clean up the System Restore files. Disable System Restore; read here how:
[url="http://www.spywareinfo.dk/#/tip-og-tricks/deaktiver_systemgendannelse.htm"]System Restore[/url]
- restart your computer - enable System Restore. Then go to Start -> Programs -> Accessories -> System Tools -> System Restore and create a restore point, so you have something to return to if something goes wrong.

Hide the system files again.
Open Explorer, click Tools => Folder Options => View.
Check "Hide protected operating system files".
Check "Hide extensions for known file types".
Deselect "Show hidden files and folders".


To protect your computer in the future it would be a good idea to use some of the programs from our little package, which you can see here:
[url="http://www.spywarefri.dk/manualer/sikkerhedspakke.htm"]Security Package[/url]
Especially SpywareGuard, SpywareBlaster and IE-SPYAD
I would also recommend that you install antivirus and a firewall

Take a look here:
[url="http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=14414"]Avoid getting infected in the future[/url]


Is the computer running satisfactorily?

Signature

Common computer sense

Yogo
Number of posts: 9

The computer seems to be running satisfactorily. Many thanks for the help!!

Administrator
Number of posts: 32075

Sounds good, and you're welcome

I'll close the thread neatly behind us again; you know the address if you need us again

Signature

Common computer sense